Pituphong Yavirach, CPTE
Founder – Debug Consulting
Deployment (HIDS)
Agenda
01 Introduction
02 Installation
03 Deployment Wazuh Agent
04 Configuration
05 Function Test
06 Conclusion
Introduction: HIDS – Host Based Intrusion Detection System
• A Host-Based Intrusion Detection System (HIDS)
• A HIDS collects, analyzes and pre-correlates a client's logs and raises an alert when it detects an attack, fraudulent use (a policy violation) or an error.
• It verifies the integrity of local system files, detects rootkits, and identifies hidden attacker activity such as Trojan horses and malware.
• A HIDS provides real-time alerts and active response.
• A HIDS integrates easily with SIEMs.
• Policies are deployed centrally to all HIDS agents to monitor server compliance.
Ref. Anglia Ruskin University, OWASP Cambridge Chapter
image ref. https://www.decipherzone.com/blog-detail/web-application-architecture
OSSEC
• OSSEC is an open source HIDS.
• Its purpose is to detect abnormal behavior on a machine.
• It collects the information sent to it by the monitored hosts and uses signatures or behavior to detect an anomaly.
• An OSSEC agent is installed on each machine.
Ref. Anglia Ruskin University, OWASP Cambridge Chapter
WAZUH
• Wazuh is an open source platform for intrusion detection, security monitoring, incident response and compliance checking.
• It is a fork of OSSEC.
• It can be used to monitor endpoints, cloud services and containers, and to aggregate and analyze data from external sources.
• The Wazuh solution consists of an endpoint security agent, deployed on the monitored systems, and a management server, which collects and analyzes the data gathered by the agents.
• Additionally, Wazuh is fully integrated with the Elastic Stack, providing a search engine and a visualization tool that let users navigate their security alerts.
Ref. Anglia Ruskin University, OWASP Cambridge Chapter
WAZUH Abilities
• A brief overview of some of the most popular current use cases of the Wazuh solution:
  Log analysis
  File integrity monitoring
  Rootkit detection
  Active response
  Configuration assessment
  System inventory
  Vulnerability detection
  Cloud security
  Container security
  Regulatory compliance
WAZUH Architecture
• The Wazuh architecture is based on agents, running on the monitored endpoints, which transmit security data to a central server.
• Agentless devices such as firewalls, switches, routers and access points are supported and can actively submit log data via syslog, SSH or their API.
• The central server decodes and analyzes incoming information and forwards the results to the Wazuh indexer for indexing and storage.
• The Wazuh indexer cluster is a set of one or more nodes that communicate with each other to perform index read and write operations.
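The architecture described above, as an added example that is not part of the slides or of the Wazuh project's own documentation: a manager-side fragment of `/var/ossec/etc/ossec.conf` that opens the encrypted listener for agents, opens a syslog listener for the agentless devices (firewalls, switches, routers, access points), and wires the active response ability to high-severity alerts. The network range is a constructed placeholder; `firewall-drop` is one of the response commands shipped in the default manager configuration.

```xml
<!-- Added example: manager-side fragment of /var/ossec/etc/ossec.conf.
     The 10.10.0.0/24 range below is a constructed placeholder. -->
<ossec_config>

  <!-- Listener for Wazuh agents: encrypted agent traffic on 1514/tcp -->
  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
  </remote>

  <!-- Listener for agentless devices that forward logs over syslog.
       Restricting senders to the management network keeps arbitrary
       hosts from injecting events into the pipeline. -->
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>10.10.0.0/24</allowed-ips>
  </remote>

  <!-- Active response: on any alert of level 12 or higher, run the
       built-in firewall-drop command on the agent that raised it and
       lift the block again after 600 seconds. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>12</level>
    <timeout>600</timeout>
  </active-response>

</ossec_config>
```

Wazuh re-reads this file on `systemctl restart wazuh-manager`. The `<allowed-ips>` filter matters because the syslog listener has no authentication: anything that can reach 514/udp can otherwise feed the decoders.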
WAZUH Component
WAZUH Indexer
• The Wazuh indexer is a highly scalable, full-text search and analytics engine.
• The Wazuh indexer stores data as JSON documents. Each document correlates a set of keys (field names or properties) with their corresponding values.
• An index is a collection of related documents.
• Wazuh uses four different indexes to store different types of events: wazuh-alerts, wazuh-archives, wazuh-monitoring and wazuh-statistics.
Ref. Anglia Ruskin University, OWASP Cambridge Chapter
WAZUH Server
• The Wazuh server component analyzes the data received from agents, triggering alerts when threats or anomalies are detected.
• It is also used to manage agent configuration remotely and to monitor agent status.
• The Wazuh server uses threat intelligence sources to improve its detection capabilities.
• It also enriches alert data using the MITRE ATT&CK framework and regulatory compliance requirements such as PCI DSS, GDPR, HIPAA, CIS and NIST 800-53, providing useful context for security analysis.
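An added example of how the server attaches ATT&CK and compliance context to an alert (example code, not from the slides or from the Wazuh project): a custom correlation rule for `/var/ossec/etc/rules/local_rules.xml`. The rule id 100100 is a constructed id from the custom range (100000 and above); 5716 is the stock Wazuh "sshd: authentication failed" rule it builds on, and the `<mitre>` and `<group>` tags are what the server copies into every alert this rule produces.

```xml
<!-- Added example: custom rule in /var/ossec/etc/rules/local_rules.xml.
     Rule id 100100 is a constructed id; 5716 is the stock sshd
     "authentication failed" rule. -->
<group name="local,syslog,sshd,">

  <!-- Fires when the same source address produces 8 failed SSH logins
       within 120 seconds. <mitre> attaches the ATT&CK technique id to
       the alert; the pci_dss_*, gdpr_* and nist_800_53_* group tags are
       the compliance mapping the dashboard reports on. -->
  <rule id="100100" level="12" frequency="8" timeframe="120">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip/>
    <description>sshd: repeated authentication failures from $(srcip) (custom correlation rule)</description>
    <mitre>
      <id>T1110</id>
    </mitre>
    <group>authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,gdpr_IV_35.7.d,nist_800_53_AC.7,</group>
  </rule>

</group>
```

After restarting the manager, the resulting alerts carry `rule.mitre.id: T1110` and `rule.pci_dss`, `rule.gdpr` and `rule.nist_800_53` fields in the `wazuh-alerts` index, which is the context the server passage above refers to. The Ruleset test page on the dashboard can be used to feed a sample sshd line through the decoders and confirm the rule chain before relying on it.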
WAZUH Dashboard
• The Wazuh dashboard is a flexible and intuitive web-based user interface for exploring, analyzing and visualizing security events and alert data.
• It is also used for managing and monitoring the Wazuh platform.
• Additionally, it provides role-based access control (RBAC), single sign-on (SSO), data visualization and analysis, agent monitoring and configuration, platform management and developer tools.
WAZUH Data visualization and analysis
WAZUH Agent Monitoring
WAZUH Platform Management
WAZUH Status and Reports
WAZUH Ruleset test
WAZUH API Console
WAZUH Security rules
WAZUH Agent
• The Wazuh agent is cross-platform and runs on the hosts that the user wants to monitor.
• It is also used for Wazuh platform management and monitoring.
• The Wazuh agent provides key functionality to improve the security of your system:
  Log collector
  Command execution
  File integrity monitoring (FIM)
  Security configuration assessment (SCA)
  System inventory
  Malware detection
  Active response
  Container security monitoring
  Cloud security monitoring
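The agent capabilities listed above, as an added example that is not from the slides or the Wazuh project: an agent-side `/var/ossec/etc/ossec.conf` fragment for a Linux host that enables the log collector, command execution, file integrity monitoring, rootkit (malware) detection, security configuration assessment and system inventory. The manager hostname is a constructed placeholder.

```xml
<!-- Added example: agent-side fragment of /var/ossec/etc/ossec.conf.
     wazuh-manager.example.internal is a constructed placeholder. -->
<ossec_config>

  <!-- Where this agent reports; matches the manager's secure listener -->
  <client>
    <server>
      <address>wazuh-manager.example.internal</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
  </client>

  <!-- File integrity monitoring (FIM): real-time on /etc with content
       diffs, scheduled every 12 h on the binary directories -->
  <syscheck>
    <disabled>no</disabled>
    <frequency>43200</frequency>
    <directories check_all="yes" realtime="yes" report_changes="yes">/etc</directories>
    <directories check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin</directories>
    <ignore>/etc/mtab</ignore>
    <ignore type="sregex">.log$|.swp$</ignore>
  </syscheck>

  <!-- Rootkit / malware detection -->
  <rootcheck>
    <disabled>no</disabled>
    <check_files>yes</check_files>
    <check_trojans>yes</check_trojans>
    <check_dev>yes</check_dev>
    <check_sys>yes</check_sys>
    <check_pids>yes</check_pids>
    <check_ports>yes</check_ports>
    <check_if>yes</check_if>
    <frequency>43200</frequency>
  </rootcheck>

  <!-- Security configuration assessment (SCA) against the CIS policies
       bundled with the agent -->
  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>12h</interval>
    <skip_nfs>yes</skip_nfs>
  </sca>

  <!-- System inventory: packages, listening ports and processes hourly -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>
  </wodle>

  <!-- Log collector: ship the authentication log to the manager -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

  <!-- Command execution: run a command on a schedule and send its
       output as a log event (every 6 minutes) -->
  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
    <frequency>360</frequency>
  </localfile>

</ossec_config>
```

The same sections can be pushed from the manager through shared agent configuration (`agent.conf` under `/var/ossec/etc/shared/`), which is how the centralized policy deployment mentioned in the introduction is done in practice; `realtime="yes"` on `/etc` depends on inotify being available on the host.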
Wazuh Security Platform
Questions?
THANK YOU
