As cyber-attacks keep increasing every year, it has become important to be proactive in protecting your organization’s information systems. This is why using File Integrity Monitoring (FIM) software such as Wazuh can be incredibly beneficial to your business as it allows you to overcome potential security problems.
Table of Contents
- What is File Integrity Monitoring?
- What are the benefits of using File Integrity Monitoring software?
- What is Wazuh?
- Wazuh and File Integrity Monitoring
- How to deploy Wazuh
- What is Wazuh Cloud?
- How to connect your nodes to Wazuh with an agent
What is File Integrity Monitoring (FIM)?
Also known as change monitoring, FIM provides a way to monitor and detect changes in files that may lead hackers to prepare a cyberattack. With File Integrity Monitoring software, you can get answers to the following questions:
- When did the change occur?
- How did it change?
- Who changed it? Was it an unauthorized change?
- What can be done to restore the original files?
What are the Benefits of using File Integrity Monitoring Software?
- Secure IT Infrastructure: Any File Integrity Monitoring tool will alert you for unauthorized changes to your servers, applications, databases, or cloud environment.
- Rootkit and Malware Detection: with FIM in place, you can detect malicious activities done to your infrastructure.
- Remain Compliant: Some companies may need to follow compliance standards depending on the industry of the business. (PCI-DSS, HIPAA, etc.)
What is Wazuh?
Wazuh is an open-source, and enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response, and compliance.
Wazuh and File Integrity Monitoring
For many businesses, File Integrity Monitoring is hard to implement as it usually means deploying a noisy monitoring solution that will alert the user for any changes with no context about these changes. But in late 2015, the team behind Wazuh decided to fork the OSSEC project due to the lack of development done to build a more reliable and comprehensive File Integrity Monitoring tool.
Today with over 200 GitHub contributors, Wazuh has not only evolved rapidly but also constantly brings improvements to the solution. Furthermore, Wazuh came out with a migration plan for the people that were using OSSEC and the good news is that you can find more about the extra features you will gain using Wazuh compared to OSSEC here:
How to Deploy Wazuh
The simplest way to deploy this File Integrity Monitoring software is through using their All-in-one deployment method where Wazuh’s server and Elastic Stack will reside on the same host.
If you plan to segment the deployment, you can follow the Distributed method where each component will be installed on a separate host which will provide high availability and scalability in the deployment.
Even better, and this is probably the best way to deploy Wazuh, there are three docker containers available with a docker-compose file that makes the deployment process a breeze:
However, if you have a Kubernetes cluster, you might be interested in this deployment method instead.
As you can see, Wazuh has it all covered with its different deployment methods that will fit within your infrastructure.
What is Wazuh Cloud?
The deployment methods mentioned above are freely available but Wazuh also offers Wazuh Cloud which is their SaaS solution.
If you don’t want to maintain the infrastructure that manages Wazuh, have a professional support plan, OR a team of engineers to check your environment continuously, this is probably the best solution for you.
Wazuh Cloud pricing starts at $500/month. Check out this link below for more pricing information: https://wazuh.com/cloud/#pricing
How to Connect your Nodes to Wazuh with an Agent
For this blog post, we opted for the docker-compose instructions. Whenever the containers are up and running, the Wazuh dashboard becomes accessible at the following URL:
Default credentials: admin/admin
Once you’re logged in, you’ll reach a blank dashboard. This is normal as all data events are collected by the Wazuh agent that pushes it to the Wazuh manager. You will need to deploy an agent on each of the nodes that you want to monitor. In this case, a ‘deploy a new agent’ icon will be available on your dashboard where instructions for a Linux, Windows, or MacOS X node are provided:
The next step is to register the agent to a Wazuh server which can be done in different ways. the documentation for that is available here:
Your dashboard will look like this:
Security Events and Integrity Monitoring
With how sophisticated cyber threats and attacks are, this security events and integrity monitoring dashboard will help you to visually detect any misbehavior and anomalies that could interrupt your nodes.
Essentially, Wazuh scans the entire file system to look for unusual files, permissions, hidden directories, and process IDs (PID) for any discrepancies with different system calls. (getsid, getpgid)
You can also set up the agent to monitor some specific paths/files like a traditional file integrity monitoring solution, read more about it here:
Any findings you might encounter can be exported as a report in .pdf format.
When an event is logged, every 5mn all events are verified with CVE (Common Vulnerabilities and Exposure) databases for any well-known vulnerabilities.
A list of CVE databases that Wazuh pulls from include:
This dashboard helps find any weak spots in your assets so that you can take action before trackers exploit them. Note that by default, a Wazuh agent can block network connections, stop a running process, delete a malicious file, or even block a Python/Bash/PowerShell script depending on certain conditions.
Security Configuration Assessment
Security configuration assessment (SCA) can assess whether you need that particular package, disable unnecessary services, audit the TCP/IP stack configuration, and much more.
SCA runs a scan on your nodes to discover any exposures or misconfiguration that could leave your hosts vulnerable to potential attacks. This is a great feature that will help you to follow recommendations to apply to your infrastructure.
For our clients that need to be HIPAA compliant, this is a great feature that helps us to identify any flaws since all events automatically include compliance information. Other standards that are supported include:
- Payment Card Industry Data Security Standard (PCI DSS)
- General Data Protection Regulation (GDPR)
- NIST Special Publication 800-53 (NIST 800-53)
- Good Practice Guide 13 (GPG13)
- Trust Services Criteria (TSC SOC2)
Here’s an example of one of the recommendations you might find:
All agents collect hardware and software information from your servers. This can help you to have a better understanding of packages installed or even network ports that you might have left open:
Container Security Monitoring
You can integrate Wazuh with your Docker host or Kubernetes cluster thanks to its native integration with the Docker engine. Primarily, you can deploy a Wazuh agent to a Kubernetes DaemonSet so the agent gets installed on all your Kubernetes nodes.
Some of the alerts that you can receive when Wazuh is deployed include:
- A Docker image is downloaded or updated
- A container is running in privileged mode
- A new container or Pod is created
- A user runs a command or a shell inside a container
- Vulnerabilities are detected on the Docker host
Monitoring your Cloud Provider
Integration with AWS, Azure, and GCP means Wazuh can work at an API level to record configuration changes such as a new IAM user, security group, or when an EC2 instance has stopped, etc. To learn more about this module, click here.
If you have to manage an on-prem or hybrid infrastructure, Wazuh will definitely help you to stay ahead of any security breaches and identify errors that could leave you exposed to potential attacks. The team behind Wazuh has done a great job at keeping OSSEC up to date with many new features that are valuable to any business looking for a File Integrity Monitoring tool.
You may also be interested in:
More cost-effective than hiring in-house, with Nearshore Boost, our nearshore software development service, you can ensure your business stays competitive with an expanded team and a bigger global presence, you can be flexible as you respond to your customers’ needs.
Learn more about our services by booking a free consultation with us today!