The Criminal Justice Information Services (CJIS) security policy 2022, version 5.9.1, establishes the standards for safeguarding sensitive criminal justice information (CJI) in the United States. Issued by the FBI, this policy specifies the necessary security measures to maintain the confidentiality, integrity, and availability of CJI throughout its lifecycle. It imposes stringent controls on data access and exchange, incident response, and physical protection against unauthorized access and cyber threats.

Compliance with the CJIS security policy is vital for agencies handling CJI, ensuring strong security amid evolving threats and protecting sensitive data crucial for public safety and investigations. Adhering to these standards maintains public trust, mitigates security risks by implementing best practices, and avoids legal and regulatory penalties. It enables secure information sharing and collaboration between agencies, enhancing law enforcement operations and protecting the integrity of the criminal justice system.

How Wazuh helps to meet CJIS requirements

Wazuh is an open source security platform that helps organizations meet the requirements of the CJIS security policy 2022, version 5.9.1. It offers comprehensive capabilities, including threat detection, log data analysis, file integrity monitoring, and vulnerability detection, to protect sensitive criminal justice information (CJI). These capabilities help ensure the confidentiality, integrity, and availability of CJI, strengthening an organization's security posture against unauthorized access and cyber threats.

Wazuh SIEM and XDR

The Security Information and Event Management (SIEM) and Extended Detection and Response (XDR) capabilities of Wazuh help organizations monitor, detect, and respond to security threats in real time. The CJIS security policy requires organizations to have controls that can intelligently determine which circumstances constitute a security incident, and to be able to detect the execution of malicious code and ransomware. By collecting and analyzing log data from various sources, Wazuh provides the visibility that facilitates threat detection and timely incident response, thereby reducing the Mean Time To Detect (MTTD) and Mean Time To Respond (MTTR).

In this blog post, we describe how the following capabilities of the Wazuh SIEM and XDR help organizations comply with key CJIS requirements, including incident response, auditing and accountability, and information integrity.

  • Threat detection
  • Incident response
  • Vulnerability detection
  • File Integrity Monitoring (FIM)
  • Network security monitoring

Threat detection

Wazuh adopts behavior-based threat detection, monitoring and analyzing endpoint behavior to identify abnormal patterns. It comes with built-in threat detection rules and also integrates with external APIs and alerting tools such as VirusTotal, Maltiverse, and Slack, giving users a relevant and customizable experience. This enriches the detection and alerting capabilities of Wazuh, which increases an organization's ability to detect both known and previously unknown threats.

Users can also create custom rules to detect security incidents and generate alerts when events matching these rules are observed. This ensures organizations comply with section 5.10.2, Incident Detection and Analysis, of the CJIS security policy, which states that agencies must have processes and systems in place to detect, respond to, and mitigate incidents. You can find some use cases in the malware detection section of the Wazuh documentation.

The configuration below shows how Wazuh integrates with some of the external sources mentioned previously:

<!-- Integration with Slack -->
<integration>
  <name>slack</name>
  <hook_url>https://hooks.slack.com/services/...</hook_url> <!-- Replace with your Slack hook URL -->
  <level>10</level>
  <group>multiple_drops,authentication_failures</group>
  <alert_format>json</alert_format>
  <options>{"pretext": "Custom Title"}</options> <!-- Replace with your custom JSON object -->
</integration>

<!-- Integration with VirusTotal -->
<integration>
  <name>virustotal</name>
  <api_key>API_KEY</api_key> <!-- Replace with your VirusTotal API key -->
  <group>syscheck</group>
  <alert_format>json</alert_format>
  <timeout>30</timeout>
  <retries>5</retries>
</integration>

<!-- Integration with Maltiverse -->
<integration>
  <name>maltiverse</name>
  <hook_url>https://api.maltiverse.com</hook_url>
  <api_key>API_KEY</api_key> <!-- Replace with your Maltiverse API key -->
  <alert_format>json</alert_format>
</integration>

<!-- Custom external integration -->
<integration>
  <name>custom-integration</name>
  <hook_url>WEBHOOK</hook_url>
  <level>10</level>
  <group>multiple_drops,authentication_failures</group>
  <api_key>APIKEY</api_key> <!-- Replace with your external service API key -->
  <alert_format>json</alert_format>
  <options>{"data": "Custom data"}</options> <!-- Replace with your custom JSON object -->
</integration>

In this configuration:

  • <integration> – the configuration block for integrating with an external API
  • <name> – specifies the name of the platform to integrate with
  • <hook_url> – specifies the hook URL of the service
  • <api_key> – the authentication key for the external service
  • <alert_format> – the format in which alerts are passed to the integration

In addition, Wazuh offers users the capability to integrate with custom APIs to enrich threat detection.
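As an added example (not code from the Wazuh project), the following Python script shows what a custom integration such as the custom-integration block above can do with an alert: reshape the alert JSON into the payload a webhook expects and deliver it. It assumes the Wazuh integrator's calling convention of passing the alert file, API key and hook URL as the first three arguments, and further assumes that the <options> object arrives as a JSON file in a fourth argument; the sample alert and all its values are constructed.

```python
# Added example, not Wazuh's own integration code.
# Assumed invocation (Wazuh custom integration convention):
#     custom-integration <alert_json_file> <api_key> <hook_url> [<options_json_file>]
import json
import sys
import urllib.request


def build_payload(alert, options=None):
    """Turn one Wazuh alert (dict) into the JSON body sent to the hook URL.
    Fields a receiving system usually wants go to the top level; the whole
    alert is carried along under "raw" for later investigation."""
    rule = alert.get("rule", {})
    agent = alert.get("agent", {})
    payload = {
        "pretext": "Wazuh alert",
        "timestamp": alert.get("timestamp"),
        "agent": agent.get("name", "unknown"),
        "rule_id": rule.get("id"),
        "level": int(rule.get("level", 0)),
        "description": rule.get("description", ""),
        "groups": list(rule.get("groups", [])),
        "srcip": alert.get("data", {}).get("srcip"),
        "raw": alert,
    }
    # The <options> JSON object from ossec.conf overrides the defaults above.
    if options:
        payload.update(options)
    return payload


def post_alert(hook_url, api_key, payload, opener=urllib.request.urlopen):
    """POST the payload; here the API key travels as a bearer token (assumed).
    `opener` is injectable so the function can be exercised without a network."""
    req = urllib.request.Request(
        hook_url,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {api_key}"},
        method="POST",
    )
    with opener(req, timeout=10) as resp:
        return resp.status


def main(argv):
    alert_file, api_key, hook_url = argv[1:4]
    with open(alert_file) as f:
        alert = json.load(f)
    options = None
    if len(argv) > 4:  # assumption: <options> delivered as a JSON file
        with open(argv[4]) as f:
            options = json.load(f)
    post_alert(hook_url, api_key, build_payload(alert, options))


# Constructed sample alert: the shape follows Wazuh alert JSON, the values are made up.
SAMPLE_ALERT = {
    "timestamp": "2024-01-01T00:00:00.000+0000",
    "rule": {"level": 10, "id": "100001",
             "description": "Multiple authentication failures (constructed)",
             "groups": ["authentication_failures"]},
    "agent": {"id": "001", "name": "cji-app-01"},
    "data": {"srcip": "203.0.113.7"},
}

if __name__ == "__main__":
    main(sys.argv)
```

Because the integrator already filters on <level> and <group>, the script itself only has to shape and deliver the message; keeping the original alert under "raw" preserves the audit detail CJIS expects without forcing the receiving tool to understand Wazuh's schema.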

The image below shows threat detection alerts generated on the Wazuh dashboard.

CJIS Wazuh dashboard

Incident response

Section 5.3 of the CJIS security policy, which addresses Incident Response, specifies the necessary steps for incident response: identifying, addressing, and resolving security incidents. Identification requires organizations to detect security incidents through continuous monitoring and alerting. Addressing and resolving incidents means implementing strategies to contain them and prevent further damage.

Wazuh helps organizations respond to incidents through its Active Response module, which runs automated actions when certain threats are detected. Several out-of-the-box response actions are available, including disabling an account, blocking suspicious IP addresses, and deleting suspicious and malicious files. Wazuh also allows organizations to customize automated response actions to fit their requirements.

The configuration below shows how Wazuh responds to an incident using the Active Response module. In this use case, Wazuh uses the custom FIM rule 110002 to detect when a file is added to a monitored directory on an endpoint. This rule generates an alert on the Wazuh dashboard, which helps security analysts determine the exact time a change occurred and the details of that change. Once a file addition is detected, the configured active response triggers the remove-threat command, which runs the script that removes the added file, restoring the system to its previous state.

<command>
  <name>remove-threat</name>
  <executable>remove-threat.py</executable>
  <timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
  <disabled>no</disabled>
  <command>remove-threat</command>
  <location>local</location>
  <rules_id>110002</rules_id>
  <timeout>60</timeout>
</active-response>

In this configuration:

  • <name> – allows users to specify the command to be used, from the list of available out-of-the-box commands
  • <executable> – specifies the script to be executed by the command
  • <location> – states where the action should be performed, in this case on the monitored endpoint
  • <rules_id> – specifies the rule that triggers the active response

The alert below shows the response action taken to remove a threat on a monitored endpoint.

Active Response
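The script behind remove-threat.py is not shown on this page, so the following Python is an added example of what such an active response script can look like; it is not the Wazuh project's own script. It assumes Wazuh's stateful active response message format (the triggering alert arrives as one JSON line on stdin under parameters.alert, the script answers with a check_keys message and acts only after a continue reply) and reads the file path from alert.syscheck.path, as a FIM alert carries it. ALLOWED_ROOTS is a constructed value; it should list the directories syscheck monitors, so that a crafted or symlinked path in an alert cannot steer the deletion at something outside them.

```python
# Added example, not Wazuh's own remove-threat.py.
import json
import os
import sys
import tempfile

ALLOWED_ROOTS = ["/srv/cji-upload"]  # constructed; use the syscheck-monitored directories


def extract_path(message):
    """Return the file path the FIM alert refers to, or None."""
    alert = message.get("parameters", {}).get("alert", {})
    return alert.get("syscheck", {}).get("path")


def is_within(path, roots):
    """True only if the resolved path lies under one of the allowed roots.
    Resolving symlinks and '..' first keeps the response from being pointed
    at an unrelated system file."""
    real = os.path.realpath(path)
    for root in roots:
        root_real = os.path.realpath(root)
        if real == root_real or real.startswith(root_real + os.sep):
            return True
    return False


def handle_alert(message, roots=ALLOWED_ROOTS):
    """Decide and act on one alert; returns a short outcome string for the log."""
    if message.get("command") != "add":   # execd also sends "delete" on timeout
        return "ignored"
    path = extract_path(message)
    if not path:
        return "no-path"
    if not is_within(path, roots):
        return "outside-roots"
    if not os.path.isfile(path):
        return "missing"
    os.remove(path)
    return "removed"


def negotiate(message):
    """Handshake of the assumed stateful protocol: offer the key we would act
    on, proceed only if execd answers 'continue'."""
    reply = {
        "version": 1,
        "origin": {"name": "remove-threat", "module": "active-response"},
        "command": "check_keys",
        "parameters": {"keys": [extract_path(message) or ""]},
    }
    sys.stdout.write(json.dumps(reply) + "\n")
    sys.stdout.flush()
    answer = json.loads(sys.stdin.readline())
    return answer.get("command") == "continue"


def main():
    message = json.loads(sys.stdin.readline())
    if negotiate(message):
        outcome = handle_alert(message)
        # stderr ends up in the agent's active-responses.log (assumed)
        sys.stderr.write(f"remove-threat: {outcome} {extract_path(message)}\n")


def demo():
    """Offline run on constructed input: drop a file in a temporary root, feed
    a constructed rule-110002 alert, and also try a path that escapes the root.
    Returns (outcome, file_still_exists, outcome_for_escaping_path)."""
    root = tempfile.mkdtemp()
    dropped = os.path.join(root, "dropped.bin")
    with open(dropped, "wb") as f:
        f.write(b"constructed content")
    alert = {"command": "add", "parameters": {"alert": {
        "rule": {"id": "110002"},
        "syscheck": {"path": dropped, "event": "added"}}}}
    outcome = handle_alert(alert, roots=[root])
    escape = {"command": "add", "parameters": {"alert": {
        "syscheck": {"path": os.path.join(root, "..", "etc", "hosts")}}}}
    return outcome, os.path.exists(dropped), handle_alert(escape, roots=[root])


if __name__ == "__main__":
    main()
```

The root check is the part worth copying: an automated response that deletes whatever path an alert names is itself a hazard if an alert can be influenced, so the script acts only inside the directories it was written to protect and logs every other outcome instead.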

Vulnerability detection

The CJIS security policy includes specific guidelines on vulnerability detection to ensure the security and integrity of criminal justice information. According to section 5.10.4, System and Information Integrity Policy and Procedures, organizations are required to establish and maintain mechanisms for detecting, identifying, and reporting vulnerabilities in their information systems. These measures are essential for mitigating potential threats and safeguarding sensitive data. Wazuh scans monitored endpoints to identify outdated software, missing patches, and other vulnerabilities. This capability is not limited to on-premises infrastructure; it also covers cloud environments.

Key aspects of vulnerability detection for organizations in the CJIS security policy include:

  • Detection and reporting
  • Timely remediation

Detection and reporting

Wazuh aggregates vulnerability information from external sources, including Canonical, Debian, Red Hat, Arch Linux, ALAS, Microsoft, and the NVD, into the Wazuh Cyber Threat Intelligence (CTI) repository. Wazuh continuously collects inventory data from monitored endpoints, such as the operating system, installed software, and configuration. This inventory data is correlated with the Wazuh CTI information to identify known vulnerabilities.

A vulnerability scan is triggered when a new package is installed or an existing one is updated, ensuring that new vulnerabilities are detected promptly. When a vulnerability is identified, alerts are generated and displayed on the Wazuh dashboard, informing the security team of the severity, the affected assets, and the recommended remediation steps.

The image below shows a summary of the vulnerability data on the Wazuh dashboard.

Vulnerability data

The Wazuh dashboard shows the system inventory for each endpoint, allowing users to see when new vulnerabilities are discovered.

Wazuh dashboard system inventory

Wazuh keeps detailed logs and creates reports of all identified vulnerabilities and provides remediation recommendations. This documentation is crucial for audits and helps organizations show their compliance with the CJIS security policy. The reports can be personalized and scheduled to be sent to the right people, promoting transparency and accountability. Wazuh also enables users to download a report containing events related to discovered and resolved vulnerabilities. This helps identify endpoints with unresolved vulnerabilities and keep track of remediation activities.

Timely remediation

Prioritizing remediation efforts ensures that resources are allocated where they matter most and that issues are addressed promptly. Wazuh facilitates timely remediation by generating alerts and reports when vulnerabilities are detected. It assigns severity levels to the detected vulnerabilities and provides detailed information about each one, enabling security teams to prioritize and address critical issues first. In addition, Wazuh helps organizations track the remediation of identified vulnerabilities and report their status.

CJIS timely remediation
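To make the two preceding sections concrete, here is an added example (not Wazuh's vulnerability detection code) of the correlation step in Python: a constructed package inventory, standing in for what the agent collects, is matched against a constructed advisory feed, standing in for the CTI repository; an install or upgrade event re-evaluates only the package that changed, and the findings are ordered by severity so the remediation queue starts with the critical items. Package names, versions, operating system identifiers and the CVE-0000-000N ids are placeholders, and the simple version comparison is this example's own, not the one Wazuh uses.

```python
# Added example, not Wazuh's own code; all data below is constructed.
import re

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def version_key(version):
    """Sort key comparing numeric segments as numbers, so 1.10 > 1.9 and
    2.0-3 > 2.0-2; non-numeric segments compare as strings after numbers."""
    parts = re.split(r"[.\-+~]", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def is_affected(installed, advisory):
    """Affected when installed < fixed and, if given, installed >= introduced."""
    v = version_key(installed)
    introduced = advisory.get("introduced")
    if introduced and v < version_key(introduced):
        return False
    return v < version_key(advisory["fixed"])


def scan_package(name, version, os_id, feed):
    """Findings for one installed package against the feed."""
    return [
        {"package": name, "version": version, "cve": adv["cve"],
         "severity": adv["severity"], "fixed": adv["fixed"]}
        for adv in feed
        if adv["package"] == name and adv["os"] == os_id and is_affected(version, adv)
    ]


def prioritize(findings):
    """Most severe first, then by package name, for the remediation queue."""
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], f["package"]))


def scan_inventory(inventory, feed):
    """Full scan: every installed package against the feed."""
    findings = []
    for name, version in inventory["packages"].items():
        findings.extend(scan_package(name, version, inventory["os"], feed))
    return prioritize(findings)


def on_package_event(inventory, feed, name, new_version):
    """Install/upgrade event: update the inventory, rescan only that package."""
    inventory["packages"][name] = new_version
    return prioritize(scan_package(name, new_version, inventory["os"], feed))


# Constructed CTI-style feed: CVE ids are placeholders, not real identifiers.
FEED = [
    {"cve": "CVE-0000-0001", "package": "examplelib", "os": "ubuntu-22.04",
     "introduced": "1.0", "fixed": "1.2.4", "severity": "critical"},
    {"cve": "CVE-0000-0002", "package": "examplelib", "os": "ubuntu-22.04",
     "fixed": "1.10", "severity": "medium"},
    {"cve": "CVE-0000-0003", "package": "toolkit", "os": "ubuntu-22.04",
     "fixed": "3.0-2", "severity": "high"},
    {"cve": "CVE-0000-0004", "package": "toolkit", "os": "debian-12",
     "fixed": "3.1", "severity": "high"},
]

# Constructed inventory as an agent might report it.
INVENTORY = {"os": "ubuntu-22.04",
             "packages": {"examplelib": "1.2.3", "toolkit": "3.0-2", "other": "9"}}

if __name__ == "__main__":
    for finding in scan_inventory(INVENTORY, FEED):
        print(finding)
    print(on_package_event(INVENTORY, FEED, "examplelib", "1.2.4"))
```

With the constructed data, toolkit 3.0-2 is not reported because it already equals the fixed version for its operating system, and the Debian advisory is skipped because the OS does not match; upgrading examplelib to 1.2.4 clears the critical finding and leaves the medium one, which is what the dashboard's "resolved" versus "unresolved" view tracks.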

File Integrity Monitoring

Maintaining system integrity is one of the core security measures outlined in section 5.10 System and Communications Protection and Information Integrity of the CJIS security policy, and Wazuh supports organizations in this area with its File Integrity Monitoring module.

The Wazuh File Integrity Monitoring (FIM) module ensures the integrity of files and directories by tracking and recording all changes in real time. This module continuously monitors specified files and the Windows registry for modifications, additions, deletions, and permission changes, providing detailed audit trails crucial for forensic analysis and compliance reporting. Administrators can customize watch lists, generate alerts for unauthorized changes, and integrate with other security tools.

The CJIS security policy requires robust mechanisms to ensure the integrity of sensitive information. Some key capabilities of Wazuh FIM that help organizations meet these requirements are:

  • Continuous monitoring of files and directories, so that unauthorized or suspicious changes are detected immediately; the changes are logged and alerts are generated to enable a proactive response, preventing data breaches and unauthorized access to sensitive data.
  • Customization flexibility that allows organizations to specify which files to monitor, helping them focus on protecting the most critical and sensitive information, as required by the CJIS security policy.

The FIM use cases section of our documentation demonstrates how to utilize the Wazuh FIM module to address key security issues.

The sample configuration below shows some key attributes of Wazuh FIM that allow users to maintain the integrity of their systems:

<!-- File integrity monitoring -->
<syscheck>
  <disabled>no</disabled>
  <directories realtime="yes">/etc,/usr/bin,/usr/sbin</directories>
  <alert_new_files>yes</alert_new_files>
  <ignore>/etc/mtab</ignore>
</syscheck>

In this configuration:

  • <alert_new_files> – alerts when new files are added to a monitored directory
  • <directories realtime="yes"> – allows users to specify the directories to be monitored in real time
  • <ignore> – allows users to specify files and directories to exclude from checks

Below are alerts generated on the Wazuh dashboard by events from the Wazuh FIM module:

Wazuh FIM module

In addition to the alerts displayed in the Integrity Monitoring module of the Wazuh dashboard, users can generate and download a report of the alerts. This serves as evidence of compliance with the CJIS security policy, as it summarizes the changes made on monitored endpoints within an IT infrastructure.
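As an added illustration of what the FIM section describes, and not Wazuh's syscheck implementation, the Python below performs the baseline-and-compare logic of a file integrity monitor on a directory tree: it records a SHA-256 digest and the permission bits of each regular file, then classifies differences as added, deleted, modified or permission-changed, honouring an ignore list in the spirit of the <ignore> setting above. The directory layout, file contents and the changes applied in demo() are constructed; realtime monitoring, which syscheck gets from the operating system's change notifications, is outside this example.

```python
# Added example, not Wazuh's syscheck code.
import hashlib
import os
import stat
import tempfile


def snapshot(root, ignore=()):
    """Map each regular file under root to (sha256, permission bits),
    skipping ignored paths and symlinks."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if path in ignore or os.path.islink(path):
                continue
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            state[path] = (h.hexdigest(), stat.S_IMODE(st.st_mode))
    return state


def compare(baseline, current):
    """Classify the differences between two snapshots, mirroring the FIM
    event types (a file can be both modified and permission-changed)."""
    changes = {"added": [], "deleted": [], "modified": [], "permissions": []}
    for path in sorted(set(baseline) | set(current)):
        before, after = baseline.get(path), current.get(path)
        if before is None:
            changes["added"].append(path)
        elif after is None:
            changes["deleted"].append(path)
        else:
            if before[0] != after[0]:
                changes["modified"].append(path)
            if before[1] != after[1]:
                changes["permissions"].append(path)
    return changes


def demo():
    """Build a constructed tree, take a baseline, apply typical changes and
    return the classified diff with paths relative to the tree root."""
    root = tempfile.mkdtemp()

    def write(rel, data):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as f:
            f.write(data)
        return p

    write("etc/app.conf", "debug=no\n")
    binary = write("usr/bin/tool", "#!/bin/sh\necho ok\n")
    mtab = write("etc/mtab", "changes every boot\n")   # noisy file, ignored
    stale = write("etc/old.conf", "x\n")
    baseline = snapshot(root, ignore={mtab})

    # Constructed changes: a config edit, a setuid bit on an unchanged binary,
    # churn in the ignored file, a deletion and a new executable.
    write("etc/app.conf", "debug=yes\n")
    os.chmod(binary, 0o4755)
    write("etc/mtab", "rewritten\n")
    os.remove(stale)
    write("usr/bin/new-tool", "#!/bin/sh\n")

    diff = compare(baseline, snapshot(root, ignore={mtab}))
    return {kind: [os.path.relpath(p, root) for p in paths]
            for kind, paths in diff.items()}


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The permission case is the one that a content-only check misses: the binary's digest is unchanged, yet a new setuid bit is exactly the kind of change an integrity audit trail needs to record, which is why the snapshot stores mode bits next to the hash.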

Network security monitoring

Wazuh integrates with reputable network monitoring tools to enhance log collection and threat detection by monitoring and analyzing network traffic. This integration streamlines the collection and analysis of security events, allowing organizations to centralize their security event data from various sources, including network security monitoring tools.

In our network IDS integration proof of concept (POC), we show how Wazuh integrates with Suricata and uses the Emerging Threats Suricata ruleset to analyze network traffic and detect malicious communications.

The image below displays alerts generated by Wazuh through its integration with Suricata IDS:

CJIS integration Suricata ids

Conclusion

Wazuh helps organizations achieve and maintain compliance with the CJIS security policy through capabilities such as threat detection, incident response, File Integrity Monitoring (FIM), vulnerability detection, and third-party integrations. These capabilities make Wazuh a useful platform for law enforcement and public safety organizations. Wazuh integrates with third-party solutions, such as malware analysis platforms, network monitoring tools, and cloud infrastructure, supporting CJIS compliance by enriching data and harmonizing the security infrastructure.

By using Wazuh, organizations can monitor and protect sensitive criminal justice information, respond to incidents, and ensure data integrity. Wazuh not only helps achieve CJIS compliance but also strengthens the overall security posture, ensuring organizations are well-equipped to handle the evolving landscape of cyber threats.
