SIEM Protection in 2023 | Wazuh

2023, Mar 26    

SIEM Protection with Wazuh

Data breaches seem to arrive like product features in the IT world these days. Sites like this publish a running list of data breaches, hacks, and exposures across the industry. How do all these boiler-room start-ups stay current on protection while building applications for the masses? How do they get acclimated without breaking the bank, and how do they decide what matters in their infrastructure when it comes to PCI compliance, SIEM, CIS benchmarks, and everything else on offer? That is where Wazuh comes in. Why ask all these questions, and why Wazuh? Let me try to break down what Wazuh is, how to pronounce it, ways to install it, and why it may work for you.

Wazuh and wallets

Wazuh, pronounced 'wa-zoo' (unconfirmed, but common in the industry), is a SIEM. SIEM, pronounced "sim", is an acronym for Security Information and Event Management, and it combines two older product categories: security information management and security event management. The information half is data and log aggregation: collecting and indexing logs so you can search them for exploit attempts, errors, and other anomalies, with alerts in place so engineers can mitigate a vulnerability before it becomes a breach. The event half is the monitoring and management of security events and the vulnerabilities behind them. Big-name products like Splunk handle log aggregation and give you the evidence trail for security breaches, data leaks, network leaks, and general network activity. Others, like SolarWinds, cover intrusion detection and threat intelligence: handling hacks and data breaches, or running and reporting compliance checks to make sure servers are up to date. The bad thing about these applications is that the free trial ends in per-server licensing that can run up to $4,500 a month. Wazuh is a free, open source, enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response, and compliance.

Wazuh components

Wazuh is a security platform that provides unified XDR (extended detection and response) and SIEM protection for endpoints and cloud workloads. Web servers, database servers, caching servers, whatever you are working with, Wazuh can help protect it. The site and docs put it like this:

Wazuh is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity monitoring, policy monitoring, rootkit detection, real-time alerting, active response, vulnerability detector, etc.

The solution is composed of a single universal agent and three central components: the Wazuh server, the Wazuh indexer, and the Wazuh dashboard. All three central components can run on one host (the all-in-one layout that the docker single-node deployment uses) or be split across hosts once alert volume calls for it. They can be deployed in your own cloud, or you can pay for Wazuh's hosted cloud platform, which is where the project makes its money. This is an open source product, and one I use in my development environment, so this post covers setting up Wazuh in your local dev environment as well. The same setup can be used in production, but look first into whether it is a good fit for you. Many companies find a solution that seems to fit at one point and then fails years down the road when no one with the experience is around to maintain it, so it is important to test this out locally or talk to the Wazuh team about migration efforts before committing. Let's break down the dev containers and components that make up this version of Wazuh.

  • The Wazuh indexer: a full-text search and analytics engine that stores and indexes the alerts generated by the Wazuh server.
  • The Wazuh server: analyzes the data received from the Wazuh agents, triggers alerts when threats or vulnerabilities are detected, and forwards those alerts to the indexer.
  • The Wazuh dashboard: the web interface, and the visualization layer for mining, analyzing, and navigating your data.

Setup

Wazuh is best deployed from Wazuh's own documentation and builds; the docs link to a docker deployment. Let's break down the docker-compose file and the other configuration settings required for sandbox and production servers. The official docs are where this was forked from.

Local Deployment & docker-compose

If you are following along with the Wazuh docker repo, check its README.md for documentation on generating SSL certificates, dashboard access, and more. One caveat worth stating up front: the single-node compose file ships with default credentials for the indexer (admin) and for the Wazuh API (wazuh-wui). Change them before any of the published ports are reachable from beyond localhost.

To build the Wazuh images in a local environment, run the following; the README then walks through generating the indexer certificates and bringing the stack up with docker-compose.

$ git clone https://github.com/tmeralus/wazuh-docker
$ cd wazuh-docker/build-docker-images
$ sh build-images.sh    # builds the manager, indexer and dashboard images locally
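For orientation, here is a trimmed sketch of the single-node layout that the wazuh-docker compose file wires together. It is an added example written for this post, not the repository's file verbatim: the image tag (4.4.0 is assumed here), the volume and ulimit sections, and the Filebeat TLS environment variables are omitted or abbreviated, and the credential values shown are the defaults the repo ships with, which you must change before any port is reachable from outside the host.

```yaml
# Added sketch of the wazuh-docker single-node layout (not the repo's file verbatim).
# Assumptions: image tag 4.4.0; volumes, ulimits and the Filebeat TLS variables are left out.
version: '3.7'

services:
  wazuh.manager:
    image: wazuh/wazuh-manager:4.4.0
    hostname: wazuh.manager
    restart: always
    ports:
      - "1514:1514"          # agent event channel
      - "1515:1515"          # agent enrollment
      - "55000:55000"        # Wazuh REST API (only publish if used from outside the host)
    environment:
      - INDEXER_URL=https://wazuh.indexer:9200
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=SecretPassword    # repo default: change before exposing
      - API_USERNAME=wazuh-wui
      - API_PASSWORD=MyS3cr37P450r.*-      # repo default: change before exposing

  wazuh.indexer:
    image: wazuh/wazuh-indexer:4.4.0
    hostname: wazuh.indexer
    restart: always
    ports:
      - "9200:9200"          # drop this mapping for a laptop sandbox; only the manager and dashboard need it
    environment:
      - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"

  wazuh.dashboard:
    image: wazuh/wazuh-dashboard:4.4.0
    hostname: wazuh.dashboard
    restart: always
    ports:
      - "443:5601"           # HTTPS web UI
    environment:
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=SecretPassword    # must match the indexer value above
      - WAZUH_API_URL=https://wazuh.manager
      - API_USERNAME=wazuh-wui
      - API_PASSWORD=MyS3cr37P450r.*-      # must match the manager value above
    depends_on:
      - wazuh.indexer
```

The three services map directly onto the three central components described above, and the two shared credential pairs (indexer and API) are exactly the values an attacker will try first against a stack found on the network. For a laptop sandbox, publish only 443 for the dashboard and 1514/1515 for agents, and keep 9200 and 55000 internal to the compose network unless something outside it has to reach them.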

More posts on the rest of Wazuh's benefits will follow.

Company Benefits of Wazuh

For companies shopping for a feature list like this one, Wazuh provides all of it for F-R-E-E.

Endpoint Security
    Configuration Assessment
    Malware Detection
    File Integrity Monitoring

Threat Intelligence
    Threat Hunting
    Log Data Analysis
    Vulnerability Detection

Security Operations
    Incident Response
    Regulatory Compliance
    IT Hygiene

Cloud Security
    Container Security
    Posture Management
    Workload Protection

Keeping all your data up to date with the latest security standards, analytics, and exploit intelligence can be costly. Wazuh helps limit that cost for your application and operations teams. From security log analysis to vulnerability detection, having an all-in-one solution that aggregates your data sounds like a win-win. Maybe Caesars Palace could have saved millions if they had a solution like this. I am in no way a paid partner of Wazuh, nor do I have any affiliation with them, but when I come across a solution that I have integrated into a company's architecture, I like to talk about it. So check it out and see for yourself.

In 2023, the year of layoffs, budget cuts, hacks, and vulnerabilities, I think Wazuh is a solid solution!