SIEM protects business

Wazuh was created in 2015 as a SIEM (Security Information and Event Management) platform and offers functions for detecting and responding to cyberthreats and controlling the status of systems that it covers. It is a free-of-charge tool based on the OSSEC (Open Source HIDS SECurity) system, which is a popular platform for detecting intruders in computer systems. The Wazuh system environment consists of three main components:

• Wazuh indexer is responsible for searching, storing and indexing data;
• Wazuh manager acts as the main module that collects and analyzes the received data;
• Wazuh dashboard constitutes the user interface.

Extensive capabilities

The platform is a HIDS (Host-Based Intrusion Detection System) tool, and therefore its primary way of collecting information is by obtaining it from systems via agents installed on them. These agents collect data on configuration, installed programs and modules, as well as other events.

The application has a function for managing groups. Using them, we are able to centrally and collectively manage the configuration of agents on multiple machines at the same time, which means greater efficiency and consistency of settings.

The options of integration with other tools make it easy to expand Wazuh’s capabilities. An example is interoperation with Suricata (to analyze network traffic) or Virustotal (file inspection for infection).
The resulting XDR (Extended Detection and Response) Wazuh tool is able to protect devices based on different systems (including Windows, Linux, MacOS or AIX).

The system in question is an open source tool, meaning that its code is publicly available. This allows users to check its features and configurations, which provides more control over the protection of their IT systems. In addition, the Wazuh community is active and supports the development of the tool by providing updates, patches and new features. The system continues to be developed and its documentation significantly facilitates the implementation process.

The capabilities of the tool are extensive. It collects and analyzes data from system logs in real time. After analyzing the information and comparing it with the rule database, it presents the results and, if necessary, sends alarms via e-mail or SMS (integration with AWS SNS). Examples of such notifications include successful/unsuccessful escalation of user privileges, an application error or use of all memory on the monitored system. Wazuh has over 4,000 default rules defined in its database that respond to events. In addition, the user can edit and write their own rules.

All of Wazuha’s capabilities are linked to MITRE ATT&CK (Adversarial Tactics, Techniques and Common Knowledge) functionality. This involves correlating the events recorded by the tool with known techniques used by attackers. An example may be a multiple login attempt (a suspected password guessing attack) or unauthorized access to files using the directory traversal method. Thus, Wazuh makes it easy to spot a dangerous situation in a large number of logged incidents and to trigger an automatic response.

Wazuh – sample dashboards

Responding effectively to incidents

The problem faced by security teams is an effective response to incidents. When an incident occurs, it must first be detected, then analyzed, and only in the next step can it be adequately responded to. Unfortunately, this is a time-consuming process, which in practice makes it impossible to effectively react manually to incidents in real time.

Wazuh also comes to the rescue here, as it has the function of actively responding to threats. This option allows you to use ready-made scripts that enable automatic blocking of the user or the IP address of the attack source, among other things. In addition to ready-made scripts, the system allows you to program your own scripts and completely adapt them to your needs. With this feature, it is possible to virtually block an attack when it occurs.

In order to break into systems, criminals exploit existing vulnerabilities, that is, gaps in operating systems or installed applications. The basic countermeasure is to make timely updates that will eliminate these vulnerabilities. Wazuh will also help you in this matter, since its primary function is to monitor the system for vulnerabilities.

The knowledge base for Wazuha is the National Vulnerability Database (NVD) and operating system providers. Wazuh informs the user about the level of threat, the unique CVE identifier, the name of the application affected by the vulnerability, the current version of the application and the recommended version that patches the indicated vulnerability.

The system also scans selected files for their integrity (FIM, File Integrity Monitoring). For this purpose, metadata including file size changes, file access permissions, content changes, and MD5, SHA1, and SHA256 checksums are analyzed.

This product also enables analysis of compliance with regulations and standards. The tool analyzes system settings and available logs for compliance with security requirements. Currently, Wazuh supports such standards as: PCI DSS, RODO, NIST 800-53, GPG13, TSC SOC2 and HIPAA.

Wazuh is a comprehensive tool for monitoring, detecting and responding to cyberthreats, offering advanced event detection, security management and integration with other tools. As a free and open source solution, it can be an attractive choice for organizations looking for an effective and low-cost tool that will protect them against cyberattacks and help meet regulatory requirements related to data security.

However, the tool requires proper configuration and management to be fully effective in protecting against cyberthreats. Wazuh implementation may require advanced IT security knowledge and experience in configuring and managing security tools. All for One Poland’s consultants are here to help.

Waldemar Sokołowski, Board Member, IT Services Director, All for One Poland