
By Iyiola Oliyide
Jan 21, 2024

WAZUH home-lab Deployment

Wazuh SIEM & XDR

The average cost of an in-house Security Information and Event Management (SIEM) solution is upwards of $1 million. Wazuh is free.

With my goal to gain experience reviewing event logs and enforcing security compliance standards, I have set up a full-fledged SIEM solution using Wazuh XDR & SIEM.

Wazuh offers robust security monitoring and protection for your IT assets using its Security Information and Event Management (SIEM) and Extended Detection and Response (XDR) capabilities. The use cases include File Integrity Monitoring (FIM), which ensures the integrity of your critical files, and Security Configuration Assessment (SCA), which verifies that all systems conform to a set of predefined rules regarding configuration settings and approved application usage. I had the opportunity to experience and simulate implementation at a Small Office/Home Office (SOHO) company level.

I was fortunate to get a used HP EliteDesk 800 G1 USDT for this project. To begin, I loaded the Ubuntu 22.04.3 LTS OS on the computer, completed the setup, and proceeded to install the Wazuh package. The package comprises the Wazuh indexer, the Wazuh server, and the dashboard. Each component serves to provide a comprehensive solution for a SIEM system.

After installing Wazuh on the server PC, I had to type the IP of the machine into a browser, which then presented the dashboard of my SIEM. A username and password are generated after the install. These are used to access the dashboard the first time and can be changed afterwards.

The next steps included installing the agents on my endpoints, which was a simple process after filling in the ‘Deploy new agent’ form on the dashboard.

Time spent exploring the tool revealed some interesting features, such as its ability to detect if your agents are in compliance with industry standards and frameworks. Examples include PCI DSS for companies that handle payments using credit & debit cards, HIPAA for companies in the healthcare industry, NIST 800-53 for heightening security of information systems at any organization, and many others.

Another feature is the Security Configuration Assessment (SCA), which compared my configurations to the Center for Internet Security (CIS) benchmarks. In addition to detecting areas where changes can be made to improve security, it also offers steps for remediation.

My favorite tool had to be the File Integrity Monitor (FIM), which detected modifications to files, folders, and registry keys in a specified location in real-time! 
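To show what reviewing those FIM events can look like outside the dashboard, here is an added example (not from the original post and not Wazuh's own code) that triages file integrity alerts from JSON-lines alert output. The field names (`rule.groups`, `agent.name`, `syscheck.path`, `syscheck.event`, `syscheck.changed_attributes`) are modeled on Wazuh's `alerts.json` format and should be checked against your own alerts; the sample lines, agent names and watched paths are constructed.

```python
import json
from collections import defaultdict

HASH_ATTRS = {"md5", "sha1", "sha256"}

# Constructed sample, one JSON alert per line, modeled on the alerts.json
# layout (rule.groups, agent.name, syscheck.*). All values are invented.
SAMPLE_ALERTS = [
    '{"timestamp":"2024-01-21T10:01:05.000+0000","agent":{"name":"ubuntu-desktop"},"rule":{"groups":["ossec","syscheck"]},"syscheck":{"path":"/etc/passwd","event":"modified","mode":"realtime","changed_attributes":["size","mtime","sha256"]}}',
    '{"timestamp":"2024-01-21T10:03:40.000+0000","agent":{"name":"ubuntu-desktop"},"rule":{"groups":["ossec","syscheck"]},"syscheck":{"path":"/etc/ssh/sshd_config","event":"modified","mode":"realtime","changed_attributes":["permission"]}}',
    '{"timestamp":"2024-01-21T10:04:12.000+0000","agent":{"name":"ubuntu-desktop"},"rule":{"groups":["syslog","sshd","authentication_failed"]}}',
    '{"timestamp":"2024-01-21T10:06:58.000+0000","agent":{"name":"laptop-02"},"rule":{"groups":["ossec","syscheck"]},"syscheck":{"path":"/home/lab/finance/q4.csv","event":"deleted","mode":"realtime"}}',
    '{"timestamp":"2024-01-21T10:07:30.000+0000","agent":{"name":"laptop-02"},"rule":{"groups":["ossec","syscheck"]},"syscheck":{"path":"/tmp/cache.tmp","event":"added","mode":"scheduled"}}',
    '{"timestamp":"2024-01-21T10:09',
]

def fim_changes(lines, watched=("/etc/", "/home/lab/finance/")):
    """Group FIM alerts under the watched path prefixes by agent name."""
    by_agent = defaultdict(list)
    for line in lines:
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a truncated or half-written line
        if "syscheck" not in alert.get("rule", {}).get("groups", []):
            continue  # not a file integrity alert
        sc = alert.get("syscheck", {})
        path = sc.get("path", "")
        if not path.startswith(tuple(watched)):
            continue  # outside the locations we care about
        attrs = set(sc.get("changed_attributes", []))
        by_agent[alert.get("agent", {}).get("name", "unknown")].append({
            "time": alert.get("timestamp"),
            "event": sc.get("event"),
            "path": path,
            # Added/deleted files, or a changed hash, mean the content changed;
            # anything else is a metadata-only change (owner, mode, mtime).
            "content_changed": sc.get("event") != "modified" or bool(attrs & HASH_ATTRS),
        })
    return dict(by_agent)

if __name__ == "__main__":
    for agent, changes in fim_changes(SAMPLE_ALERTS).items():
        for c in changes:
            kind = "content" if c["content_changed"] else "metadata"
            print(f'{agent}: {c["event"]} {c["path"]} ({kind})')
```

Separating content changes from metadata-only changes helps prioritise review: a new hash on `/etc/passwd` deserves a closer look than a permission change that can be compared against the expected mode.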

There’s even the ability to set group policies that are enforceable on endpoints in that group.

Some of the other capabilities I noticed were:

  • Malware Detection
  • Rootkit behavior detection
  • Active response scripts
  • Log collection
  • Vulnerability detection
  • Command monitoring

Year: 2024

Project: Wazuh SIEM & XDR

Skills: Threat detection and mitigation

Conclusion

In conclusion, my goal in setting up a robust Security Information and Event Management (SIEM) system using Wazuh XDR & SIEM was both cost-effective and insightful. Exploring Wazuh gave me a feel for how powerful and instrumental a SIEM and XDR tool is in an organization. Simulating it in my home network offered me hands-on experience ensuring compliance with industry standards and frameworks.

The File Integrity Monitor, with its real-time detection of modifications, emerged as a standout feature, complementing an array of capabilities including malware detection, rootkit behavior detection, active response scripts, log collection, vulnerability detection, and command monitoring. The user-friendly interface, coupled with the cost efficiency and diverse functionalities, positions Wazuh as a valuable asset in the realm of cybersecurity.