After installing Coralogix Security Traffic Analyzer (STA) and choosing a mirroring strategy suitable for your organization’s needs, the next step is to set the mirroring configuration in AWS. However, configuring VPC Traffic Mirroring in AWS is tedious and cumbersome: it requires you to create a mirror session per network interface of every mirrored instance, and, to add insult to injury, if that instance terminates for some reason and a new one replaces it, you have to re-create the mirroring configuration from scratch.
Each deployed STA instance holds a mirroring filter indicator tag.

Important Notes:

To configure the mirroring strategy, follow these steps:

1. On the STA instance, locate the tag `sta.coralogix.com:mirror-filter-indicator-tagname` and copy its value (`sta.<BUCKET_NAME>.coralogix.com:mirror-filter-id`).
2. To find the `tmf` (Traffic mirror filter), head to the VPC -> Mirror filters, and locate the following name: `STA - Mirror Filter - <MIRROR_TYPE>` (All/Moderate/Essential), and copy the Filter ID value.
3. On the instance you want to mirror, add a tag with the key `sta.<bucket-name>.coralogix.com:mirror-filter-id` (see section (1) above) and the value `<SELECTED_FILTER_ID>`.
4. Now your instance is configured for mirroring to STA.

The selected `tmf` is attached to the mirrored instance as a tag. The `tmfs`, defined in the `sta.conf` file, can be configured inside the STA and in the AWS S3 bucket; we suggest doing so using the bucket. When several STA instances work in parallel, they coordinate which mirrored instances each one handles: using balancing algorithms, the STAs scan the mirrored instances and split the load between them.
Pro Tip: You can use AWS “Resource Groups & Tag Editor” to quickly assign tags to multiple instances based on arbitrary criteria.
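To make the tag-driven approach concrete, here is an added example, not Coralogix STA code, of how an automation can turn the instance tag described above into the per-network-interface mirror sessions that AWS requires. It is a planner: it reads `describe_instances` output, keeps only running instances carrying the mirror-filter tag, skips interfaces that already have a session (so a replaced instance gets a new session without duplicating existing ones), and spreads interfaces round-robin across several STA mirror targets as a simple stand-in for the load splitting mentioned above. The bucket name, the `tmf-`/`tmt-`/`eni-` identifiers and the sample instance data are constructed placeholders; the boto3 calls used are `describe_instances`, `describe_traffic_mirror_sessions` and `create_traffic_mirror_session`.

```python
"""
Tag-driven planner for AWS VPC Traffic Mirroring sessions.

Added illustration (not Coralogix STA code): for every EC2 instance that carries
the STA mirror-filter tag, build one create_traffic_mirror_session call per
network interface, skip interfaces that already have a session, and spread the
load round-robin across several STA mirror targets.
"""
from itertools import cycle

# Tag key in the form described on the page; the bucket name is a placeholder.
BUCKET_NAME = "example-bucket"
FILTER_TAG_KEY = f"sta.{BUCKET_NAME}.coralogix.com:mirror-filter-id"


def tag_value(tags, key):
    """Return the value of tag `key` from an EC2 Tags list, or None if absent."""
    for tag in tags or []:
        if tag.get("Key") == key:
            return tag.get("Value")
    return None


def plan_mirror_sessions(reservations, target_ids, existing_sessions,
                         tag_key=FILTER_TAG_KEY, session_number=1, packet_length=None):
    """
    reservations:      the 'Reservations' list from ec2.describe_instances()
    target_ids:        STA traffic mirror target ids (tmt-...), one per STA instance
    existing_sessions: 'TrafficMirrorSessions' from ec2.describe_traffic_mirror_sessions()
    Returns a list of keyword-argument dicts for ec2.create_traffic_mirror_session.
    """
    if not target_ids:
        raise ValueError("at least one traffic mirror target is required")
    already_mirrored = {s["NetworkInterfaceId"] for s in existing_sessions}
    targets = cycle(target_ids)  # simple round-robin split between STA targets
    plan = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            # Only running instances tagged with a mirror filter are mirrored.
            if inst.get("State", {}).get("Name") != "running":
                continue
            filter_id = tag_value(inst.get("Tags"), tag_key)
            if not filter_id:
                continue
            for eni in inst.get("NetworkInterfaces", []):
                eni_id = eni["NetworkInterfaceId"]
                if eni_id in already_mirrored:
                    continue  # idempotent: never create a second session for an ENI
                params = {
                    "NetworkInterfaceId": eni_id,
                    "TrafficMirrorTargetId": next(targets),
                    "TrafficMirrorFilterId": filter_id,
                    "SessionNumber": session_number,  # unique per ENI; one session per ENI here
                    "Description": f"STA mirror for {inst['InstanceId']}",
                }
                if packet_length:
                    params["PacketLength"] = packet_length  # truncate mirrored packets
                plan.append(params)
    return plan


def apply_plan(plan, ec2):
    """Create each planned session; `ec2` is a boto3 EC2 client (or a test double)."""
    created = []
    for params in plan:
        resp = ec2.create_traffic_mirror_session(**params)
        created.append(resp["TrafficMirrorSession"]["TrafficMirrorSessionId"])
    return created


# Constructed sample input shaped like describe_instances output.
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0aaa", "State": {"Name": "running"},
     "Tags": [{"Key": FILTER_TAG_KEY, "Value": "tmf-0123456789abcdef0"}],
     "NetworkInterfaces": [{"NetworkInterfaceId": "eni-0a1"},
                           {"NetworkInterfaceId": "eni-0a2"}]},
    {"InstanceId": "i-0bbb", "State": {"Name": "running"},
     "Tags": [{"Key": "Name", "Value": "untagged"}],
     "NetworkInterfaces": [{"NetworkInterfaceId": "eni-0b1"}]},
    {"InstanceId": "i-0ccc", "State": {"Name": "stopped"},
     "Tags": [{"Key": FILTER_TAG_KEY, "Value": "tmf-0123456789abcdef0"}],
     "NetworkInterfaces": [{"NetworkInterfaceId": "eni-0c1"}]},
]}]
SAMPLE_TARGETS = ["tmt-1111111111111111a", "tmt-2222222222222222b"]  # placeholders
SAMPLE_EXISTING = [{"NetworkInterfaceId": "eni-0a2", "TrafficMirrorSessionId": "tms-old"}]

if __name__ == "__main__":
    import boto3  # only needed when running against a real account

    ec2 = boto3.client("ec2")
    reservations = ec2.describe_instances(
        Filters=[{"Name": "tag-key", "Values": [FILTER_TAG_KEY]}])["Reservations"]
    existing = ec2.describe_traffic_mirror_sessions()["TrafficMirrorSessions"]
    # Replace SAMPLE_TARGETS with the real STA mirror target ids before running.
    print(apply_plan(plan_mirror_sessions(reservations, SAMPLE_TARGETS, existing), ec2))
```

With the constructed sample, only `eni-0a1` gets a new session: `eni-0a2` is already mirrored, `i-0bbb` has no filter tag, and `i-0ccc` is stopped. Running the planner on a schedule (or from a Lambda triggered by instance state changes) is what removes the re-create-from-scratch chore the page describes, because a replacement instance simply shows up as a tagged instance with unmirrored interfaces.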
By default, STA mirrors all cloud traffic relevant to the selected strategy.
By mirroring all traffic you benefit from observability over the cloud’s traffic, which helps to monitor, investigate, and detect every suspicious activity. However, it is not free.
Cloud providers, such as AWS, bill you for every mirror, and by mirroring all traffic, the cost can be extremely high.
On the one hand it is important to reduce costs as much as possible; on the other hand, observability and the STA’s capabilities must not be compromised.
To reduce cost while retaining sufficient, productive observability, STA offers additional optimization that keeps the monitoring value.
In addition to strategy selection, STA has an internal handling configuration for the mirroring mode:

- dynamic mirroring
- manual mirroring
Behind the scenes, the STA calculates the availability of each session, counts its traffic, and categorizes it according to best-practice principles and strict security criteria. On the fly, the STA decides whether a session is currently not providing relevant visibility; if so, it stops mirroring that session for a period of time, and the process repeats.
This works because of a basic property of any malicious attack: it is never a single action, but is always spread over some timeframe.
The mode is defined in the `sta.conf` file, which can be changed locally in the STA or using the AWS S3 bucket’s `sta.conf` file. Set `mirror_handling_mode` to either `"DYNAMIC"` or `"MANUAL"`:

```json
{
  "automations": {
    "vpc-mirroring-auto-handler": {
      "mirror_handling_mode": "DYNAMIC"
    }
  }
}
```