Identifying Network Anomalies in Microsoft Azure – Cloud Workload Security and Azure Network Watcher

Monitoring the Microsoft Azure virtual network

Network Watcher is a native Azure service that provides performance monitoring and diagnostics for Azure tenants. A wealth of logging and diagnostic data is available through Network Watcher, giving insight into the performance and health of your network. By combining the diagnostic and monitoring capabilities of Network Watcher with the automated discovery and defense of elastic workloads provided by McAfee Cloud Workload Security (CWS), you have a comprehensive toolset for end-to-end network visibility.

Network Topology 

Network Watcher enables you to visualize the complete network topology of your application in just a few clicks.

IP Flow Verify

A critical diagnostic capability is checking whether a flow to or from a virtual machine is allowed or denied. With IP flow verify, you can easily validate whether a given flow – ingress or egress – is allowed or denied, evaluated on the combination of source IP, destination IP, source port, destination port and protocol.

Security Group View

With Network Watcher, you can verify that the expected security groups are in place for audit and security purposes and configure them programmatically. You can also improve your security posture and tighten firewall rules across resource groups by ensuring security groups are applied.

These are just a handful of the diagnostic tools available through Network Watcher; they are extensive, rich in data, and accessible through Azure native APIs. While this context is rich and the logs are comprehensive, it is critical to identify threats quickly and efficiently and to immediately enable actionable workflows that isolate root causes and reduce dwell time. Network Watcher and McAfee’s Cloud Workload Security (CWS) together form a firmly interlocked powerhouse that ensures tight audit controls, a proper overlay of security controls, and effective remediation actions for optimal threat mitigation.

McAfee Cloud Workload Security and Azure Network Watcher

As we have established a relative baseline understanding of Network Watcher, let’s peel back another layer to further analyze how Azure traffic flows into the mesh of interoperability with McAfee Cloud Workload Security (CWS).

How does Azure traffic work?

When Network Watcher and Network Security Group (NSG) flow logs are properly enabled, Network Watcher captures traffic flows in the Azure cloud. Once flow logs are enabled for an NSG, the Azure Connector collects traffic for successfully provisioned NSGs and the VMs associated with them. The discovered traffic is visible in the traffic visualization section of McAfee CWS.

How does CWS capture Azure Traffic?

  1. During every sync, CWS checks whether there are any powered-on Azure instances in a region and whether Network Watcher is enabled for that region. If Network Watcher is not enabled for the region, CWS enables it and configures it to use a storage account.
  2. Next, CWS checks the NSGs in that region: it verifies that NSG flow logging is enabled for every NSG attached to a powered-on instance, and enables it wherever it is not.
  3. Once Network Watcher and NSG flow logs are enabled, traffic flow logs are captured in the associated storage account. CWS reads these flow logs from the storage account and determines whether they contain any network anomalies.

NSG flow logs let Network Watcher record information about the traffic passing through the NSG. When Network Watcher is enabled by Cloud Workload Security, the retention period it sets for NSG flow logs is 15 days. You can reconfigure the retention period under Network Watcher in the Azure portal.
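As an added example, not code from this post or from McAfee CWS: a small Python reader for the NSG flow log JSON that Network Watcher writes to the storage account, with one simple anomaly check of the kind step 3 describes, flagging a source whose inbound connections were denied on several different ports. The blob below is constructed; its resource id, MAC and addresses are placeholders.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of an NSG flow log (version 2) blob as written to the
# storage account; resource id, MAC and addresses are placeholders, not from the post.
SAMPLE_BLOB = json.dumps({"records": [{
    "time": "2023-01-01T00:01:00.000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/EXAMPLE-SUB/RESOURCEGROUPS/RG1/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG1",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1672531200,203.0.113.10,10.0.0.4,51000,22,T,I,D,B,,,,",
            "1672531201,203.0.113.10,10.0.0.4,51001,23,T,I,D,B,,,,",
            "1672531202,203.0.113.10,10.0.0.4,51002,3389,T,I,D,B,,,,",
            "1672531203,192.0.2.9,10.0.0.4,40000,22,T,I,D,B,,,,"]}]},
        {"rule": "UserRule_AllowHTTPS", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1672531205,198.51.100.7,10.0.0.4,44321,443,T,I,A,B,,,,",
            "1672531260,198.51.100.7,10.0.0.4,44321,443,T,I,A,E,12,1840,10,5200"]}]}]}}]})

# Field order of a version-2 flow tuple; version-1 tuples stop after "decision".
FIELDS = ["ts", "src_ip", "dst_ip", "src_port", "dst_port", "proto", "direction",
          "decision", "state", "pkts_s2d", "bytes_s2d", "pkts_d2s", "bytes_d2s"]


def parse_flow_log(blob):
    """Yield one dict per flow tuple, tagged with the NSG rule that produced it."""
    for record in json.loads(blob)["records"]:
        for rule_entry in record["properties"]["flows"]:
            for nic in rule_entry["flows"]:
                for tup in nic["flowTuples"]:
                    parts = tup.split(",")
                    parts += [""] * (len(FIELDS) - len(parts))  # pad v1 tuples
                    row = dict(zip(FIELDS, parts))
                    row["rule"] = rule_entry["rule"]
                    yield row


def denied_inbound_scanners(rows, min_ports=3):
    """Sources whose denied inbound flows hit at least min_ports distinct destination ports.

    Only flow-begin records ("B", or the empty state of v1 logs) are counted, so
    continuation records of the same flow do not inflate the tally.
    """
    ports = defaultdict(set)
    for r in rows:
        if r["direction"] == "I" and r["decision"] == "D" and r["state"] in ("B", ""):
            ports[r["src_ip"]].add(int(r["dst_port"]))
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}
```

In a real deployment the blobs are read from the flow log container of the configured storage account, one blob per NSG, MAC and hour.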

For more information on McAfee Cloud Workload Security, please visit the McAfee Cloud Workload Security page for feature and solution documentation.

To learn more about Azure Network Watcher and CWS integration check out the Azure Network Watcher blog post.
