How Wazuh is a Vendor Agnostic XDR

Varul Arora
9 min read · Sep 7, 2022

Every business today, whether big or small, has compliance requirements. One of these is a proper cybersecurity infrastructure: a set of tools that monitor for threats and ensure that company data and environments are adequately protected. At the core of such an infrastructure sits a central data repository that collects events from these tools and allows them to be correlated. Such solutions are known as Security Information and Event Management, or SIEM for short. Extending the capabilities of SIEMs, XDR (Extended Detection and Response) improves on them by adding coordinated, real-time response to threats across multiple endpoints. This gives an organization an infrastructure that can identify, alert on, and neutralize threats across the whole network in real time.

Well-established organizations typically use commercial XDR solutions such as those from Cisco, Splunk, or Palo Alto Networks (Cortex XDR). However, such commercial solutions are costly and require a significant budget allocation, which is not suitable for small businesses. Wazuh, a free and open-source security platform, has recently evolved into a much more comprehensive XDR solution. In this article, we'll take a brief look at what Wazuh is, and how it takes a vendor-agnostic approach to being an XDR platform.

What is XDR?

XDR (Extended Detection and Response), as defined by Forrester Research, is "The evolution of EDR, which optimizes threat detection, investigation, response, and hunting in real-time. XDR unifies security-relevant endpoint detections with telemetry from security and business tools such as network analysis and visibility (NAV), email security, identity, and access management, cloud security, and more. It is a cloud-native platform built on big data infrastructure to provide security teams with flexibility, scalability, and opportunities for automation."

XDR is a consolidation of tools that evolves traditional endpoint detection and response (EDR) or network traffic analysis (NTA) into a more sophisticated solution, offering extended real-time visibility, analysis, and response beyond the endpoint to multiple security control points (including email, networks, servers, and cloud). By correlating data collected across these domains, it detects threats and takes action much faster than any single tool can.

Why do enterprises need XDR security?

As the data held by organizations expands and spans more endpoints, effective endpoint protection is a must. While traditional point solutions such as EDR combined with security information and event management (SIEM) are still relevant, they typically generate a high volume of alerts, take longer to investigate and respond to events, and require more maintenance and management. In contrast, XDR offers several benefits:

Advanced Prevention Measures — Continuous threat monitoring combined with automated response shortens the window between detection and containment to near real time. Adding threat intelligence feeds and adaptive machine learning models helps ensure that the organization is protected against a wider variety of attacks.

Granular visibility — XDR collects and provides visibility into activity across every security tool, including detections, telemetry, metadata, and NetFlow. Robust analysis of this data allows an organization to reconstruct an attack path and strengthen its defences accordingly.

Improved Productivity — Since XDR is a unified and complete security platform (instead of multiple EDRs and SIEM combinations) it greatly improves the productivity of the security team by being much easier to maintain and implement and getting rid of possible conflicts that might arise when running various tools.

What is Wazuh?

While there are some exceptional options to choose from when deciding which XDR product to go with, most are simply out of reach for some enterprises. Thanks to the open source community, however, there is a completely free and open source XDR solution: Wazuh. Wazuh was founded by a team of five people in 2015 as a fork of the OSSEC project, which at the time had come to a halt. It is led by Santiago Bassett, and within less than a year the team had offered their approach to several companies, among them a Fortune 10 IT firm. It is now used by thousands of organizations worldwide, from small businesses to large enterprises.

Wazuh is a unified XDR and SIEM platform rather than a pure XDR solution, which further extends its capabilities. It helps organizations and individuals protect their data assets against security threats by monitoring workloads across on-premises, virtualized, containerized, and cloud-based environments.

Figure 1: Wazuh components and data flow

XDR capabilities of Wazuh

Wazuh offers the core XDR capabilities in one unified security platform. Some of its major XDR features include:

  1. Endpoint Security:
  • Configuration Assessment — Wazuh keeps close track of system and application configuration to assess possible policy violations or compliance gaps. The Wazuh agent runs periodic Security Configuration Assessment (SCA) scans against built-in or custom policy files (for example, CIS benchmarks), reporting each failed check together with remediation guidance, so the scans can be tailored to each organization's needs.
  • File Integrity Monitoring — Wazuh monitors files for changes in content, ownership, permissions, and other attributes, providing clear visibility into system files. Combined with threat intelligence (for example, checking the hash of a modified file against VirusTotal), it helps identify possible threats or compromised hosts in an organization.

  2. Security Operations:
  • Log Data Analysis — Wazuh agents collect operating system and application logs and forward them to the Wazuh manager, where decoders and rules analyze them in real time. This keeps an organization aware of system errors, warnings, misconfigurations, malicious activity, and related issues.
Figure 2: Security Logs Analysis
  • Vulnerability Detection — The Wazuh manager maintains a vulnerability database built from up-to-date CVE (Common Vulnerabilities and Exposures) feeds. Agents periodically inventory the software installed on each endpoint, and the manager correlates that inventory against the database, raising alerts for known-vulnerable versions so corrective measures can be taken before the vulnerability is exploited.
Figure 3: Vulnerabilities Dashboard
  • Incident Response — Wazuh's active response module runs scripted countermeasures (such as blocking an IP address or killing a process) when specific rules fire. It also allows analysts to remotely run commands, query the system, or perform other incident response tasks.
Figure 4: Mitre Attack Framework
  • Regulatory Compliance — Wazuh provides many security controls that help an organization become compliant with current industry standards, and its rules are tagged with the PCI DSS, HIPAA, GDPR, and NIST 800-53 requirements they map to. For example, Wazuh is widely used by financial companies to meet PCI DSS (Payment Card Industry Data Security Standard) requirements.

  3. Cloud Security:
  • Cloud Security — Wazuh's cloud modules monitor cloud infrastructure at the API level, pulling logs and events directly from providers such as Amazon AWS, Microsoft Azure, and Google Cloud for assessment alongside endpoint data.
  • Containers Security — Wazuh continuously collects and analyzes detailed runtime information through native integration with the Docker engine. This allows easy monitoring of hosts and containers, their behaviour, vulnerabilities, and anomalies.

Vendor Agnostic approach of Wazuh

One possible limitation of XDR is that it is often vendor specific. For an organization running a homogeneous security infrastructure, a native XDR product may be sufficient, but no single native XDR vendor can realistically cover every attack vector. This is where Wazuh really shines: its open source design allows organizations to keep several vendors' tools deployed across their IT and security environment and feed them into one platform.

Larger enterprises usually have a cybersecurity infrastructure that is sophisticated and makes use of the finest security technologies from various vendors, in order to have the best possible protection for its resources.

Wazuh’s vendor agnostic approach allows organizations to deploy tools best tailored to their needs instead of forcing them to stick with technologies native to their XDR. Let’s take a short look at how Wazuh achieves this:

Open source

Wazuh started as a fork of the OSSEC project and remains fully open source. Whereas native XDR solutions require an organization to discard its existing tools, firewalls, and compliance systems and switch to a vendor-specific set of technologies, Wazuh can be fitted into the existing infrastructure, saving both time and cost.

External API integration

Wazuh can be integrated with external APIs through its integrator daemon. The integrator forwards alerts that match a configured rule level, rule ID, or rule group to external APIs and alerting tools; built-in integrations exist for Slack, PagerDuty, and VirusTotal, and any other product can be reached with a custom script that receives the alert and calls that product's API. This lets Wazuh act as the central point for alerts and responses while the surrounding tools remain whatever the organization has chosen.
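The following is an added example of such a custom integrator script, written for this article and not taken from the Wazuh project. It assumes the script is installed as custom-webhook in the integrations directory and wired up with an integration block in ossec.conf (the hook URL and minimum level are assumed values). It also illustrates the File Integrity Monitoring point above: for syscheck alerts it passes the before/after SHA-256 hashes along to the receiving tool so the hashes can be checked against threat intelligence. The sample alert is constructed for the example, with its field layout following Wazuh's JSON alert format.

```python
#!/usr/bin/env python3
"""Custom Wazuh integrator script (added example, not Wazuh project code).

Wazuh's integrator daemon invokes scripts named custom-* as:

    custom-webhook <alert_file> <api_key> <hook_url>

where <alert_file> holds one JSON alert. The assumed ossec.conf stanza is:

    <integration>
      <name>custom-webhook</name>
      <hook_url>https://hooks.example.test/wazuh</hook_url>
      <level>7</level>
      <alert_format>json</alert_format>
    </integration>
"""
import copy
import json
import sys
import urllib.request

MIN_LEVEL = 7  # assumption: forward only alerts at this level or above

# Constructed sample alert (placeholder values, not a real capture); the
# layout mirrors a Wazuh syscheck "modified" alert as written to alerts.json.
SAMPLE_ALERT = {
    "timestamp": "2022-09-07T10:00:00.000+0000",
    "id": "1662544800.123456",
    "rule": {
        "id": "550",
        "level": 7,
        "description": "Integrity checksum changed.",
        "groups": ["ossec", "syscheck", "syscheck_entry_modified"],
        "mitre": {"id": ["T1565.001"]},
    },
    "agent": {"id": "001", "name": "web01"},
    "syscheck": {
        "path": "/etc/ssh/sshd_config",
        "event": "modified",
        "sha256_before": "1111111111111111111111111111111111111111111111111111111111111111",
        "sha256_after": "2222222222222222222222222222222222222222222222222222222222222222",
        "changed_attributes": ["sha256", "size", "mtime"],
    },
}


def sample_alert():
    """Return a fresh copy of the constructed sample alert."""
    return copy.deepcopy(SAMPLE_ALERT)


def load_alert(path):
    """Read the single JSON alert the integrator wrote to <alert_file>."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def should_forward(alert, min_level=MIN_LEVEL):
    """Second line of defence after the <level> filter in ossec.conf.

    Alerts with a missing or malformed level are dropped rather than sent.
    """
    try:
        return int(alert["rule"]["level"]) >= min_level
    except (KeyError, TypeError, ValueError):
        return False


def build_payload(alert):
    """Reduce a Wazuh alert to the fields a receiving tool needs."""
    rule = alert.get("rule", {})
    payload = {
        "alert_id": alert.get("id"),
        "timestamp": alert.get("timestamp"),
        "agent": alert.get("agent", {}).get("name", "unknown"),
        "rule_id": rule.get("id"),
        "level": rule.get("level"),
        "description": rule.get("description"),
        "groups": rule.get("groups", []),
        "mitre": rule.get("mitre", {}).get("id", []),
    }
    syscheck = alert.get("syscheck")
    if syscheck:  # FIM alert: include hashes so the receiver can pivot to TI
        payload["fim"] = {
            "path": syscheck.get("path"),
            "event": syscheck.get("event"),
            "sha256_before": syscheck.get("sha256_before"),
            "sha256_after": syscheck.get("sha256_after"),
            "changed_attributes": syscheck.get("changed_attributes", []),
        }
    return payload


def demo_payload():
    """Payload produced for the constructed sample alert."""
    return build_payload(sample_alert())


def post_json(hook_url, api_key, payload, timeout=10):
    """POST the payload; the bearer-token header is an assumed receiver API."""
    req = urllib.request.Request(
        hook_url,
        data=json.dumps(payload).encode("utf-8"),
        method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {api_key}"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


def main(argv):
    if len(argv) != 4:
        sys.stderr.write("usage: custom-webhook <alert_file> <api_key> <hook_url>\n")
        return 2
    alert = load_alert(argv[1])
    if not should_forward(alert):
        return 0  # filtered out; nothing to send
    post_json(argv[3], argv[2], build_payload(alert))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The script never trusts the level filter in ossec.conf alone: a misconfigured integration block would otherwise flood the receiver, so should_forward re-checks the level and drops alerts whose rule metadata is missing. Keeping the hashes in the payload is what turns a plain FIM change notice into something a downstream tool can enrich.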

Documentation

Wazuh provides a complete and comprehensive set of documentation available online to every user. Given the great adaptability of Wazuh, the possibilities offered are extensive. The documentation provides a progressive set of hands-on experiences to users for accelerating their progress in becoming proficient with integrating Wazuh with their custom security architecture regardless of vendors.

Figure 5: Wazuh Website Documentation

Benefits of a vendor agnostic XDR like Wazuh

High-quality, general-purpose security infrastructure software, and technologies are available widely in today’s digital market. It’s essential for organizations to have the ability to access the right solutions, at the right time without being limited to using technologies provided by a single vendor. Following are a few of the major benefits of having a vendor agnostic XDR such as Wazuh:

Superior Protection

By placing Wazuh at the top of its security stack to centralize its threat detection, response, and investigation requirements, organizations can streamline and extend their current toolset for greater value and performance. Security teams can also add new tools and mix and match vendor tools to their respective benefits. No single vendor can provide comprehensive security coverage for all vectors and might not excel in areas outside of their primary focus.

Preventing Vendor lock-in

Vendor lock-in occurs when a customer becomes dependent on one vendor for a product or service and cannot use another vendor without significant switching costs or inconvenience. Organizations may need to give up their preferred set of tools that better fit their needs and settle with options provided by one specific vendor. This can significantly bottleneck the security potential of an organization. By choosing Wazuh, users are no longer limited to using a specified set of technologies provided by their vendor.

Scalability

As new security technologies are introduced, Wazuh makes it easier to scale the existing security infrastructure: new tools can be integrated into the platform through its log collection and integration mechanisms rather than replacing what is already deployed.

Better use of Resources

Wazuh simplifies the vendor management process, saving time and money. Aside from saving licensing fees, the operational costs are less as well. A centralized control plane also increases the productivity of the security team, while they spend less time worrying about managing and monitoring each individual tool.

Community and Support

Wazuh has a large, active, and fast-growing open source community. It allows users to participate in discussions, ask troubleshooting questions, and search for answers and solutions offered by other users. The community also accepts contributions to the platform: users can contribute by submitting issues, opening pull requests, or sending commits. This level of support is rarely found with proprietary native XDR products.

Conclusion

Wazuh combines records from multiple security applications and uses threat intelligence to find complex threats that individual tools miss. As the cybersecurity landscape continues to grow and mature, new and advanced solutions from multiple vendors will continue to emerge. An effective security strategy builds an infrastructure that makes it easy to integrate these tools as they appear. While it is certainly possible to get by with other solutions, Wazuh's combined vendor-agnostic XDR and SIEM approach is a future-proof option that an organization, whether big or small, can implement today.


Varul Arora

CTIA | Love cybersecurity, completed MSc in Applied Cyber Security from Queen’s University Belfast. Twitter : @AroraVarul