What’s Wazuh?

10150608476?profile=RESIZE_400xWelcome to the new normal, the cybersecurity threat landscape has gotten progressively more complex and dangerous.  The online world is full of data thieves, extortionists, and even state actors looking to exploit vulnerabilities in businesses' digital defenses.  The cyber threat actors have the upper hand at the moment. Part of the reason for that is the fallout from the rapid digitization made necessary by the COVID-19 pandemic.  According to research on the subject, more than half of businesses have yet to mitigate the risks created by that digitization. And when you add a persistent shortage of cybersecurity workers to that fact, you have the makings of a scary situation.[1]

There are many plans and actions that organizations can take to augment their defenses as they look to mitigate cyber risks.  Surprisingly, some of those options will not cost them anything.  Note to readers; this is not a product endorsement of any kind.  Red Sky Alliance wants to inform its members, clients, and readers of solutions that can help them protect against cyber-attacks. A recent example of that is the open-source security platform Wazuh  https://wazuh.com  It offers businesses a free solution to the following top six cyber threats.

Ransomware and Malware - Of all of the digital threats businesses now face, there is one that most experts agree is the most pressing. It is the threat of ransomware. Ransomware is a type of malware designed to hold business systems and data hostage using sophisticated encryption technology. Once it gets into a business network, it will encrypt valuable data and demand payment to return access to that data to the business.

There is never any guarantee that a payment will result in the data getting released. Do you think that crooks are trustworthy?  It is estimated that 80% of businesses that do pay to get their data back end up getting retargeted for a second attack. The only cost-effective way to deal with ransomware is to avoid it in the first place.

There are a few ways that Wazuh accomplishes this on the machines that are running it. First, it uses a "Scanless Vulnerability Detection" module that works with a CVE (Common Vulnerabilities and Exposures) database to search for vulnerabilities in the software and hardware. Second, it looks for misconfigurations that could allow malicious software to propagate.  Third, it conducts file system surveillance using the "File integrity monitoring" feature to look for the telltale signs of a ransomware attack in real-time.

Network-Based Intrusions - One of the reasons that threats like ransomware, backdoor, and malware are so dangerous is their ability to spread within a compromised business network.  That means a security flaw on a single machine could end up leading to a company-wide cyberattack.  And the only way to spot something like that is to monitor network traffic to look for unusual activity.

Wazuh does this by integrating with another industry-leading open-source solution called Suricata  https://surita.io    It is sophisticated intrusion detection, prevention, and network security monitoring platform that can detect cyber-attacks and halt.  In addition to another free component OwlH https://owlH.com , network managers can see a complete visualization of network utilization to spot potential threats before they cause real damage.

Vulnerable and Outdated Software - The majority of cyber-attacks exploit vulnerabilities that software vendors are already aware of. The reason they can do that is the fact that computer users and particularly business users are lax at keeping their software up to date.  By installing all updates and patches on time, businesses can gain an instant upgrade to their cyber defenses.

Wazuh can help organizations by performing network-wide vulnerability scans that can identify known security flaws.  By using a single interface, it identifies missing security patches that will fix the problems when available. That makes it easier for administrators to patch known vulnerabilities and keep track of those for which patches aren't yet available.

DDoS Attacks - A common cyber threat involves the use of internet traffic to paralyze a targeted system or network.  It is known as a distributed denial of service (DDoS) attack, and while not typically destructive, it can lead to hours of downtime for a target. Cybercriminals carry out such attacks by harnessing the power of thousands of compromised computers and devices to direct a wave of meaningless internet traffic toward their target.  Eventually, the affected system runs out of resources to deal with it and is effectively knocked offline.

There are built-in out-of-the-box rules in Wazuh that can identify brute-force and DDoS attacks by correlating multiple authentication failure events. In this way, the platform can help network administrators to short-circuit ongoing DDoS attacks and stop brute-force hack attempts aimed at open SSH and RDP ports.

Data Leaks - One of the biggest cyber threats organizations have to deal with is the chance that their proprietary or other sensitive data will fall into the wrong hands. Often, it occurs when an unauthorized user gains access to a protected system and exfiltrates data. At other times it happens through the carelessness or malice of a disgruntled employee or other insiders.

To protect against the former, Wazuh has a range of real-time monitoring features that can detect unauthorized access via custom rules, alerting managers when malicious commands are executed.  It can also monitor employees' use of external storage devices like USB drives to help administrators enforce the business's data security policy. It can even run audits of any command-line use by authorized users, to look for attempts at bypassing GUI-based restrictions on data access.

Regulatory Compliance - Cybercriminals are not the only digital threat that businesses have to deal with. They may also face repercussions from failing to abide by regulatory standards they are subject to. As the number of those standards continues to increase, there is an increased burden on businesses to guarantee their compliance.

The good news is that Wazuh is built with compliance in mind. Its built-in detection and logging rules are mapped to various major compliance requirements. This means it can automatically attach compliance information to the alerts it generates.

The regulatory frameworks it supports out of the box include:

  • Trust Services Criteria (TSC SOC2)
  • Payment Card Industry Data Security Standard (PCI DSS)
  • NIST Special Publication 800-53 (NIST 800-53)
  • General Data Protection Regulation (GDPR)
  • Good Practice Guide 13 (GPG13)
  • Health Insurance Portability and Accountability Act (HIPAA)

Those features aid administrators in the complex task of compliance and in fulfilling their reporting requirements as necessary.

The Bottom Line - The cyber threat landscape is continuing to evolve and presents an ever greater security challenge to businesses.  And for that reason, they must use all of the tools at their disposal to defend themselves.  Wazuh offers businesses a sophisticated security platform without the need for massive technology investment.  Do to its versatility it should be considered as an affordable solution for any business to meet the challenges of modern cybersecurity.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com     

Weekly Cyber Intelligence Briefings:

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989

 

[1] https://thehackernews.com/2022/02/a-free-solution-to-protect-your.html

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!