Monitor Network Security Group Configuration Changes

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: Network-014

Trend Micro Cloud One™ – Conformity Real-Time Threat Monitoring and Analysis (RTMA) engine has detected Network Security Group configuration changes events within your Microsoft Azure cloud account.

An Azure network security group acts as a virtual firewall and contains security rules that allow or deny inbound and outbound network traffic to and from cloud resources provisioned within your Azure virtual network. For each network security group rule, you can specify source and destination, port, and protocol. You can deploy resources from several Azure cloud services into an Azure virtual network. Then, you can associate a network security group to each virtual network subnet and network interface within your virtual network.

This rule resolution is part of the Cloud Conformity Real-Time Threat Monitoring

Security

The Real-Time Threat Monitoring and Analysis (RTMA) feature can detect essentially any API call related to configuration changes made to your network security groups such as adding, updating or removing inbound and outbound security rules. The activity detected by Conformity RTMA could be, for example, a user action initiated through the Microsoft Azure Portal or an API request initiated programmatically using Azure CLI, that triggers any of the following operational events:



"Create Network Security Group" – Creates a new Microsoft Azure network security group.

"Update Network Security Group" – Modifies an existing network security group.

If a network security group is created and/or modified by an inexperienced user, it can allow attackers to use port scanners and other probing techniques to identify applications and services running on your virtual machines and exploit their vulnerabilities. To adhere to Azure cloud security best practices and implement the Principle of Least Privilege (i.e. the practice of providing every user/process/system the minimal amount of access required to perform its tasks), Conformity strongly recommends that you avoid as much as possible to provide your Azure users (except the network administrators) the permission to change the network security group configuration within your Azure cloud account.

"Create Network Security Group Rule" – Creates a new Azure network security group rule. You can create the security rule by using the Azure Portal, Azure Command Line Interface (Azure CLI), Azure PowerShell, or a REST API.

"Update Network Security Group Rule" – Modifies an existing network security group rule. For example, change the configured IP address to allow public access (i.e. '0.0.0.0') from the Internet.

Monitoring your Microsoft Azure cloud account for "Create Network Security Group Rule" and "Update Network Security Group Rule" events is essential for keeping your Azure virtual network and the resources within the network secure. With Conformity RTMA monitoring feature you can have complete visibility over your network security group rule changes. This can help you to reduce the time it takes to detect suspicious activity and ultimately prevent any accidental or intentional modifications that may lead to unauthorized access. Beyond prevention, you should be able to maintain the access to your Azure cloud resources secure by taking actions upon detection of any unusual activity at the network security group level and send real-time notifications, extremely useful when, for example, an unauthorized user is modifying a network security group rule to allow unrestricted inbound access to TCP port 22 (SSH), which increases the opportunities for malicious activity such as hacking, Man-In-The-Middle (MITM) and brute-force attacks.

"Delete Network Security Group" - Deletes a Azure network security group.

A network security group that is associated with a subnet or a network interface can't be deleted. If a network security group is disassociated and then deleted by an inexperienced user, your Azure virtual network configuration could be severely altered. To adhere to cloud security best practices and implement the Principle of Least Privilege (POLP), Conformity strongly recommends that you avoid as much as possible to provide your Azure users (except the network administrators) the permission to remove network security groups from your Microsoft Azure cloud account. The communication channels for sending RTMA notifications can be configured within your Conformity account. The list of supported communication channels that you can use to receive notification alerts for network security group deletion events are SMS, Email, Slack, Zendesk, ServiceNow, and PagerDuty.

"Delete Network Security Group Rule" - Deletes a Azure network security group rule.

To follow cloud security best practices and meet compliance requirements, you need to be aware of all the configuration changes made at the network security group level, including deletion operations. In this case, the activity detected by the Conformity RTMA feature could be a user action initiated through the Microsoft Azure Portal or an API request initiated programmatically using Azure CLI, that triggers the "Delete Network Security Group Rule" operational event.


The communication channels for sending RTMA notifications can be quickly configured in your Conformity account. The list of supported communication channels that you can use to receive notification alerts for network security group configuration changes are SMS, Email, Slack, PagerDuty, ServiceNow, and Zendesk.

Rationale

Monitoring configuration changes for your Microsoft Azure network security groups is crucial for keeping your cloud environment secure. With Conformity RTMA network configuration monitoring, you can gain complete visibility over your network security group changes. This can help prevent any accidental or intentional modifications that may lead to unauthorized access or other related security breaches. Beyond prevention, you should be able to maintain your Azure virtual network secure by taking actions upon detection of any unusual activity at the network level and send real-time notifications, extremely useful when, for example, an unauthorized user is modifying a network security group to allow unrestricted inbound access to a virtual network subnet, which increases the opportunities for malicious activity such as hacking and brute-force attacks.

References

Publication date Jul 1, 2021

Unlock the Remediation Steps


Gain free unlimited access
to our full Knowledge Base


Over 750 rules & best practices
for AWS and Azure

You are auditing:

Monitor Network Security Group Configuration Changes

Risk level: High