There is a lot of low-hanging fruit when securing a cloud-hosted app at the network level. Just working through the basic checklist (restricting network access with security groups, deploying an IDS) shrinks your exposed surface and gives you visibility into what remains. With modern agentless scanners you can verify in minutes that your application is locked down, at least at the network level.

However, even after building an inventory of all your services, understanding which ports they need, restricting network access to what's required and locking down your databases, every fortress still needs a gate.

For most apps, that gate is their public-facing API. At the end of the day, all the data and business logic you're trying to protect flows through your API, so it's extremely important to monitor it and look at your API traffic from a security point of view.


Problems with Monitoring APIs Today

There are two main issues with API monitoring for security teams. First, most security teams fall back to standard observability tools like Datadog, New Relic, Splunk, etc. While these tools are useful for spotting performance issues and optimizing your apps, they aren't built for security. Most observability tools can't answer the questions AppSec teams actually need answered:

  1. Which endpoints are authenticated and which are not?
  2. Which services are public and which are private?
  3. Which endpoints carry sensitive data, and what kind?

Second, on top of lacking the features security teams need, most tools require changing code or installing an agent, which means spending dev cycles on something that isn't top of mind for devs... we know how that goes :)

Security teams really need an out-of-band, agentless observability solution that's tailored to their needs.

Cloud Traffic Mirroring

So how do we see API traffic without changing any code or installing an agent? Fortunately, both AWS and GCP support traffic mirroring (AWS calls it VPC Traffic Mirroring, GCP calls it Packet Mirroring). With traffic mirroring, the cloud copies every network packet going in and out of a source machine to another machine, where you can analyze it.

AWS

In AWS you can mirror the network traffic of any Elastic Network Interface (ENI), which covers EC2 instances and load balancers. Mirrored packets arrive at the target encapsulated in VXLAN (UDP port 4789), and traffic mirror filters let you copy only the ports your API actually uses. Since mirroring is out-of-band it adds no latency to the request path; the copies do count against the source instance's network bandwidth, though, and under contention AWS drops mirrored packets before production packets. One practical caveat: mirroring copies the bytes on the wire, so to see API payloads rather than TLS ciphertext the mirror source has to sit after TLS termination (for example the instance ENI behind a TLS-terminating load balancer).

(Diagram: AWS traffic mirroring architecture)
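The AWS side is four API calls: a mirror target, a filter, filter rules, and a session tying them to the source ENI. The following is an added example using boto3, not Metlo's code or its setup; the ENI IDs are placeholders, and the port list, the descriptions, the "first run without --apply" dry-run helper and the boto3 client itself are assumptions. The point it makes that the AWS console does not: ingress rules match API requests on the destination port, while egress rules match the responses on the source port, and getting that backwards silently drops half of every exchange.

```python
"""Configure AWS VPC Traffic Mirroring for an API instance with boto3.

Added example (not Metlo's code). Assumes boto3 is installed when run with
--apply, that `source_eni` is the API instance's ENI and `target_eni` the
analysis instance's ENI (both placeholders). Protocol 6 is TCP.
"""
from typing import Dict, Iterable, List

API_PORTS = (80, 443)  # assumption: the ports your API listens on


def build_filter_rules(ports: Iterable[int], first_rule_number: int = 100) -> List[Dict]:
    """Parameters for CreateTrafficMirrorFilterRule, one pair per port.

    Ingress (packets arriving at the source ENI) is matched on the destination
    port; egress (responses leaving the ENI) is matched on the source port.
    """
    rules = []
    any_host = {"SourceCidrBlock": "0.0.0.0/0", "DestinationCidrBlock": "0.0.0.0/0"}
    for i, port in enumerate(ports):
        port_range = {"FromPort": port, "ToPort": port}
        rules.append({"TrafficDirection": "ingress", "RuleNumber": first_rule_number + i,
                      "RuleAction": "accept", "Protocol": 6,
                      "DestinationPortRange": port_range, **any_host,
                      "Description": f"API requests to tcp/{port}"})
        rules.append({"TrafficDirection": "egress", "RuleNumber": first_rule_number + i,
                      "RuleAction": "accept", "Protocol": 6,
                      "SourcePortRange": port_range, **any_host,
                      "Description": f"API responses from tcp/{port}"})
    return rules


def create_api_mirror(ec2, source_eni: str, target_eni: str, ports=API_PORTS,
                      session_number: int = 1, vni: int = 1) -> Dict[str, str]:
    """Create target, filter, rules and session. `ec2` is a boto3 EC2 client or a stand-in."""
    target_id = ec2.create_traffic_mirror_target(
        NetworkInterfaceId=target_eni, Description="API traffic analysis"
    )["TrafficMirrorTarget"]["TrafficMirrorTargetId"]
    filter_id = ec2.create_traffic_mirror_filter(
        Description="API ports only"
    )["TrafficMirrorFilter"]["TrafficMirrorFilterId"]
    for rule in build_filter_rules(ports):
        ec2.create_traffic_mirror_filter_rule(TrafficMirrorFilterId=filter_id, **rule)
    session_id = ec2.create_traffic_mirror_session(
        NetworkInterfaceId=source_eni, TrafficMirrorTargetId=target_id,
        TrafficMirrorFilterId=filter_id, SessionNumber=session_number,
        VirtualNetworkId=vni, Description="API mirror (out-of-band)",
    )["TrafficMirrorSession"]["TrafficMirrorSessionId"]
    return {"target": target_id, "filter": filter_id, "session": session_id}


class RecordingEC2:
    """Stand-in for the boto3 client: records every call and hands back fake IDs,
    so the plan can be reviewed before anything is created in the account."""
    _fake_ids = {
        "create_traffic_mirror_target": ("TrafficMirrorTarget", "TrafficMirrorTargetId", "tmt-0example"),
        "create_traffic_mirror_filter": ("TrafficMirrorFilter", "TrafficMirrorFilterId", "tmf-0example"),
        "create_traffic_mirror_filter_rule": ("TrafficMirrorFilterRule", "TrafficMirrorFilterRuleId", "tmfr-0example"),
        "create_traffic_mirror_session": ("TrafficMirrorSession", "TrafficMirrorSessionId", "tms-0example"),
    }

    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            wrapper, key, value = self._fake_ids[name]
            return {wrapper: {key: value}}
        return call


if __name__ == "__main__":
    import sys
    if "--apply" in sys.argv:
        import boto3  # only needed for the real run
        ec2 = boto3.client("ec2")
    else:
        ec2 = RecordingEC2()
    print(create_api_mirror(ec2, "eni-0source", "eni-0target"))
    for name, kwargs in getattr(ec2, "calls", []):
        print(name, kwargs)
```

Run it without arguments to print the exact calls that would be made, then with `--apply` (and AWS credentials in the environment) to create the resources. The same filter can be reused by several sessions, one per API instance.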

GCP

In GCP, Packet Mirroring works much the same way. Instead of picking a single network interface, you select mirrored sources by subnet, instance or network tag, which can be even more flexible for a whole fleet. One difference to plan for: GCP delivers the copies to a collector behind an internal load balancer with their original headers intact, rather than VXLAN-wrapped, so the collector's firewall rules have to admit packets that were never addressed to it.

(Diagram: GCP packet mirroring architecture)
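What actually lands on the mirror destination is raw packets, not API events, and turning one into the other is what answers the three questions from the list above (is the endpoint authenticated, which host serves it, does the request carry sensitive data). The following is an added example, not Metlo's decoder: it strips the VXLAN wrapper AWS adds, parses Ethernet/IPv4/TCP, and classifies the HTTP request inside. The sample request is constructed; the "Authorization or Cookie header means authenticated" rule and the sensitive-data regexes are deliberately crude assumptions, and a real collector would reassemble TCP streams before parsing rather than look at single segments as this does.

```python
"""Decode mirrored packets into API-security events (added example, not Metlo's code).

AWS delivers mirrored packets as VXLAN datagrams (UDP/4789); GCP delivers bare
Ethernet frames. The sample request, the authentication heuristic and the
sensitive-data regexes below are constructed assumptions.
"""
import re
import struct
from dataclasses import dataclass, field
from typing import List, Optional

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
HTTP_METHODS = (b"GET", b"POST", b"PUT", b"PATCH", b"DELETE", b"HEAD", b"OPTIONS")
SENSITIVE = {  # assumption: crude detectors for the data classes worth flagging
    "email": re.compile(rb"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "card": re.compile(rb"\b\d{13,16}\b"),
    "ssn": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
}


@dataclass
class ApiEvent:
    src: str
    dst: str
    dst_port: int
    method: str
    path: str
    host: str
    authenticated: bool
    sensitive: List[str] = field(default_factory=list)


def strip_vxlan(datagram: bytes):
    """Return (VNI, inner Ethernet frame) from an AWS mirror datagram."""
    if len(datagram) < 8 or not datagram[0] & 0x08:  # I flag set => VNI is valid
        raise ValueError("not a VXLAN datagram")
    return int.from_bytes(datagram[4:7], "big"), datagram[8:]


def parse_frame(frame: bytes):
    """Ethernet -> IPv4 -> TCP. Returns (src, dst, sport, dport, payload), or None if not TCP/IPv4."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_TCP:
        return None
    src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return src, dst, sport, dport, tcp[(tcp[12] >> 4) * 4:]  # data offset is in 32-bit words


def parse_http_request(payload: bytes):
    """Split a request into (method, target, headers, body); None if the segment isn't one."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or parts[0] not in HTTP_METHODS:
        return None  # a response or a mid-stream segment
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    return parts[0].decode(), parts[1].decode(), headers, body


def api_event_from_mirror(data: bytes, cloud: str) -> Optional[ApiEvent]:
    """`cloud` is "aws" (VXLAN-wrapped datagram) or "gcp" (bare Ethernet frame)."""
    frame = strip_vxlan(data)[1] if cloud == "aws" else data
    l4 = parse_frame(frame)
    if l4 is None:
        return None
    src, dst, _sport, dport, payload = l4
    req = parse_http_request(payload)
    if req is None:
        return None
    method, target, headers, body = req
    path, _, query = target.partition("?")
    authenticated = "authorization" in headers or "cookie" in headers  # assumption
    sensitive = sorted(k for k, rx in SENSITIVE.items() if rx.search(body) or rx.search(query.encode()))
    return ApiEvent(src, dst, dport, method, path, headers.get("host", ""), authenticated, sensitive)


# --- constructed sample traffic, shaped like what a mirror destination receives ---
def build_tcp_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal Ethernet/IPv4/TCP frame; checksums are left zero since we only parse."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split(".")))) + tcp
    return b"\x02" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip


def vxlan_wrap(frame: bytes, vni: int) -> bytes:
    """Wrap a frame the way AWS traffic mirroring does: flags 0x08, 24-bit VNI."""
    return b"\x08\x00\x00\x00" + vni.to_bytes(3, "big") + b"\x00" + frame


SAMPLE_REQUEST = (b"POST /api/v1/users?ref=promo HTTP/1.1\r\nHost: api.example.com\r\n"
                  b"Authorization: Bearer constructed-token\r\nContent-Type: application/json\r\n\r\n"
                  b'{"email": "jane@example.com", "card": "4111111111111111"}')
SAMPLE_FRAME = build_tcp_frame("10.0.1.25", "10.0.2.10", 51234, 443, SAMPLE_REQUEST)

if __name__ == "__main__":
    print(api_event_from_mirror(vxlan_wrap(SAMPLE_FRAME, 1234), "aws"))  # AWS-style delivery
    print(api_event_from_mirror(SAMPLE_FRAME, "gcp"))                    # GCP-style delivery
```

The same frame decodes to the same event whichever cloud wrapped it, which is what lets one collector serve both. Aggregating these events by host and path over time is what turns raw mirroring into the inventory the questions above ask for: an endpoint that is ever seen without an Authorization or Cookie header is unauthenticated, and one whose bodies match a sensitive-data detector carries that data.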

Setting up Metlo

You can learn more about how to set up traffic mirroring with Metlo in our docs for AWS and GCP. With Metlo you deploy our Traffic Mirroring Destination instance and start mirroring traffic in just a few minutes.