
RedLock Increases Network Visibility with Support for Microsoft Azure Network Watcher

04.17.18, 5:59 AM

In public cloud environments, resources can be created - and then retired - in a matter of minutes. Nothing is static, which makes the management and security of cloud resources an ongoing challenge. At RedLock, we believe that more information - and more context - leads to better security decision making. That is why RedLock dynamically discovers cloud resource changes and continuously correlates raw, siloed data sources, including user activity, resource configurations, network traffic, threat intelligence, and vulnerability feeds, to provide a complete view of public cloud risk.

Now, RedLock is excited to announce support for Microsoft Azure Network Watcher in the RedLock Cloud 360 platform. Azure Network Watcher is a monitoring, diagnostic and visualization service that helps you understand and troubleshoot your network at a scenario level. Using Azure Network Watcher, you can collect Network Security Group (NSG) flow logs to monitor your virtual machines' network security and review security group views. The RedLock Cloud 360 platform can monitor your Azure network and alert on key metrics to rapidly identify configuration and security issues. The integration enables customers to visualize their network traffic in real time and detect advanced threats.

"As more enterprises migrate to Microsoft Azure, protection of their cloud resources becomes a priority," said Vijay Tinnanur, Principal Program Manager, Microsoft Azure Networking at Microsoft Corp. "With Azure Network Watcher, we are enabling security and compliance teams with industry-leading monitoring, diagnostic and visualization tools to provide expanded visibility. By working with RedLock, we can help ensure our customers can use their tools to ensure their enterprise is compliant and secure."

Use Cases

The following use cases show the power of combining Azure Network Watcher with the RedLock Cloud 360 platform.

1. Detect malicious network traffic

Are you concerned about malicious traffic compromising your cloud resources? RedLock can detect these breaches and provide real-time alerts. By ingesting NSG flow log information together with third-party threat intelligence feeds, RedLock can classify suspicious traffic and highlight its location, as shown in the following screenshot.

[Screenshot: RedLock Investigate tab with Azure demo]

Drilling down in the graph above provides additional context about the malicious traffic to the cloud resource as shown below.

[Screenshot: RedLock security context for Azure]

2. Detect Internet traffic to a database

With RedLock, you can create queries to detect when databases are exposed to the Internet and whether there are potential data exfiltration attempts. To identify such risks accurately, the platform must understand the context behind a scenario. The RedLock Cloud 360 platform profiles applications using machine learning and, in this example, detects that the VM running in the Azure environment is a MongoDB instance. The platform then correlates flow logs and third-party threat intelligence feeds with the MongoDB instance and determines that the database is being queried by suspicious IPs. Correlating these disparate data sets enables the platform to determine that this is a high-risk situation.

[Screenshot: RedLock investigation of suspicious IPs querying a database]

In addition, RedLock produces complete audit trails to enable rapid investigation and response. You can determine which user created this workload and when, as well as receive remediation recommendations, as illustrated below.

[Screenshot: RedLock audit trail]
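The correlation behind use cases 1 and 2 can be sketched in a few dozen lines. The Python below is an added example, not RedLock code: it parses a constructed Azure NSG flow log record in the version 2 flow-tuple layout, checks each source address against a constructed threat-intelligence set, and flags inbound flows that the NSG allowed from Internet addresses to a database port. The port-to-database mapping (standing in for the machine-learning profiling the page describes), the indicator list and the 50 KB response-volume threshold are assumptions for illustration.

```python
"""Correlate Azure NSG flow-log tuples with a threat-intel list and flag
Internet traffic reaching a database port.

Added example, not RedLock code. The flow-log record is constructed in the
NSG flow log version 2 layout; the threat-intel set, the port-to-database
mapping and the byte threshold are assumptions for illustration.
"""
from __future__ import annotations

import ipaddress
import json
from dataclasses import dataclass

# Constructed NSG flow log record (version 2 schema). Each flowTuple reads:
# unixTime,srcIP,dstIP,srcPort,dstPort,protocol(T/U),direction(I/O),
# decision(A/D),flowState(B/C/E),packetsS2D,bytesS2D,packetsD2S,bytesD2S
# The four counters are only filled in for continuing (C) and end (E) records.
SAMPLE_FLOW_LOG = json.dumps({
    "records": [{
        "time": "2018-04-16T10:00:00.000Z",
        "category": "NetworkSecurityGroupFlowEvent",
        "resourceId": "/SUBSCRIPTIONS/<sub-id>/RESOURCEGROUPS/DEMO-RG/PROVIDERS/"
                      "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DEMO-NSG",
        "properties": {
            "Version": 2,
            "flows": [{
                "rule": "UserRule_allow-mongo",
                "flows": [{
                    "mac": "000D3AF87856",
                    "flowTuples": [
                        # external IP on the intel list reaches the DB port
                        "1523872800,203.0.113.45,10.0.0.4,51022,27017,T,I,A,B,,,,",
                        # unknown external IP pulls 91 KB back out of the DB
                        "1523872801,198.51.100.7,10.0.0.4,40210,27017,T,I,A,E,12,2048,30,91000",
                        # in-VNet application tier talking to the DB: benign
                        "1523872802,10.0.1.9,10.0.0.4,55100,27017,T,I,A,B,,,,",
                        # intel-listed IP, but the NSG denied this SSH attempt
                        "1523872803,203.0.113.45,10.0.0.4,51023,22,T,I,D,B,,,,",
                        # outbound HTTPS from the VM, out of scope here
                        "1523872804,10.0.0.4,192.0.2.10,44540,443,T,O,A,B,,,,",
                    ],
                }],
            }],
        },
    }]
})

# Constructed indicator set standing in for third-party threat-intel feeds.
THREAT_INTEL_IPS = {"203.0.113.45"}

# Assumed workload classification. The page describes RedLock profiling the
# VM as MongoDB with machine learning; here a fixed port map plays that role.
DATABASE_PORTS = {27017: "MongoDB", 3306: "MySQL", 5432: "PostgreSQL", 1433: "MSSQL"}

# Assumed threshold for "a lot of data left the database in a single flow".
EXFIL_BYTES_THRESHOLD = 50_000

# Address space treated as internal: RFC 1918 plus link-local and loopback.
# The TEST-NET documentation ranges used above therefore count as Internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "169.254.0.0/16", "127.0.0.0/8")]


@dataclass
class Flow:
    timestamp: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str          # T = TCP, U = UDP
    direction: str         # I = inbound to the NIC, O = outbound
    decision: str          # A = allowed by the NSG, D = denied
    bytes_to_client: int   # bytesD2S, 0 when the counter is absent
    rule: str


def parse_flow_log(raw_json: str) -> list[Flow]:
    """Flatten the nested records/flows/flows/flowTuples structure."""
    flows = []
    for record in json.loads(raw_json)["records"]:
        for rule_block in record["properties"]["flows"]:
            for nic_block in rule_block["flows"]:
                for tup in nic_block["flowTuples"]:
                    f = tup.split(",")
                    # version 1 tuples stop at the decision field
                    d2s = int(f[12]) if len(f) > 12 and f[12] else 0
                    flows.append(Flow(int(f[0]), f[1], f[2], int(f[3]), int(f[4]),
                                      f[5], f[6], f[7], d2s, rule_block["rule"]))
    return flows


def is_internet_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_alerts(flows: list[Flow]) -> list[tuple[str, Flow]]:
    """Return (alert_kind, flow) pairs for inbound flows the NSG allowed."""
    alerts = []
    for f in flows:
        if f.direction != "I" or f.decision != "A":
            continue  # denied or outbound flows did not reach this VM's service
        if f.src_ip in THREAT_INTEL_IPS:
            alerts.append(("threat-intel-match", f))
        db = DATABASE_PORTS.get(f.dst_port)
        if db and is_internet_ip(f.src_ip):
            alerts.append((f"internet-to-{db}", f))
            if f.bytes_to_client >= EXFIL_BYTES_THRESHOLD:
                alerts.append(("high-volume-db-response", f))
    return alerts


if __name__ == "__main__":
    for kind, f in find_alerts(parse_flow_log(SAMPLE_FLOW_LOG)):
        print(f"{kind:26} {f.src_ip}:{f.src_port} -> {f.dst_ip}:{f.dst_port} "
              f"rule={f.rule} bytes_to_client={f.bytes_to_client}")
```

Two points worth noting. Only flows with direction I and decision A are considered, because a denied or outbound tuple is evidence of an attempt, not of traffic that reached the database. The internal-address check is an explicit RFC 1918 list rather than ipaddress's is_global, since Python classifies the TEST-NET documentation ranges used in the sample as non-global and the sample would otherwise produce no alerts.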


3. Detect cryptojacking and other types of compromises

Cryptojacking, the practice of stealing compute resources to mine cryptocurrency, has been highlighted in a number of recent news stories. The most prominent incident is the Tesla attack, where hackers were mining cryptocurrency from one of Tesla's Kubernetes pods. RedLock can detect cryptojacking in real time (see the following example) as well as other host and network threats.

[Screenshot: RedLock cryptojacking detection]

Onboarding prerequisites for Azure Network Watcher Flow Log Ingestion

For Azure Network Watcher, RedLock must ingest the NSG flow logs to obtain network traffic data. This is a prerequisite for visualizing network topology, performing investigations and applying network policies. To enable network monitoring in Azure, you must turn on flow logs for one or more of your network security groups. To do this in the Azure portal, go to Network Watcher > NSG Flow Logs and enable flow logs for every security group that you want RedLock to ingest, as shown in the following screenshot.

[Screenshot: enabling NSG flow logs in the Azure portal]

Please refer to the RedLock admin guide for more detailed instructions.

With RedLock Cloud 360 platform support for Azure Network Watcher, you gain deep, real-time visibility into your Azure network and receive alerts that help you rapidly identify compliance and security issues. This integration not only provides deeper visibility into your Azure cloud, but also supplies the investigative and remediation tools to ensure your cloud resources are continuously monitored and protected.

