Wazuh : Security Information and Event Management (SIEM) for Small and Medium-Sized Enterprises

1. Introduction

This chapter introduces the security challenges faced by Small and Medium Enterprises (SMEs) while building their IT infrastructure, and explains why it is necessary for them to deploy a Security Information and Event Management (SIEM) tool.

1.1 Security Issues faced by Small and Medium Sized Enterprises

As reported by leading global information services organisations such as Experian, the number of sophisticated data breaches increases year on year. SMEs face bigger challenges because of the constraints that come with their smaller size: limited finances, weaker planning, less operational control, inadequate staff training and slower deployment of information systems. A prolonged lack of resources puts these organisations in an even more vulnerable position, since it is hard for them to detect attacks in advance, let alone prepare for them. This is the principal reason SMEs are a primary target for cyber attackers. It is therefore essential that they learn how to plan for, respond to and recover from security breaches.

1.2 Security Information and Event Management (SIEM) tool for SMEs

A SIEM is a security system made up of several technologies that work together to provide a centralised view of an infrastructure, covering all its bases. SIEM solutions gather information from network and security devices, identify and evaluate security events in real time, and provide long-term log storage, trend analysis and historical reporting. A SIEM combines two technologies: SIM (Security Information Management) and SEM (Security Event Management). SIM provides long-term storage, reporting and evaluation of log data; SEM provides real-time monitoring, correlation of events, console views and reports. When setting up a SIEM system, the two can be combined in whatever way suits the organisation.

1.3 State of Problem

Small and medium-sized enterprises currently face several cybersecurity issues. Because of their limited resources, these organisations fall prey to cyber-attacks, both internal and external. The lack of research in this area, together with a serious shortage of technical knowledge and know-how, makes it almost impossible for them to prepare for and respond to incidents effectively. For this reason, SMEs are increasingly the prime target for phishing and spear phishing, DDoS attacks, malware, SQL injection and other such cyber-attacks. These crimes can seriously damage a relatively new organisation's reputation and cause the loss of assets, employees and capital. To make matters worse, a security breach can also lead to legal action, with fines of up to 4 percent of annual turnover. To prevent this, small businesses conduct regular in-house audits, which require extra personnel and burn a hole in their pockets.

1.4 Defining the Aim and Objectives

1.4.1 Aim of Research

1.5 Structure of the report

The first chapter introduces the reader to the issues and challenges faced by SMEs in the context of cybersecurity, followed by an overview of the proposed solution, SIEM technology. It sets out the aims and objectives this report hopes to accomplish.

2. Literature Review

This chapter begins with a detailed account of the process followed when choosing the data and research relevant to this report. It then re-evaluates the prevailing studies, which mainly concern information security issues, the current situation in SMEs, and the design and implementation of SIEM tools (Gartner Inc. 2012) specific to SMEs. Finally, it gives an understanding of how useful this research can be for further development.

2.1 Methodology of Literature Review

This literature review follows Okoli and Schabram's (2010) guidelines, which propose an eight-step, academically rigorous, organised and iterative literature review procedure. The literature search began with a broad goal in mind: to find articles or academic papers related to SIEMs. The Lulea University Library, Google Scholar and ProQuest are only a few examples of the resources that proved helpful.

2.2 Prevailing Research: Understanding and Analysis

The research from the selected papers and articles discussed in this chapter centres on three topics: the information security challenges faced by organisations around the world, the design and implementation of a SIEM tool, and the different models suggested as solutions to the challenges faced by SMEs. Most of these works were published between 2004 and 2018.

3. Research Design

This section lays out the methodology, procedure and the rationale behind selecting the specific approach used to carry out this research project.

5. Technical details and artefact development

What is Wazuh?

Phase 1 — Installation

Installing Wazuh and the Wazuh agent on Windows OS, and configuring the virtual machine.

Phase 2 — Sample Log collection

We collected the logs from our Windows 10 endpoint. After a few minutes, as the screenshot below shows, data starts to flow in; all of it is parsed automatically and the bar graph is generated.

6. Testing and Evaluation

a) Rule 1 : Firewall Alert Trigger
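
To make the SIM/SEM split described in section 1.2 and the firewall alert of Rule 1 concrete, here is an added Python example; it is not Wazuh's code and not part of the original report. It models Wazuh-style rules (with `frequency` and `timeframe` attributes) evaluated over events shaped like Wazuh's decoded Windows eventchannel fields (`win.system.eventID`, `win.eventdata.sourceAddress`). The rule ids 100100 and 100101, the sample events (using documentation IP addresses) and the `ts` field are constructed for this example and are assumptions, not values from the report.

```python
"""Toy SIEM pipeline: ingest Windows Security events, archive them (the SIM side)
and evaluate frequency-based rules as events arrive (the SEM side)."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    """A rule in the spirit of a Wazuh local rule (assumed, simplified shape)."""
    rule_id: int
    level: int
    description: str
    fields: Dict[str, str]            # decoded field name -> regex it must match
    frequency: int = 1                # fire only after this many matches ...
    timeframe: int = 0                # ... within this many seconds
    same_field: Optional[str] = None  # group the count by this field's value


# Constructed sample events shaped like Wazuh's decoded eventchannel fields.
# Event ID 5157 = "The Windows Filtering Platform has blocked a connection".
# "ts" is seconds since an arbitrary epoch (constructed here, not a Wazuh field).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"ts": 0, "win.system.channel": "Security", "win.system.eventID": "5157",
     "win.eventdata.sourceAddress": "203.0.113.7", "win.eventdata.destPort": "445"},
    {"ts": 10, "win.system.channel": "Security", "win.system.eventID": "5157",
     "win.eventdata.sourceAddress": "203.0.113.7", "win.eventdata.destPort": "3389"},
    {"ts": 15, "win.system.channel": "Security", "win.system.eventID": "5157",
     "win.eventdata.sourceAddress": "198.51.100.9", "win.eventdata.destPort": "445"},
    {"ts": 20, "win.system.channel": "Security", "win.system.eventID": "5157",
     "win.eventdata.sourceAddress": "203.0.113.7", "win.eventdata.destPort": "135"},
    {"ts": 30, "win.system.channel": "Security", "win.system.eventID": "5157",
     "win.eventdata.sourceAddress": "203.0.113.7", "win.eventdata.destPort": "139"},
    {"ts": 40, "win.system.channel": "Security", "win.system.eventID": "5157",
     "win.eventdata.sourceAddress": "203.0.113.7", "win.eventdata.destPort": "22"},
    {"ts": 50, "win.system.channel": "Security", "win.system.eventID": "4624",
     "win.eventdata.targetUserName": "alice"},
]

RULES = [
    # Rule 1: every blocked connection raises a low-level alert
    Rule(100100, 5, "Windows Filtering Platform blocked a connection",
         fields={"win.system.channel": r"^Security$", "win.system.eventID": r"^5157$"}),
    # Correlated rule: 5 blocks from one source within 60 s escalates the severity
    Rule(100101, 10, "Multiple blocked connections from one source (possible scan)",
         fields={"win.system.eventID": r"^5157$"},
         frequency=5, timeframe=60, same_field="win.eventdata.sourceAddress"),
]


class MiniSiem:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.archive: List[Dict[str, object]] = []  # SIM: long-term store
        self.windows = defaultdict(deque)           # SEM: (rule, key) -> match timestamps
        self.alerts: List[Dict[str, object]] = []

    def ingest(self, event):
        """Store the event, then run every rule against it (collection + correlation)."""
        self.archive.append(event)
        for rule in self.rules:
            if self._matches(rule, event):
                self._correlate(rule, event)

    @staticmethod
    def _matches(rule, event):
        return all(re.search(rx, str(event.get(name, ""))) for name, rx in rule.fields.items())

    def _correlate(self, rule, event):
        key = str(event.get(rule.same_field, "")) if rule.same_field else ""
        window = self.windows[(rule.rule_id, key)]
        window.append(event["ts"])
        # drop matches older than the timeframe, then check the count
        while window and event["ts"] - window[0] > rule.timeframe:
            window.popleft()
        if len(window) >= rule.frequency:
            self.alerts.append({"rule_id": rule.rule_id, "level": rule.level,
                                "description": rule.description, "ts": event["ts"],
                                "source": key or None})
            window.clear()  # one burst yields one alert, then counting restarts

    def query(self, **filters):
        """SIM side: historical search over the archive by exact field values."""
        return [e for e in self.archive
                if all(str(e.get(k)) == v for k, v in filters.items())]


def run_demo(events=SAMPLE_EVENTS, rules=RULES):
    siem = MiniSiem(rules)
    for event in sorted(events, key=lambda e: e["ts"]):
        siem.ingest(event)
    return siem


if __name__ == "__main__":
    for alert in run_demo().alerts:
        print(alert)
```

Running the demo yields six level-5 alerts (one per blocked connection) and one level-10 alert when the fifth block from 203.0.113.7 arrives inside the 60-second window; the 4624 logon event matches neither rule but is still archived and searchable through `query`, which is the SIM half of the design. For the real setup, event 5157 only reaches the Wazuh agent if the Windows audit policy "Audit Filtering Platform Connection" has failure auditing enabled and the agent's `ossec.conf` forwards the Security channel with `<log_format>eventchannel</log_format>`.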

7. Conclusion

This section presents the implications of the project's findings for security practitioners and SMEs. The chapter closes with a brief discussion of the study's limitations and of possible improvements for SIEM- and SME-related research and practice. Given the recognised limitations in expertise, knowledge and budget, it is difficult to see how the situation for SMEs can improve without further drastic improvements to the methods available to them.

Varul Arora

CTIA | Love cybersecurity, completed MSc in Applied Cyber Security from Queen's University Belfast. Twitter : @AroraVarul