Agentless Runtime Monitoring in AWS with Blue Hexagon Cloud Security – powered by Deep Learning

Enterprise security practitioners are facing incredible challenges today, be it due to the high demand to migrate to the cloud or to effectively secure their existing cloud real estate. Specifically, many organizations are struggling to translate the policies and threat protection from traditional network perimeters to their new cloud-based environments. Indeed, the software-defined nature of the cloud, with resources and services managed by the customer or managed by the cloud provider in a shared security responsibility model, forces practitioners to redefine cloud security, laying greater emphasis on monitoring all workloads at runtime and in real-time, for both external and internal threats.

To get full runtime visibility into workloads from the network vantage point, AWS introduced VPC Traffic Mirroring in 2019. Using VPC Traffic Mirroring, every packet hitting a network interface would be replicated out to security and monitoring appliances for use cases such as content inspection, threat monitoring, and troubleshooting — in real-time. Contemporaneously, Blue Hexagon announced cloud-native Network Detection and Response that leveraged VPC Traffic Mirroring to provide comprehensive L3-L7 network visibility and advanced threat protection against malware and adversaries, including defense against a broad spectrum of cloud network threats. However, until now, customers could only enable VPC Traffic Mirroring on their Nitro-based EC2 instances, leaving a gap in infrastructure coverage.

Today, AWS announced using VPC Traffic Mirroring to monitor and secure your AWS infrastructure. Amazon VPC Traffic Mirroring allows you to replicate the network traffic from EC2 instances within your VPC to security and monitoring services. Customers can now enable VPC Traffic Mirroring on additional instance types such as C4, D2, G3, G3s, H1, I3, M4, P2, P3, R4, X1, and X1e that use the Xen-based hypervisor. This enables you to now uniformly inspect network traffic on these additional EC2 instance types using Blue Hexagon’s Agentless Cloud Security for AWS. This is available in all 22 regions where VPC Traffic Mirroring is currently supported.

[NOTE: VPC Traffic Mirroring is not supported on the T2, R3 and I2 instance types and previous generation instances. Follow the steps here to upgrade your instance type to gain traffic mirroring support, while also possibly increasing performance at a lower cost!]

In the remainder of this blog, learn how Blue Hexagon’s Cloud Security solution combines with VPC Traffic Mirroring to get comprehensive visibility and threat protection capabilities in your cloud environment through agentless runtime monitoring.

Blue Hexagon Cloud Security for AWS

Blue Hexagon is an AWS Advanced Technology Partner with a real-time deep learning solution for cloud visibility and threat defense. Blue Hexagon Cloud Security for AWS performs runtime monitoring of your workloads running in EC2 instances, containers in EKS Kubernetes nodes, or serverless Lambdas running in your VPCs. Blue Hexagon analyzes protocols, headers, and payloads in L3-L7 network traffic and in S3 storage; extracts millions of traits in real-time and feeds them to its Deep Learning AI models analyzing for malware and non-malware threats. Any discovered threats are remediated in real-time through integration with AWS Security Hub and AWS Lambda, with several integration playbooks provided out-of-the-box.

Text Box: Figure 1 - Real-time deep learning analysis with Blue Hexagon
Figure 1 – Real-time deep learning analysis with Blue Hexagon

Comparison of Agentless and Agent-based Runtime Cloud Monitoring

There are two broad approaches to runtime monitoring – agent-based and agentless. Agent-based monitoring typically involves deploying agent software in your workloads. Such agent-based monitoring of workloads and their network behaviors may be viable in a limited setting for specific use cases. However, in practice, agents are hard to deploy and manage, degrade performance, may be evaded or disabled by advanced threats, and are limited in their coverage of OS platforms (Linux / Windows / …) or managed platforms such as Serverless and Kubernetes. Furthermore, deploying cloud-connected agents may require you to open up communication channels and introduce third-party code/binaries, thereby weakening your security posture particularly for workloads in “air-gapped” cloud VPCs and subnets. In this context, the recent SolarWinds supply chain attack serves as a sobering reminder of the perils associated with the agent-based approach. Contrast this with agentless runtime monitoring with Blue Hexagon Cloud Security using Amazon VPC Traffic Mirroring:

  • Simple to deploy and manage: Workloads can be enabled for inspection automatically in the AWS infrastructure with no deployment or management overheads.
  • No downtime and minimal performance impact: Workloads need not be redeployed and since there are no agents running inside the workloads, there is no performance degradation (modulo network bandwidth on monitored instances).
  • Comprehensive visibility: Across all OS platforms (Linux / Windows / …) and across all EC2-based IaaS or PaaS resources (EC2 and EKS, as well as Lambda – in combination with Ingress Routing). Additionally, since VPC Traffic Mirroring operates in the AWS infrastructure layer, you can get network visibility even for “air-gapped” subnets or VPCs with traffic copied out to Blue Hexagon Cloud Security deployed out-of-band.
  • Invisible to threats and threat actors: With the right IAM policies in place, Blue Hexagon Cloud Security with VPC Traffic Mirroring provides complete visibility into network traffic – payloads, protocols and headers – without risk of evasion or tampering by attackers in the user space.

Finally, compared to next-gen firewalls or the native AWS Network Firewall which you may be using for inspecting “North-South” network traffic, Blue Hexagon Cloud Security with VPC Traffic Mirroring provides complete “North-South” and “East-West” visibility and threat defense, helping you defend against a broad spectrum of known and unknown threats with network observability.

Figure 2 - Blue Hexagon Cloud Security detects a broad spectrum of malware and non-malware threats with network observability, in real-time, at cloud scale
Figure 2 – Blue Hexagon Cloud Security detects a broad spectrum of malware and non-malware threats, in real-time, at cloud scale


Amazon VPC Traffic Mirroring is a revolutionary networking primitive to monitor network traffic in your VPC at the packet-level, and with today’s announcement, you are better positioned to deploy runtime monitoring more comprehensively in your AWS cloud environment. Combined with Blue Hexagon Cloud Security for AWS, powered by real-time deep learning AI, you can get hi-fidelity visibility and threat defense in real-time, at cloud scale, and without deploying any agents. An earlier AWS Partner Network (APN) blog provides a detailed step-by-step walkthrough of how to deploy Blue Hexagon Cloud Security with VPC Traffic Mirroring in your environment using CloudFormation templates. To get your Blue Hexagon Cloud Security license, contact Blue Hexagon security expert today.