White Paper: How Wazuh delivers enterprise-level security for free

1. Abstract

In today's rapidly evolving cybersecurity landscape, organizations face an ever-expanding array of threats that demand proactive security measures. To safeguard their digital assets, businesses must adopt security solutions that provide visibility, detection, and response capabilities across their entire infrastructure. Wazuh, an open source security platform, empowers organizations to strengthen their security posture by delivering real-time threat detection, log analysis, vulnerability assessment, file integrity monitoring, malware detection, and incident response. This white paper explores the capabilities and practical use cases of Wazuh, demonstrating how it is a free, scalable, and versatile solution for organizations of all sizes. Whether securing on-premises, cloud, or hybrid environments, Wazuh provides the capabilities required to stay ahead of emerging threats while maintaining compliance with industry standards.

2. Introduction

Modern enterprise networks span diverse environments, including traditional on-premises infrastructure, cloud-based systems, and Operational Technology (OT) environments. Each environment has unique protocols, tools, and vulnerabilities that require oversight to protect assets. Careful monitoring of assets helps to promptly detect threats and ensure compliance. To effectively manage and analyze security threats, security teams must establish a unified view of diverse security data.

Wazuh is a security platform that protects digital assets from security threats by unifying Security Information and Event Management (SIEM) and Extended Detection and Response (XDR) capabilities. Developed as an open source project, Wazuh continually evolves through contributions from a proactive team and a vibrant community of users. Wazuh gives organizations centralized visibility into their environments by collecting, parsing, and normalizing security events and log data. It offers a wide range of capabilities and use cases that cater to the diverse needs of modern organizations.

3. Architecture

The Wazuh platform comprises a multi-platform Wazuh agent and the Wazuh central components: the server, the indexer, and the dashboard.

3.1 Wazuh agent

The Wazuh agent is a lightweight, multi-platform program that is deployed on endpoints such as servers, workstations, and cloud instances. It supports operating systems like Linux, Windows, and macOS. The Wazuh agent collects log data from various sources, including operating system logs, application logs, and system calls, and forwards this information to the Wazuh server for analysis. This analysis extracts key information from the logs to identify potential security incidents, malicious activities, and vulnerabilities within the monitored environment. Additionally, it gathers system inventory data such as operating system information, installed software details, network interfaces, ports, and running processes to provide visibility into the configuration of the endpoint. The Wazuh agent also plays a role in executing automated incident response actions when necessary. Furthermore, it supports Security Configuration Assessment (SCA) scans to identify and address security misconfigurations.

3.2 Wazuh server

The Wazuh server collects and analyzes security data from monitored endpoints. It receives log data from the Wazuh agents, remote syslog sources, external APIs, and cloud platforms. The server ships with a large set of built-in decoders and rules that parse these diverse log sources and raise alerts when a rule matches, and users can add custom decoders, rules, and response actions on top of them. Filebeat forwards the alerts (and, if archiving is enabled, every analyzed event) to the Wazuh indexer for storage, indexing, and search. The Wazuh server can be deployed as a single node or as a multi-node cluster, depending on event volume and redundancy requirements.

3.3 Wazuh indexer

The Wazuh indexer stores, indexes, and manages the security data collected from monitored endpoints. When the Wazuh server analyzes events from Wazuh agents, it forwards the resulting alerts to the Wazuh indexer, which stores them as JSON documents grouped into indices (for example, a daily alerts index) for efficient organization and retrieval. Its near real-time search, with documents becoming searchable within about a second of being written, suits time-sensitive work such as security monitoring. The Wazuh dashboard queries this indexed data to visualize and manage it. The Wazuh indexer supports single-node or multi-node deployments, depending on data volume and redundancy needs.

3.4 Wazuh dashboard

The Wazuh dashboard is a web interface for visualizing and analyzing the security data stored in the Wazuh indexer. It connects to the indexer to retrieve and display indexed data, providing real-time monitoring, interactive visualizations, alerts, and reports, and to the Wazuh server API to manage agents and configuration. This allows users to investigate incidents, maintain compliance, and administer their Wazuh deployment.

4. Use cases

The Wazuh platform helps organizations and individuals safeguard their data assets through threat prevention, detection, and response. Below are some of the most common use cases of the Wazuh platform.

4.1. Configuration assessment

Configuration assessment evaluates system settings, configurations, and security policies to ensure they align with industry best practices, compliance standards, and organizational security requirements. This helps identify misconfigurations and vulnerabilities that pose security risks. The Wazuh Security Configuration Assessment (SCA) module enables organizations to maintain compliance by continuously scanning endpoints for misconfigurations and alerting administrators whenever non-compliance is detected. The security team leverages these alerts to remediate issues, ensure compliance, and strengthen security posture.

4.2. Malware detection

Malware detection involves identifying and mitigating malicious software (malware) on monitored endpoints. Wazuh monitors files, system and application logs, system calls, the Windows registry, and other security-related events for signs of malicious activity. It integrates with threat intelligence services to identify known malware signatures and uses anomaly detection to flag deviations from normal system behavior, such as hidden processes or ports. This approach helps organizations detect and mitigate malware proactively, improving their overall security posture.

4.3. File integrity monitoring

File integrity monitoring (FIM) tracks changes to files and directories, alerting when files are added, modified, or deleted. Wazuh continuously monitors files, directories, and the Windows registry, tracking changes to content, permissions, ownership, and attributes, and it can record which user and process made a change (who-data). It generates real-time alerts when unauthorized changes are detected on monitored endpoints, enabling security teams to investigate and respond quickly. By providing evidence of data integrity, Wazuh FIM supports compliance with standards such as HIPAA, PCI DSS, and NIST 800-53 and helps organizations protect critical assets.
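The core of FIM is a baseline of file hashes and attributes that a later scan is compared against. The following is an added example, not Wazuh's syscheck code: it snapshots a directory, tampers with it (a UID-0 account appended to a passwd file, a cron job dropped in, a file removed; all constructed in a temporary directory), and reports the three FIM event types. The attribute set (SHA-256, size, permissions) and the event format are this example's own simplifications.

```python
import hashlib
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root):
    """Snapshot: {relative path: attributes} for every regular file under root."""
    snapshot = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # symlinks are skipped; their targets are scanned in place
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snapshot[rel] = {
                "sha256": file_digest(full),
                "size": st.st_size,
                "perm": oct(st.st_mode & 0o777),
            }
    return snapshot


def compare(baseline, current):
    """Diff two snapshots into added / deleted / modified events."""
    events = []
    for path in sorted(current.keys() - baseline.keys()):
        events.append({"event": "added", "path": path, "new": current[path]})
    for path in sorted(baseline.keys() - current.keys()):
        events.append({"event": "deleted", "path": path, "old": baseline[path]})
    for path in sorted(baseline.keys() & current.keys()):
        old, new = baseline[path], current[path]
        # a permission change with identical content is still a modification
        if old["sha256"] != new["sha256"] or old["perm"] != new["perm"]:
            events.append({"event": "modified", "path": path, "old": old, "new": new})
    return events


def write(path, text):
    with open(path, "w") as f:
        f.write(text)


def demo():
    """Constructed scenario (not real system files): baseline a fake /etc, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(os.path.join(etc, "cron.d"))
        write(os.path.join(etc, "passwd"), "root:x:0:0:root:/root:/bin/bash\n")
        write(os.path.join(etc, "hosts"), "127.0.0.1 localhost\n")
        baseline = scan(root)

        # Simulated tampering: second UID-0 account, new cron job, file removed.
        write(os.path.join(etc, "passwd"),
              "root:x:0:0:root:/root:/bin/bash\nbackdoor:x:0:0::/root:/bin/bash\n")
        write(os.path.join(etc, "cron.d", "backdoor"), "* * * * * root /tmp/x\n")
        os.remove(os.path.join(etc, "hosts"))
        return compare(baseline, scan(root))


if __name__ == "__main__":
    for e in demo():
        print(e["event"], e["path"])
```

A real agent keeps the baseline in a local database and rescans on a schedule or on kernel notifications; the comparison logic is the same.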

4.4 Threat hunting

Threat hunting is a proactive practice that involves analyzing data sources like logs, network traffic, and endpoint data to identify and eliminate threats that may evade security monitoring tools. Wazuh empowers security teams to perform in-depth investigations using rules, decoders, and log analysis to detect malicious activities across various data sources. The decoders extract key information from raw logs, while rules define detection patterns for potential threats. Security analysts can query the Wazuh archives to investigate historical data and identify attack patterns over time. The platform also integrates with the MITRE ATT&CK framework, mapping detected events to known adversary tactics and techniques to facilitate threat hunting. Additionally, Wazuh supports the use of third-party integrations to enhance detection capabilities and correlate security events with other threat intelligence feeds and security tools.

4.5 Log data analysis

Wazuh collects and analyzes logs from various sources, including endpoints, applications, cloud services, and network devices. It normalizes and enriches log data to provide meaningful insights into security events. Wazuh uses predefined and custom rules and decoders that process logs in real-time to identify security incidents, anomalies, and potential threats. Wazuh indexes the alerts generated from these logs, allowing security teams to perform fast and effective queries for investigating security incidents. It offers an intuitive dashboard that allows security analysts to explore real-time log entries and perform complex searches that offer valuable insights.
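Sections 3.2, 4.4 and 4.5 all rest on the same two steps: a decoder extracts fields from a raw line, and rules match on those fields, with some rules chaining on others to count repeated matches. The following added example (not Wazuh's analysis engine, and not its ruleset) shows that pipeline over constructed sshd log lines: a regex decoder, a base rule, and a frequency rule that fires when one source IP fails five times within 120 seconds. The rule IDs are hypothetical custom IDs in the range Wazuh reserves for user rules, and the MITRE technique tag is illustrative.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Decoder: the regex plays the role of a Wazuh decoder's <regex>/<order>
# pair, pulling named fields out of an sshd authentication failure.
SSHD_FAILED = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<srcip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def decode(line, year=2024):
    """Return decoded fields for a matching line, or None if no decoder matches."""
    m = SSHD_FAILED.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "decoder": "sshd",
        "timestamp": ts.replace(tzinfo=timezone.utc),
        "hostname": m["host"],
        "dstuser": m["user"],
        "srcip": m["srcip"],
        "full_log": line,
    }


# Rules (hypothetical IDs). The second chains on the first via if_matched_sid
# and fires only after `frequency` matches with the same srcip inside
# `timeframe` seconds, like a Wazuh frequency rule.
RULES = [
    {"id": 100100, "level": 5, "decoder": "sshd",
     "description": "sshd: authentication failed.", "mitre": ["T1110"]},
    {"id": 100101, "level": 10, "if_matched_sid": 100100, "frequency": 5,
     "timeframe": 120, "same_field": "srcip",
     "description": "sshd: multiple authentication failures from one source.",
     "mitre": ["T1110"]},
]


def make_alert(rule, ev):
    return {
        "rule_id": rule["id"], "level": rule["level"],
        "description": rule["description"], "mitre": rule["mitre"],
        "timestamp": ev["timestamp"].isoformat(),
        "srcip": ev["srcip"], "dstuser": ev["dstuser"], "full_log": ev["full_log"],
    }


def analyze(lines):
    """Run decoders and rules over raw log lines and return the alerts raised."""
    alerts = []
    windows = defaultdict(deque)  # (rule id, field value) -> recent match timestamps
    base_rules = [r for r in RULES if "decoder" in r]
    chained = [r for r in RULES if "if_matched_sid" in r]
    for line in lines:
        ev = decode(line)
        if ev is None:
            continue  # no decoder matched: nothing for the rules to evaluate
        for rule in base_rules:
            if rule["decoder"] != ev["decoder"]:
                continue
            alerts.append(make_alert(rule, ev))
            for frule in chained:
                if frule["if_matched_sid"] != rule["id"]:
                    continue
                window = windows[(frule["id"], ev[frule["same_field"]])]
                window.append(ev["timestamp"])
                cutoff = ev["timestamp"] - timedelta(seconds=frule["timeframe"])
                while window and window[0] < cutoff:
                    window.popleft()  # drop matches older than the timeframe
                if len(window) >= frule["frequency"]:
                    alerts.append(make_alert(frule, ev))
                    window.clear()  # start a fresh window after firing
    return alerts


# Constructed sample logs (not real traffic): five failures from one source
# inside two minutes, one stray failure from another, one accepted login that
# no decoder here handles, and a late failure after the window has reset.
SAMPLE_LOGS = [
    "Mar 12 10:00:01 web01 sshd[2311]: Failed password for root from 203.0.113.5 port 51022 ssh2",
    "Mar 12 10:00:09 web01 sshd[2313]: Failed password for invalid user admin from 203.0.113.5 port 51030 ssh2",
    "Mar 12 10:00:17 web01 sshd[2315]: Failed password for root from 203.0.113.5 port 51041 ssh2",
    "Mar 12 10:00:20 web01 sshd[2319]: Failed password for deploy from 198.51.100.7 port 40122 ssh2",
    "Mar 12 10:00:26 web01 sshd[2320]: Failed password for invalid user oracle from 203.0.113.5 port 51055 ssh2",
    "Mar 12 10:00:33 web01 sshd[2322]: Accepted publickey for deploy from 198.51.100.7 port 40130 ssh2",
    "Mar 12 10:00:40 web01 sshd[2324]: Failed password for root from 203.0.113.5 port 51063 ssh2",
    "Mar 12 10:09:00 web01 sshd[2390]: Failed password for root from 203.0.113.5 port 51200 ssh2",
]


def demo():
    return analyze(SAMPLE_LOGS)


if __name__ == "__main__":
    for a in demo():
        print(a["level"], a["rule_id"], a["srcip"], a["description"])
```

The level-5 alerts are the raw material for threat hunting in the archives; the level-10 alert is what an analyst or an automated response would act on.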

4.6. Vulnerability detection

Wazuh agents gather an inventory of installed software from monitored endpoints and periodically send it to the Wazuh server. The Wazuh Vulnerability Detection module correlates this software inventory with vulnerability data from the Wazuh Cyber Threat Intelligence (CTI) platform to identify vulnerable packages. The Wazuh CTI platform aggregates vulnerability data from diverse sources, including OS vendors and vulnerability databases, and standardizes it into the CVE JSON 5 format, producing a unified and reliable repository. The result is visibility into your infrastructure's vulnerabilities, with actionable findings, remediation tracking, and reports.
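The correlation step is a join between the inventory and the affected-version ranges in each CVE record. The following added example (not Wazuh's vulnerability detector) applies CVE JSON 5 `affected[].versions[]` entries to a constructed inventory. The two CVE records use dummy identifiers and dummy products and are not real vulnerabilities; version comparison is a deliberate simplification (numeric components only, so `1.4` and `1.4.0` differ), whereas a real detector uses the package manager's ordering rules.

```python
import re

# Constructed CVE JSON 5-shaped records with dummy IDs (not real CVEs),
# reduced to the fields this matcher reads: cveMetadata.cveId and
# containers.cna.affected[].versions[].
CVE_RECORDS = [
    {"cveMetadata": {"cveId": "CVE-0001-0001"},
     "containers": {"cna": {"affected": [
         {"vendor": "example", "product": "libexample",
          "versions": [{"version": "1.0.0", "status": "affected",
                        "lessThan": "1.4.2", "versionType": "semver"}]}]}}},
    {"cveMetadata": {"cveId": "CVE-0001-0002"},
     "containers": {"cna": {"affected": [
         {"vendor": "example", "product": "exampled",
          "versions": [{"version": "2.3.0", "status": "affected"},
                       {"version": "2.3.1", "status": "unaffected"}]}]}}},
]

# Constructed inventory as a syscollector-style package list per agent.
INVENTORY = [
    {"agent": "web01", "packages": [
        {"name": "libexample", "version": "1.4.1"},
        {"name": "exampled", "version": "2.3.0"},
        {"name": "bash", "version": "5.2.15"}]},
    {"agent": "db01", "packages": [
        {"name": "libexample", "version": "1.4.2"},
        {"name": "exampled", "version": "2.3.1"}]},
    {"agent": "legacy01", "packages": [
        {"name": "libexample", "version": "0.9.8"}]},
]


def version_key(v):
    """Simplified ordering: compare the numeric components of a version string."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_affected(installed, entry):
    """Apply one CVE 5 'versions' entry to an installed version string."""
    if entry.get("status") != "affected":
        return False
    v = version_key(installed)
    start = version_key(entry["version"])
    if "lessThan" in entry:
        return start <= v < version_key(entry["lessThan"])
    if "lessThanOrEqual" in entry:
        return start <= v <= version_key(entry["lessThanOrEqual"])
    return v == start  # no range given: the entry names exactly one version


def correlate(inventory, records):
    """Return sorted (agent, package, version, cveId) tuples for vulnerable packages."""
    by_product = {}  # index records by product once instead of rescanning per package
    for rec in records:
        for aff in rec["containers"]["cna"]["affected"]:
            by_product.setdefault(aff["product"].lower(), []).append(
                (rec["cveMetadata"]["cveId"], aff))
    findings = []
    for host in inventory:
        for pkg in host["packages"]:
            for cve_id, aff in by_product.get(pkg["name"].lower(), []):
                if any(is_affected(pkg["version"], e) for e in aff["versions"]):
                    findings.append((host["agent"], pkg["name"], pkg["version"], cve_id))
    return sorted(findings)


def demo():
    return correlate(INVENTORY, CVE_RECORDS)


if __name__ == "__main__":
    for agent, name, version, cve in demo():
        print(f"{agent}: {name} {version} affected by {cve}")
```

Note the two non-findings that matter in practice: `db01` runs the fixed versions, and `legacy01` runs a version below the start of the affected range, which a naive "less than the fix" check would wrongly flag.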

4.7. Incident response

Incident response refers to the strategies and procedures that organizations implement to respond to threats identified within their infrastructure. The primary goal is to reduce the impact of cyberattacks on critical assets and business operations. Wazuh enables security teams to detect, analyze, and respond to security incidents. Users can configure Wazuh to automatically initiate appropriate actions in response to detected security incidents. These actions may include deleting malicious files, blocking suspicious network connections, isolating compromised endpoints, or disabling compromised user accounts. By automating these incident response actions, organizations can significantly reduce their Mean Time to Respond (MTTR), thereby minimizing the potential damage caused by security breaches.
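An automated response is only safe if it validates the alert data it acts on, because that data came from a log line an attacker wrote. The following added example (not one of Wazuh's bundled active response scripts) shows the decision half of a firewall-block response: it reads a message of the shape the Wazuh server passes to active response scripts on stdin (`command` of `add` or `delete`, the triggering alert under `parameters.alert`; treat the exact field names as an assumption modelled on Wazuh 4.x), enforces a minimum rule level and an allowlist, and builds an argv list rather than a shell string so a crafted `srcip` cannot inject commands. The sample message is constructed.

```python
import ipaddress
import json
import sys

# Constructed execd-style message (assumed shape, see lead-in).
SAMPLE_MESSAGE = {
    "version": 1,
    "origin": {"name": "node01", "module": "wazuh-execd"},
    "command": "add",
    "parameters": {
        "extra_args": [],
        "alert": {
            "rule": {"id": "100101", "level": 10,
                     "description": "sshd: multiple authentication failures from one source."},
            "agent": {"id": "001", "name": "web01"},
            "data": {"srcip": "203.0.113.5", "dstuser": "root"},
        },
        "program": "/var/ossec/active-response/bin/firewall-drop",
    },
}

# Never block management networks, documentation ranges used by tests, or loopback.
ALLOWLIST = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24", "127.0.0.0/8")]
MIN_LEVEL = 10


def plan_response(message, allowlist=ALLOWLIST, min_level=MIN_LEVEL):
    """Decide what, if anything, to run for one message.

    Returns (argv, reason): argv is the firewall command as a list, or None
    when no action should be taken. The source IP is parsed with ipaddress,
    so anything that is not an address (including shell metacharacters) is
    rejected before it can reach a command line."""
    command = message.get("command")
    if command not in ("add", "delete"):
        return None, f"unsupported command {command!r}"
    alert = message.get("parameters", {}).get("alert", {})
    level = int(alert.get("rule", {}).get("level", 0))
    if command == "add" and level < min_level:
        return None, f"rule level {level} below threshold {min_level}"
    raw = alert.get("data", {}).get("srcip")
    try:
        ip = ipaddress.ip_address(raw)
    except (TypeError, ValueError):
        return None, f"srcip {raw!r} is not a valid IP address"
    if any(ip in net for net in allowlist):
        return None, f"{ip} is allowlisted"
    tool = "iptables" if ip.version == 4 else "ip6tables"
    flag = "-I" if command == "add" else "-D"  # delete reverses the earlier insert
    return [tool, flag, "INPUT", "-s", str(ip), "-j", "DROP"], "ok"


if __name__ == "__main__":
    # Run with --stdin to read a real message; otherwise use the sample.
    # To enforce, replace print with subprocess.run(argv, check=True).
    msg = json.load(sys.stdin) if "--stdin" in sys.argv[1:] else SAMPLE_MESSAGE
    argv, reason = plan_response(msg)
    print(argv if argv else f"no action: {reason}")
```

Pairing every `add` with a later `delete` (a timeout) is what keeps an attacker from using a spoofable log source to lock legitimate addresses out permanently.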

4.8. Regulatory compliance

Wazuh provides various security capabilities that streamline compliance activities: log collection and analysis, file integrity monitoring, configuration assessment, vulnerability detection, intrusion detection, real-time alerting, and active response. The default Wazuh ruleset maps alerts to the PCI DSS, HIPAA, GDPR, NIST 800-53, and Trust Services Criteria (TSC) frameworks. Organizations can also add their own rules and policies to simplify compliance implementation and reduce the risk of security incidents. Additionally, Wazuh can generate compliance reports that help organizations assess their adherence to these standards. These reports can be customized to include specific data elements, fields, or criteria, giving tailored compliance visibility.

4.9. IT hygiene

Wazuh assists with IT hygiene by using the Syscollector module to collect inventory data from monitored endpoints. Security teams can use this information to detect potentially unwanted applications (PUA), suspicious processes and services, and other malicious artifacts. The Wazuh SCA module helps with IT hygiene by minimizing the attack surface through scanning and detecting security misconfigurations on monitored endpoints. Furthermore, Wazuh offers other capabilities like vulnerability and threat detection that contribute to the overall hygiene of the IT infrastructure.

4.10. Container security

Container security is the practice of protecting containerized applications and their underlying infrastructure from security threats. Wazuh integrates with container runtimes such as Docker and orchestration platforms such as Kubernetes to monitor runtime events, application logs, and the overall health of containers. Its detection relies on predefined and custom rules to identify irregularities or security threats within the container environment, enabling prompt identification of vulnerabilities and security incidents in container deployments.

4.11. Cloud workload protection

Cloud workload protection involves continuous assessment and protection of cloud-based resources from security threats. Wazuh enhances cloud security across AWS, Azure, and GCP by analyzing logs, detecting threats, and ensuring compliance with security best practices and regulations. It assesses configurations, access controls, and cloud activity in real-time to help organizations maintain the integrity and security of their cloud infrastructure. By providing unified visibility and enforcing security policies consistently across on-premises and cloud environments, Wazuh strengthens overall cloud security.

5. Features

5.1. Open source and community-driven

The Wazuh open source model promotes transparency and collaboration. It benefits from a vibrant community of users and contributors, resulting in regular updates, bug fixes, and new features. This model eliminates licensing costs and reduces supply chain risk by letting anyone inspect the source code for vulnerabilities or tampering.

5.2. Scalability

Wazuh is highly scalable and adaptable to various environments, making it suitable for small-scale deployments and large, complex infrastructures. It achieves this scalability through clustering, which distributes log processing demands across multiple nodes of the Wazuh server and Wazuh indexer. This ensures efficient performance in environments with a large number of monitored endpoints and allows organizations to tailor Wazuh to their specific needs.

5.3. Third-party Integrations

Wazuh supports integrations with several security tools and platforms, strengthening detection of and response to security threats. It can integrate with popular SIEM solutions, log management systems, and threat intelligence feeds. Furthermore, its extensible architecture allows organizations to develop custom modules and rules to suit their specific requirements.

5.4. Unified security protection

Wazuh is a cross-platform security solution that provides capabilities like security monitoring, malware detection, incident response, and compliance management across diverse environments. It supports a wide range of operating systems, containerized environments, and cloud platforms like AWS, Azure, and Google Cloud. This enables organizations to protect their infrastructure across on-premises, cloud, and hybrid environments.

5.5. Licensing

Wazuh is distributed under the GNU General Public License v2 (GPLv2), making it free to use, modify, and distribute. This licensing model eliminates licensing costs and allows organizations to customize the solution to their needs.

6. Conclusion

Wazuh is a free, open source SIEM and XDR platform that helps organizations strengthen security. Its flexibility, scalability, and cost-effectiveness make it suitable for businesses of all sizes and industries. Organizations using Wazuh can improve security, detect and respond to threats in real-time, and maintain regulatory compliance.