Ensuring NIS2 compliance with Wazuh

Wazuh 4.8.2

Network and Information Systems (NIS2) is a European Union (EU) legislation raising cybersecurity standards for businesses due to new cyber threats across the EU. It’s an update and expansion of the original NIS (Network and Information Systems) directive adopted in 2016. NIS2 broadens the scope to include energy, transport, banking, public administration, and space sectors. The directive requires organizations to manage risk, maintain corporate accountability, ensure business continuity during cyber incidents, and comply with strict incident reporting obligations.

NIS2 sets forth 10 minimum measures that organizations must adhere to, emphasizing areas like supply chain security, zero-trust authentication, and fostering a cyber-aware culture among employees. Compliance is critical, as failure to meet these requirements can result in severe penalties—up to €10 million or 2% of global turnover for essential entities. The EU has mandated that organizations comply with the NIS2 directive by October 2024. Organizations must proactively enhance their cybersecurity measures to avoid these risks and ensure robust protection against emerging cyber threats.

How Wazuh helps to meet NIS2 requirements

Wazuh is a unified Extended Detection and Response (XDR) and Security Information and Event Management (SIEM) open source security platform that provides a range of capabilities to help organizations address some of the minimum measures of the NIS2 directive. Wazuh offers threat detection and response, File Integrity Monitoring (FIM), Security Configuration Assessment (SCA), and vulnerability detection capabilities for securing network and information systems as required by NIS2.

In this blog post, we examine how the following Wazuh capabilities support compliance with the NIS2 extended sector scope and key requirements, including risk management and incident reporting.

  • Threat detection and response
  • File Integrity Monitoring
  • Security Configuration Assessment
  • Vulnerability detection
  • Incident reporting

Threat detection and response

Wazuh provides real-time monitoring, threat detection, and response to security incidents. Its effectiveness is crucial for proactive risk management under the NIS2 directive. With the expanded scope of NIS2 covering sectors such as energy, health, and other crucial organizations, Wazuh ensures security across these diverse environments.

Threat detection

Wazuh monitors endpoints running various operating systems both on-premises and in the cloud. Wazuh continuously monitors these endpoints for anomalies and potential security breaches, including the detection of malware that could compromise such endpoints. For example, by leveraging custom detection rules, Wazuh can identify specific threats, such as the Daolpu infostealer, which targets sensitive information. Wazuh analyzes log data and applies these custom rules to detect and respond to such threats, ensuring the security of your infrastructure. The image below shows alerts generated on the Wazuh dashboard when the Daolpu malware is run on a monitored endpoint.

[Image: NIS2 Threat Detection]

Wazuh extends its capabilities to monitoring databases, which are critical components of many business operations. By monitoring databases like PostgreSQL and MongoDB, Wazuh collects and analyzes log data to detect unauthorized access attempts and other anomalies that could indicate an emerging threat. This capability is essential in sectors such as healthcare, where the integrity and security of sensitive data are paramount. 

Incident response

The NIS2 directive emphasizes the need for a structured and effective response to security incidents. The Wazuh Active Response module helps organizations meet this requirement by enabling automated, real-time responses to detected threats.

The Wazuh Active Response module allows Wazuh to execute predefined actions when specific events are detected. These actions can include blocking suspicious IP addresses, disabling compromised accounts, or removing malicious files, thereby mitigating the impact of a cyber-attack before it causes significant damage.

The Wazuh Active Response module includes:

  • Real-time execution: The Wazuh Active Response module ensures that response actions are executed in real-time, minimizing the window of exposure and helping to contain threats effectively.
  • Customizable actions: Organizations can define response actions tailored to specific needs, such as executing scripts to isolate affected systems or notifying security teams via integrated alerting tools.

When Wazuh detects a potential malicious attack from a known malicious IP address, you can configure the Wazuh Active Response module to immediately block the source IP address, preventing further spread and data loss. The image below shows the Wazuh firewall-drop Active Response script blocking a known malicious host that was attempting an attack.

[Image: Active Response Module]
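The custom handler below is an added example, not Wazuh's own firewall-drop script. It follows the JSON-over-stdin protocol Wazuh 4.x uses for active response scripts (an add/delete message carrying the alert, then a check_keys round trip) and returns the decision instead of touching a firewall; the never-block ranges and the script name are assumptions, and the sample alerts in the test are constructed.

```python
"""Custom Wazuh active response handler (added example, not Wazuh's own
firewall-drop script). Speaks the JSON-over-stdin protocol of Wazuh 4.x
active responses and only reports the decision; wiring "block"/"unblock"
to a real firewall command is left to the caller."""
import ipaddress
import json
import sys

# Assumed: ranges that must never be dropped, so a spoofed or noisy alert
# cannot make the responder cut the host off from its own management network.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ORIGIN = {"name": "custom-drop", "module": "active-response"}  # assumed name

def parse_message(raw: str) -> dict:
    """Validate the manager's message and pull out the fields we act on."""
    msg = json.loads(raw)
    if msg.get("version") != 1 or msg.get("command") not in ("add", "delete"):
        raise ValueError("unsupported active response message")
    alert = msg["parameters"]["alert"]
    srcip = alert.get("data", {}).get("srcip")
    if not srcip:
        raise ValueError("alert has no data.srcip to act on")
    ipaddress.ip_address(srcip)  # rejects anything that is not an IP literal
    return {"command": msg["command"], "srcip": srcip,
            "rule_id": alert.get("rule", {}).get("id"),
            "agent": alert.get("agent", {}).get("name")}

def should_block(srcip: str) -> bool:
    """Only external, routable sources are candidates for a firewall drop."""
    ip = ipaddress.ip_address(srcip)
    if ip.is_loopback or ip.is_unspecified or ip.is_link_local:
        return False
    return not any(ip in net for net in NEVER_BLOCK)

def check_keys_message(srcip: str) -> str:
    """Protocol step: ask the manager whether this key is still valid."""
    return json.dumps({"version": 1, "origin": ORIGIN, "command": "check_keys",
                       "parameters": {"keys": [srcip]}})

def handle(raw: str, manager_reply: str = '{"command":"continue"}') -> str:
    """Decide one message: 'block', 'unblock', 'skip' or 'abort'."""
    fields = parse_message(raw)
    if json.loads(manager_reply).get("command") != "continue":
        return "abort"   # manager says the key is stale or was removed
    if not should_block(fields["srcip"]):
        return "skip"    # internal/loopback source: never drop it
    return "block" if fields["command"] == "add" else "unblock"

if __name__ == "__main__":
    # Real invocation: line 1 on stdin is the alert message; after we write
    # check_keys to stdout, the next line is the manager's continue/abort reply.
    first = sys.stdin.readline()
    ip = parse_message(first)["srcip"]
    sys.stdout.write(check_keys_message(ip) + "\n")
    sys.stdout.flush()
    print(handle(first, sys.stdin.readline()), ip, file=sys.stderr)
```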

By leveraging the Wazuh threat detection and incident response capabilities, organizations can detect security incidents and respond swiftly and effectively. This action ensures continuous compliance with the NIS2 directive and protects critical infrastructure from emerging cyber threats.

File Integrity Monitoring

Maintaining the integrity of data and systems is a key requirement under the NIS2 directive, and the Wazuh File Integrity Monitoring (FIM) module helps organizations achieve this requirement. The Wazuh FIM module monitors files, directories, and Windows registries for changes, ensuring that any unauthorized or suspicious modifications are detected immediately. This capability is essential for sectors like healthcare and public administration where data integrity is paramount. Implementing file integrity monitoring also aids in meeting several of the NIS2 minimum security measures. 

The Wazuh FIM module operates by tracking and recording modifications, additions, and deletions performed on specified files and directories across various environments in on-premises systems and cloud-based workloads. These activities generate alerts with relevant information helping to prevent data breaches and unauthorized access to sensitive information. Here is how the Wazuh FIM module aligns with specific NIS2 minimum measures.

  • Evaluation of security measures effectiveness: The detailed audit trails provided by the Wazuh FIM module allow organizations to evaluate the effectiveness of their security controls. By monitoring changes to critical files and directories, organizations ensure that their security measures function as intended and make adjustments to protect their environment and maintain NIS2 compliance.
  • Security procedures for employees with access to sensitive data: The Wazuh FIM module ensures that any unauthorized access or changes to sensitive data are immediately flagged, providing organizations with the oversight needed to enforce strict access control policies. This is crucial for meeting NIS2 requirements for securing sensitive data.

You can configure the Wazuh FIM module by specifying the paths and files to be monitored in the Wazuh agent configuration file. Below is an example of a FIM configuration that monitors changes on the /root and /var/www/html/ directories while ignoring changes within the /var/www/html/tmp directory:

<syscheck>
  <directories check_all="yes" report_changes="yes" realtime="yes">/root</directories>
  <directories check_all="yes" realtime="yes">/var/www/html</directories>
  <ignore>/var/www/html/tmp</ignore>
</syscheck>

Where:

  • <syscheck> is the root element for the File Integrity Monitoring configuration. It contains all the settings related to FIM.
  • The <directories> tag specifies directories to be monitored. Attributes within this tag define how the monitoring should be performed. For example, <directories check_all="yes" report_changes="yes" realtime="yes">/root</directories>.
  • check_all="yes" checks all files within the monitored directory for any changes.
  • report_changes="yes" reports detailed changes in the monitored files, providing a before-and-after comparison when a modification is detected.
  • realtime="yes" monitors the directory in real time, ensuring that changes are detected and logged as they occur.
  • The <ignore> tag specifies files or directories that should be excluded from monitoring. This is useful for directories that change frequently and do not contain critical security data. <ignore>/var/www/html/tmp</ignore> excludes the /var/www/html/tmp directory from being monitored, typically because it contains temporary files whose changes would generate many redundant alerts.

Alerts generated by the Wazuh FIM module are displayed on the Wazuh dashboard, providing real-time insight into any unauthorized or suspicious changes. This allows security teams to take immediate action to secure their systems.

[Image: FIM module]

Security Configuration Assessment

NIS2 mandates that entities implement baseline security measures to protect against potential cyber threats. These measures include conducting risk assessments and establishing security policies. Wazuh supports organizations in meeting these requirements through its Security Configuration Assessment (SCA) module, which helps maintain secure system configurations in line with NIS2 guidelines.

The Wazuh SCA module conducts audits of system configurations, ensuring that configurations adhere to industry standards and internal security policies. This helps organizations meet the following NIS2 minimum measures.

  • Risk assessments and security policies for information systems: The Wazuh SCA module allows organizations to assess the security posture of their information systems by comparing configurations against predefined policies, such as CIS benchmarks. This ensures that systems are properly secured and that risk assessments are continuously validated.
  • Evaluation of security measures effectiveness: Wazuh generates detailed reports on configuration compliance, allowing organizations to regularly evaluate the effectiveness of their security measures. By identifying misconfigurations, Wazuh enables entities to take corrective actions promptly, ensuring that systems are protected against emerging threats. This enables organizations to meet NIS2 requirements for handling vulnerabilities and reporting them on time.
  • Training and IT hygiene: By continuously auditing configurations, Wazuh helps enforce security policies and best practices related to computer hygiene. Organizations can use the insights from these audits to train employees and improve overall security awareness.

[Image: SCA Module]

The example SCA check below, taken from the cis_ubuntu20-04.yml policy, scans a monitored Ubuntu endpoint to verify whether a “deny all” policy was implemented on the endpoint’s firewall:

  - id: 19098
    title: "Ensure ip6tables default deny firewall policy."
    description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected. Note: - Changing firewall settings while connected over network can result in being locked out of the system - Remediation will only affect the ac"
    rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage."
    remediation: "IF IPv6 is enabled on your system: Run the following commands to implement a default DROP policy: # ip6tables -P INPUT DROP # ip6tables -P OUTPUT DROP # ip6tables -P FORWARD DROP."
    compliance:
      - cis: ["3.4.3.3.1"]
      - cis_csc_v8: ["4.4", "4.5"]
      - cis_csc_v7: ["9.4"]
      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
      - iso_27001-2013: ["A.13.1.1"]
      - mitre_mitigations: ["M1031", "M1037"]
      - mitre_tactics: ["TA0011"]
      - mitre_techniques: ["T1562", "T1562.004"]
      - nist_sp_800-53: ["SC-7(5)"]
      - pci_dss_v3.2.1: ["1.1.4", "1.3.1", "1.4"]
      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
      - soc_2: ["CC6.6"]
    condition: all
    rules:
      - "c:ip6tables -L -> r:^Chain INPUT && r:policy DROP"
      - "c:ip6tables -L -> r:^Chain FORWARD && r:policy DROP"
      - "c:ip6tables -L -> r:^Chain OUTPUT && r:policy DROP"

The image below shows the results of the SCA scan on the Wazuh dashboard, highlighting it as failed.

[Image: NIS2 SCA Scan]

Wazuh agents periodically scan the configuration of monitored endpoints and compare the current settings against the predefined rules within the SCA policies. This comparison helps identify deviations or non-compliant configurations that could introduce security risks. 
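To make the comparison concrete, the following is an added example (not Wazuh's SCA engine) that models how the ip6tables check above is evaluated: each "c:<command> -> r:<regex> && r:<regex>" rule scans the command output line by line and passes when one line satisfies every regex, and with condition: all the check passes only if every rule passes. It goes beyond the page's check by also handling the any/none conditions; the ip6tables -L outputs are constructed, and only command (c:) rules with r: terms are modelled.

```python
"""Simplified model of Wazuh SCA rule evaluation (added example, not the
Wazuh engine). Command output is supplied from a dict so it runs offline."""
import re

def parse_rule(rule: str):
    """Split 'c:ip6tables -L -> r:^Chain INPUT && r:policy DROP' into
    the command to run and the list of compiled regexes a line must match."""
    target, sep, terms = rule.partition(" -> ")
    if not sep or not target.startswith("c:"):
        raise ValueError("only command (c:) rules are modelled here")
    regexes = []
    for term in terms.split(" && "):
        if not term.startswith("r:"):
            raise ValueError(f"unsupported term: {term}")
        regexes.append(re.compile(term[2:]))
    return target[2:], regexes

def rule_passes(rule: str, outputs: dict) -> bool:
    """A rule passes if some single output line satisfies all its regexes."""
    cmd, regexes = parse_rule(rule)
    for line in outputs.get(cmd, "").splitlines():
        if all(rx.search(line) for rx in regexes):
            return True
    return False

def evaluate_check(check: dict, outputs: dict) -> str:
    """Combine rule results under the check's condition: all, any or none."""
    results = [rule_passes(r, outputs) for r in check["rules"]]
    cond = check.get("condition", "all")
    if cond == "all":
        ok = all(results)
    elif cond == "any":
        ok = any(results)
    elif cond == "none":
        ok = not any(results)
    else:
        raise ValueError(f"unknown condition: {cond}")
    return "passed" if ok else "failed"

# The rules of the check shown above (CIS Ubuntu 20.04 check 19098).
CHECK_19098 = {"id": 19098, "condition": "all", "rules": [
    "c:ip6tables -L -> r:^Chain INPUT && r:policy DROP",
    "c:ip6tables -L -> r:^Chain FORWARD && r:policy DROP",
    "c:ip6tables -L -> r:^Chain OUTPUT && r:policy DROP"]}

# Constructed 'ip6tables -L' outputs: default ACCEPT everywhere, DROP
# everywhere, and a half-remediated host that still accepts outbound.
ACCEPT_HOST = {"ip6tables -L": "Chain INPUT (policy ACCEPT)\ntarget prot opt"
               " source destination\n\nChain FORWARD (policy ACCEPT)\n\n"
               "Chain OUTPUT (policy ACCEPT)\n"}
DROP_HOST = {"ip6tables -L": "Chain INPUT (policy DROP)\n\nChain FORWARD "
             "(policy DROP)\n\nChain OUTPUT (policy DROP)\n"}
MIXED_HOST = {"ip6tables -L": "Chain INPUT (policy DROP)\n\nChain FORWARD "
              "(policy DROP)\n\nChain OUTPUT (policy ACCEPT)\n"}

if __name__ == "__main__":
    for name, host in [("accept", ACCEPT_HOST), ("drop", DROP_HOST),
                       ("mixed", MIXED_HOST)]:
        print(name, evaluate_check(CHECK_19098, host))
```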

The results of these assessments are reported back to the Wazuh server, where they are stored and reviewed via the Wazuh dashboard. Alerts are generated for passed, failed, and not-applicable checks, providing detailed information about the configuration deviation and guidance on remediation steps. This process ensures that organizations can quickly address any misconfigurations, maintaining the integrity and security of their systems in line with NIS2 requirements.

By implementing Wazuh SCA, organizations can manage their security configurations, ensuring continuous compliance with NIS2 standards and protecting critical infrastructure from emerging threats.

Vulnerability detection

The NIS2 directive emphasizes security across system procurement, development, and operations, making vulnerability detection important to ensure proper policies and reporting. Identifying and mitigating vulnerabilities across all critical systems is necessary to protect against emerging threats. Wazuh detects vulnerabilities by analyzing the software inventory on monitored endpoints.

[Image: NIS2 Vulnerability Detection]

Wazuh agents periodically collect a list of installed applications from each monitored endpoint and send this data to the Wazuh server, where it is stored in local SQLite databases. The Wazuh Vulnerability Detection module within the Wazuh server then correlates this software inventory with Common Vulnerabilities and Exposures (CVEs), which are aggregated and standardized in the Wazuh Cyber Threat Intelligence (CTI) platform. This process ensures that any vulnerable software is promptly identified.

The Wazuh CTI platform consolidates vulnerability data from diverse sources, such as operating system vendors and major vulnerability databases, and standardizes it into a common format. This ensures the accuracy and completeness of the vulnerability data used for detection.

Wazuh continuously updates its vulnerability information by querying the CTI API or an offline local repository. The Wazuh Vulnerability Detection module then scans the software inventory of the endpoints using the latest vulnerability data, identifying any packages that match the affected versions of known CVEs. The results of this detection process are stored in a per-agent vulnerability inventory, which tracks unresolved and resolved vulnerabilities and provides detailed alerts to users.

For Microsoft Windows systems, Wazuh includes an additional feature to detect and verify the application of security patches. The Wazuh Vulnerability Detection module checks for installed hotfixes and uses information from Microsoft to determine whether these patches resolve the identified vulnerabilities, removing them from the list if resolved.

The Wazuh Vulnerability Detection module is enabled by default. The following block shows a configuration example for the module; you can find the vulnerability detection settings in the Wazuh server configuration file:

<vulnerability-detection>
   <enabled>yes</enabled>
   <index-status>yes</index-status>
   <feed-update-interval>60m</feed-update-interval>
</vulnerability-detection>

<indexer>
   <enabled>yes</enabled>
   <hosts>
      <host>https://0.0.0.0:9200</host>
   </hosts>
   <ssl>
      <certificate_authorities>
         <ca>/etc/filebeat/certs/root-ca.pem</ca>
      </certificate_authorities>
      <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
      <key>/etc/filebeat/certs/filebeat-key.pem</key>
   </ssl>
</indexer>

Leveraging this Wazuh capability enables organizations to mitigate emerging threats, ensuring continuous compliance with NIS2 security requirements.

Incident reporting

Under NIS2 requirements, organizations are required to report significant cybersecurity incidents to relevant authorities within specific timeframes. Wazuh enables organizations to monitor and track security events across various environments including network devices, servers, applications, and cloud services. This allows the detection of suspicious activities and the generation of detailed reports for compliance purposes. 

Some features and capabilities of Wazuh that help with NIS2 reporting obligations include:

  • Customizable data visualization
  • Email notifications
  • Custom alerting systems

Customizable data visualization

Wazuh offers flexible data visualization on the Wazuh dashboard that allows users to create custom dashboards tailored to their specific security and business needs. This feature enables organizations and relevant authorities to quickly visualize datasets and identify trends or anomalies in their network, facilitating more effective monitoring and faster incident response.

[Image: NIS2 Customizable data visualization]

Email notifications 

Wazuh allows automated email alerts to be configured to notify security and other relevant teams of security events or breaches as they are detected. This real-time alerting mechanism ensures that teams can act swiftly to mitigate risks, which is crucial for meeting the NIS2 directive’s requirement for timely incident response. 

Below is an example of Wazuh configuration to send alerts to multiple email addresses, each one with unique criteria:

<ossec_config>
  <email_alerts>
    <email_to>tester1@test.com</email_to>
    <event_location>alpine38.localdomain</event_location>
  </email_alerts>

  <email_alerts>
    <email_to>securityteam@test.com</email_to>
    <rule_id>506</rule_id>
  </email_alerts>

  <email_alerts>
    <email_to>tester2@test.com</email_to>
    <level>12</level>
  </email_alerts>
</ossec_config>

This configuration sends:

  • An email to tester1@test.com if any alert is triggered on the host alpine38.localdomain.
  • An email to securityteam@test.com if the alerts match the rule with ID 506.
  • An email to tester2@test.com if the alerts have a level equal to or higher than 12.

Explore more Wazuh email alert configuration options to aid NIS2 reporting obligations.

Custom alerting systems

Wazuh integrates with other alerting platforms like Slack, PagerDuty, and more. These integrations enable organizations to set up customized alerting systems to enhance orchestration and automated response. These customizable alerting systems allow organizations to align with their specific security protocols and NIS2 reporting obligations. 

The image below shows alerts displayed on the PagerDuty dashboard from the integration with Wazuh.

[Image: PagerDuty dashboard]

Conclusion

Wazuh is instrumental in helping organizations meet the technical and organizational requirements of the NIS2 directive. By leveraging the Wazuh SIEM and XDR platform for threat detection, incident response, and risk management, entities across various sectors can enhance their cybersecurity posture and ensure compliance with NIS2.

Wazuh is a free open source solution that integrates with third-party technologies. To learn more and deploy Wazuh to start your NIS2 compliance journey, check our Wazuh documentation and join our community.
