
Imagine this situation: you’ve implemented all the security measures, purchased the necessary (and expensive) tools, and have even set them up, yet still, you can’t shake off the feeling of uncertainty…
However, this is still an overly optimistic picture. In most companies, information security is only beginning to follow a structured path towards a brighter and safer future. Many processes are undefined or not functioning at all, security products are not fully configured or deployed, and so on. There is no complete inventory of IT assets, and the network segments, their protection, and the routing between them are poorly understood.
That’s exactly how things stood in the company where I recently implemented a security system based on Wazuh. I had worked with this platform before and was familiar with its potential, so there was no doubt about the choice.
Using Wazuh, we first conducted an inventory to understand the landscape: the components of our infrastructure and potential weaknesses. We then configured security event collection and activated the Vulnerability Management system. This allowed us to gain a clear understanding of the current state of the infrastructure and establish a foundation for further strengthening.
In this article, I’ll break down the key aspects of how Wazuh operates, the advantages it offers, and how it can serve as a foundation for robust security for companies of any size. Additionally, I will share practical examples of its use.
What is Wazuh?
Wazuh is a modern, multi-functional open-source platform. It combines intrusion detection, protection of information systems against a wide range of threats, and incident response. Wazuh correlates and analyzes the collected data against rules, which makes it possible to detect abnormal activity and deliver timely threat information.
The modular structure combined with the open-source nature of the platform ensures scalability and flexibility, making it easier to adapt to the needs of organizations of various sizes. Wazuh collects, normalizes, and correlates data from different sources, such as agents installed on operating systems, syslog logs, and more. Additionally, Wazuh can be integrated with other security systems and analytics platforms.
Here are the main types of events handled by Wazuh:
- Application and system errors
- Notifications about incorrect configurations
- Information on malicious activities or attempted intrusions
- Alerts on policy violations and other security breaches
- Changes to file attributes or integrity violations
- Software scanning results
- Details about the operating system, running processes, installed applications, and inventory information (such as serial number, processor type, RAM capacity, etc.)
High-Level Architecture of Wazuh

Let’s take a look at the different types of component interactions.
Agents and Manager:
– Agents are deployed across different devices and constantly monitor the system for changes, potential threats, or anomalies.
– The collected data is sent to the manager.
Manager and Indexing Service:
– The manager analyzes the data received from the agents and generates alerts when threats are detected.
– Processed data and alerts are sent to the indexing service via an API on port 9200 (TCP) for storage and further analysis.
Manager and Database:
– The manager interacts with the database to store configurations, security policies, and other necessary information.
Dashboard and Manager/Indexing Service:
– The dashboard communicates with the manager via an API on port 55000 (TCP) to retrieve information.
Users and Dashboard:
– Users access the system through the web interface of the dashboard.
Use Cases
Let’s take a look at how Wazuh can be integrated into an organization’s infrastructure.

The diagram above illustrates the organization’s operational workflows. Employees’ devices and service virtual machines are equipped with Wazuh agents, which enable the tracking of security-related events, including log collection and activity monitoring. This data is centrally sent to the main Wazuh analytics system for detailed analysis.
The events received from the Web Application Firewall (WAF) are also sent to the Wazuh server. This process helps to continuously monitor attacks on web applications.
Logs from Identity and Access Management (IAM) systems are also integrated with Wazuh. Analyzing these logs enables the system to detect unusual user activity, as well as log successful and unsuccessful authorization attempts. This is crucial for timely identification of potential account compromises.
Event data from VPN connections sent to Wazuh includes information about both successful and unsuccessful connection attempts via VPN. This is useful for identifying attacks such as password guessing and for detecting login attempts from unusual countries.
So, we have integration with WAF, IAM, and VPN, which, let’s admit, is quite impressive.
Wazuh allows you to create custom decoders and rules for detecting various security events. Decoders normalize events, simplifying their analysis, while rules enable prompt notification of critical incidents.
Let’s explore some practical examples of how these features can be used.
Securing Active Directory

With configured rules, Wazuh users can analyze Directory Replication Service (DRS) events from Windows event logs. This is particularly useful for detecting anomalies in replication requests that are characteristic of DCSync attacks. By setting appropriate rules for specific Event IDs and their properties, the system will provide timely alerts about suspicious activities.
The rules can extract and analyze requests to the Kerberos Ticket-Granting Service (TGS) from event logs. A rule that tracks frequent TGS requests, especially when related to service accounts, helps in detecting attempts at Kerberoasting attacks.
Additionally, by collecting NTLM authentication events, Wazuh assists in detecting pass-the-hash attacks. Rules configured to identify specific patterns of behavior generate alerts when someone uses credentials in a suspicious manner.
Here’s an example of how this can be configured using rules for Wazuh.
<group name="security_event, windows,">
  <rule id="110001" level="12">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^4662$</field>
    <field name="win.eventdata.properties" type="pcre2">{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}|{19195a5b-6da0-11d0-afd3-00c04fd930c9}</field>
    <options>no_full_log</options>
    <description>Directory Service Access. Possible DCSync attack</description>
  </rule>
  <rule id="110009" level="0">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^4662$</field>
    <field name="win.eventdata.properties" type="pcre2">{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}|{19195a5b-6da0-11d0-afd3-00c04fd930c9}</field>
    <field name="win.eventdata.SubjectUserName" type="pcre2">\$$</field>
    <options>no_full_log</options>
    <description>Ignore all Directory Service Access that is originated from a machine account containing $</description>
  </rule>
  <rule id="110002" level="12">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^4769$</field>
    <field name="win.eventdata.TicketOptions" type="pcre2">0x40810000</field>
    <field name="win.eventdata.TicketEncryptionType" type="pcre2">0x17</field>
    <options>no_full_log</options>
    <description>Possible Kerberoasting attack</description>
  </rule>
  <rule id="110003" level="12">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^4624$</field>
    <field name="win.eventdata.LogonProcessName" type="pcre2">seclogo</field>
    <field name="win.eventdata.LogonType" type="pcre2">9</field>
    <field name="win.eventdata.AuthenticationPackageName" type="pcre2">Negotiate</field>
    <field name="win.eventdata.LogonGuid" type="pcre2">{00000000-0000-0000-0000-000000000000}</field>
    <options>no_full_log</options>
    <description>Possible Pass the hash attack</description>
  </rule>
</group>
By following these simple steps, we receive notifications about basic attacks on Active Directory. The architecture is easily scalable.
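To check that the rule logic above behaves as intended before loading it on a manager, here is an added example (my own Python, not code from the article or from Wazuh) that evaluates the same four conditions over a few constructed events in the shape of Wazuh's decoded eventchannel fields. It also makes one caveat visible: the machine-account exclusion (rule 110009) only suppresses the DCSync alert if it is evaluated before rule 110001, so it is tested first here; on a real manager, confirm the effective ordering with wazuh-logtest.

```python
import re

# Patterns copied from the rules above: the DRS replication GUIDs in the
# Properties field of event 4662 and the null logon GUID used by rule 110003.
DRS_GUIDS = r"\{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2\}|\{19195a5b-6da0-11d0-afd3-00c04fd930c9\}"
NULL_GUID = "{00000000-0000-0000-0000-000000000000}"

def _has(event, name, pattern):
    """A pcre2 <field> in Wazuh is an unanchored search; mirror that here."""
    return re.search(pattern, event.get(name, "")) is not None

def evaluate(event):
    """Return (rule_id, level, description) for the matching rule, or None.
    The machine-account exclusion (rule 110009) is tested before the DCSync
    alert so that it really suppresses it."""
    eid = event.get("win.system.eventID")
    if eid == "4662" and _has(event, "win.eventdata.properties", DRS_GUIDS):
        if _has(event, "win.eventdata.SubjectUserName", r"\$$"):
            return ("110009", 0, "Ignore Directory Service Access from a machine account")
        return ("110001", 12, "Directory Service Access. Possible DCSync attack")
    if (eid == "4769" and _has(event, "win.eventdata.TicketOptions", "0x40810000")
            and _has(event, "win.eventdata.TicketEncryptionType", "0x17")):
        return ("110002", 12, "Possible Kerberoasting attack")
    if (eid == "4624" and _has(event, "win.eventdata.LogonProcessName", "seclogo")
            and _has(event, "win.eventdata.LogonType", "9")
            and _has(event, "win.eventdata.AuthenticationPackageName", "Negotiate")
            and _has(event, "win.eventdata.LogonGuid", re.escape(NULL_GUID))):
        return ("110003", 12, "Possible Pass the hash attack")
    return None

def alerts(events):
    """Ids of the rules that would raise an alert (level > 0), one per event."""
    return [r[0] for r in map(evaluate, events) if r and r[1] > 0]

# Constructed sample events in the shape of Wazuh's decoded eventchannel fields
# (not real captures): a replication read by a user, the same read by a domain
# controller's machine account, an RC4 TGS request, a logon-type-9 "seclogo"
# logon, and a benign RDP logon that must stay quiet.
SAMPLE_EVENTS = [
    {"win.system.eventID": "4662", "win.eventdata.SubjectUserName": "jdoe",
     "win.eventdata.properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"win.system.eventID": "4662", "win.eventdata.SubjectUserName": "DC02$",
     "win.eventdata.properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"win.system.eventID": "4769", "win.eventdata.TicketOptions": "0x40810000",
     "win.eventdata.TicketEncryptionType": "0x17"},
    {"win.system.eventID": "4624", "win.eventdata.LogonType": "9",
     "win.eventdata.LogonProcessName": "seclogo", "win.eventdata.LogonGuid": NULL_GUID,
     "win.eventdata.AuthenticationPackageName": "Negotiate"},
    {"win.system.eventID": "4624", "win.eventdata.LogonType": "10",
     "win.eventdata.LogonProcessName": "User32",
     "win.eventdata.AuthenticationPackageName": "Negotiate"},
]
```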
“PowerShell Nuisances”

Wazuh provides the capability to integrate various logs and log files, allowing you, for example, to incorporate events from the Windows PowerShell log.
Once the relevant log is connected, you can create appropriate decoders and rules to record key events. However, without filtering incoming data, there’s a risk of receiving too many events, including irrelevant ones, since all log entries will be processed. To address this issue, the next step involves creating a dictionary of commands to monitor and incorporating lists of commands that pose potential risks.
How can this be implemented? Add the path to the dictionary of “dangerous” commands in the main ossec.
configuration file.
<list>etc/lists/malicious-powershell</list>
Next, let’s write the rules.
<var name="MS_FREQ">8</var>
<group name="windows,">
  <rule id="100543" level="12">
    <if_sid>100541</if_sid>
    <list field="win.eventdata.scriptBlockText" lookup="match_key">etc/lists/malicious-powershell</list>
    <description>Malicious Powershell Command $(win.eventdata.scriptBlockText) Executed</description>
    <options>no_full_log</options>
  </rule>
</group>
By configuring Wazuh to monitor only potentially dangerous commands, you can reduce the number of false alerts, which simplifies monitoring and enhances its effectiveness.
Wazuh and Databases

The scalable log monitoring architecture in Wazuh supports seamless integration with PostgreSQL logs (postgresql-*-main.
). By connecting PostgreSQL logs, the system can record critical database events in real-time, such as database creation and deletion, changes in table structure, and data manipulations.
Wazuh uses decoders and rules to monitor PostgreSQL logs, allowing it to detect and record suspicious or unauthorized activities involving the database.
For example:
<group name="postgresql,">
  <rule id="100080" level="0">
    <decoded_as>postgresql</decoded_as>
    <description>No alerts.</description>
  </rule>
  <rule id="100081" level="4">
    <if_sid>100080</if_sid>
    <match type="pcre2">(?i)create database</match>
    <description>A database $(database) has been created by the user $(db_user).</description>
  </rule>
  <rule id="100082" level="6">
    <if_sid>100080</if_sid>
    <match type="pcre2">(?i)drop database</match>
    <description>A database $(database) has been deleted by the user $(db_user).</description>
  </rule>
  ...
</group>
With this configuration, Wazuh will also alert you about unauthorized manipulations with databases.
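The custom decoder that supplies $(database) and $(db_user) is not shown above, so here is an added Python example (my own, not the article's or Wazuh's code) that does the same job over constructed log lines. It assumes the Debian/Ubuntu default log_line_prefix '%m [%p] %q%u@%d ' and log_statement = 'ddl', adds a table-structure rule (id 100083) of its own, and shows one caveat: the database in the prefix is the session database, so the name of the created or dropped database has to be taken from the statement itself.

```python
import re

# Assumes log_line_prefix = '%m [%p] %q%u@%d ' and log_statement = 'ddl', so
# DDL arrives as "LOG:  statement: ...". Another prefix needs another LINE_RE.
LINE_RE = re.compile(
    r"^(?P<timestamp>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<db_user>[^@\s]+)@(?P<database>\S+) "
    r"(?P<severity>[A-Z]+):\s+(?P<message>.*)$"
)
STMT_RE = re.compile(r"^statement:\s+(?P<sql>.*)$")
# Name of the database a CREATE/DROP DATABASE acts on: $(database) from the
# prefix is the session database (usually "postgres"), not the target.
TARGET_RE = re.compile(r'^(?:create|drop)\s+database\s+(?:if\s+(?:not\s+)?exists\s+)?"?(?P<name>\w+)', re.I)

# (id, level, pattern, description) mirroring rules 100081/100082 above; the
# ALTER/DROP TABLE rule 100083 is an addition made here, not from the article.
RULES = [
    ("100081", 4, re.compile(r"(?i)create database"),
     "A database {target} has been created by the user {db_user}."),
    ("100082", 6, re.compile(r"(?i)drop database"),
     "A database {target} has been deleted by the user {db_user}."),
    ("100083", 5, re.compile(r"(?i)\b(?:alter|drop) table"),
     "Table structure changed by the user {db_user} in database {database}."),
]

def decode(line):
    """Split one log line into the fields a Wazuh decoder would extract."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    s = STMT_RE.match(fields["message"])
    # Match only the statement text, so "ERROR: permission denied to create
    # database" does not fire the "database created" rule.
    fields["sql"] = s.group("sql") if s else ""
    return fields

def match_rule(fields):
    for rule_id, level, pattern, template in RULES:
        if pattern.search(fields["sql"]):
            t = TARGET_RE.match(fields["sql"])
            target = t.group("name") if t else fields["database"]
            return rule_id, level, template.format(target=target, **fields)
    return None

def scan(log_text):
    """Alerts (rule id, level, description) for every line matching a rule."""
    decoded = filter(None, map(decode, log_text.splitlines()))
    return [hit for hit in map(match_rule, decoded) if hit]

# Constructed sample log, not a real capture.
SAMPLE_LOG = """\
2024-05-03 10:15:21.123 UTC [4321] admin@postgres LOG:  statement: CREATE DATABASE payroll;
2024-05-03 10:15:22.456 UTC [4322] app@payroll LOG:  statement: ALTER TABLE staff ADD COLUMN iban text;
2024-05-03 10:16:02.789 UTC [4323] app@postgres ERROR:  permission denied to create database
2024-05-03 10:20:40.001 UTC [4324] admin@postgres LOG:  statement: DROP DATABASE payroll;
"""
```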

Swift Detection of Emerging Vulnerabilities

By using the Wazuh API, you can quickly retrieve data about package versions and configurations from each connected agent. This approach is especially useful when the vendor has not yet patched a vulnerability in the OS. Wazuh enables you to identify vulnerable hosts in advance based on the version of a package that contains a known vulnerability. This can be utilized until a patch is released.
Open Source and Domestic Operating Systems
Wazuh is compatible with RED OS, Astra Linux, and other distributions that you might encounter with clients. To work with them, you can simply edit /
, but due to discrepancies in the package base descriptions, this might lead to false positives.
The correct approach is to rebuild the packages from the source code and integrate RED OS or Astra Linux as new providers within the Wazuh environment. This will enable Wazuh to precisely scan and analyze domestic distributions.
Wazuh and Docker Integration

The Wazuh module for Docker (Docker-listener) enables tracking of events related to key Docker commands and actions that affect container management. Specifically, the module logs commands such as docker
, docker
, docker
, among other important operations. These rules are available “out of the box,” requiring only the configuration of the Docker-listener module.
Integration with External APIs
Wazuh Integrator enables connections to external APIs and various tools. By default, it’s configured for several well-known platforms, but it offers flexible settings, allowing you to configure custom integrations.
For instance, integration with a SOAR (Security Orchestration, Automation, and Response) system allows you to unify solutions into a single system and automate incident response. Additionally, you can connect Wazuh to VirusTotal for threat analysis. And this is just a small portion of what this module can offer.
Wazuh and SCA Benchmark
Security Configuration Assessment (SCA) is an audit of the security settings of an organization’s systems, ensuring they comply with established policies. One of the main strategies for endpoint protection is hardening, which involves minimizing vulnerabilities.
Software Composition Analysis (SCA) not only helps identify and assess vulnerabilities but also suggests corrective measures for addressing them. This significantly reduces the attack surface and enhances the overall resilience of the system.
The SCA module in Wazuh regularly scans monitored endpoints to identify vulnerabilities and deviations. This process relies on policies that contain a set of rules to check the current system configurations.
Policy files define the conditions for meeting security requirements. For example, SCA (Security Configuration Assessment) checks for the presence of files and directories, registry keys and values, running processes, and recursively analyzes directory contents to detect anomalies.
Wazuh leverages CIS Benchmarks to automatically assess system configurations for compliance with security requirements. During scanning, it identifies deviations from CIS standards.
CIS
The Center for Internet Security (CIS) is a nonprofit organization dedicated to enhancing cybersecurity. CIS develops standards and guidelines like CIS Benchmarks and CIS Controls, which are widely used to protect information systems and data.
CIS Benchmarks are guidelines for the secure configuration of operating systems, server applications, cloud services, and software. They are developed and updated by security experts who take into account current threats and technologies.
CIS Controls are a set of prioritized actions designed to thwart the most dangerous cyber attacks. They assist organizations in focusing on the key aspects of security.
Conclusions
I believe I’ve demonstrated that Wazuh is not just another tool, but a comprehensive platform that can be easily adapted for various tasks. It’s a versatile tool in the security arsenal: from protecting Active Directory and working with PowerShell to safeguarding databases and swiftly identifying vulnerabilities. Wazuh supports all operating systems and integrates with Docker and external APIs.
In summary, the benefits for company employees are clear: by mastering Wazuh, specialists significantly enhance their knowledge base, making them more competitive in the IT and cybersecurity job market. For company owners, having a Wazuh expert on staff can lead to substantial savings on enterprise cybersecurity products, particularly when starting to consider cybersecurity solutions.
