Vulnerability management with Wazuh open source XDR

Organizations have a hard time keeping track of vulnerabilities due to the large number of these that are discovered daily. From January to October 2022, over 19,000 vulnerabilities have been discovered, according to CVE Details. These vulnerabilities are disclosed in a publicly known list called the Common Vulnerabilities and Exposures (CVE).   

A vulnerability is a weakness, bug, or flaw in a system that makes it open to exploitation by threat actors. Some notable vulnerabilities include Log4Shell, Follina, and Spring4Shell.

Threat actors make use of exploits to compromise vulnerable endpoints. Exploits are commands, software, or scripts that leverage vulnerabilities to breach an endpoint and compromise the confidentiality, integrity, or availability of data. In the case of Follina, a Remote Code Execution (RCE) vulnerability, a successful exploit grants complete computer control to the attacker. 

Due to the ever-increasing vulnerabilities and the risks they pose to organizations, it is necessary to implement a vulnerability management system. 

Need for vulnerability management

Vulnerability management involves identifying, classifying, remediating, and mitigating vulnerabilities. Vulnerability management solutions proactively scan devices in a network and identify weaknesses in them. They also categorize these vulnerabilities based on severity and provide remediation steps. These remediation steps can range from software updates to changing default passwords and configuration. Thereby preventing security breaches that can occur if these vulnerabilities get exploited. There are several advantages of having a vulnerability management system. These include:

  • Identifying and patching vulnerabilities. A vulnerability management program allows organizations to know the vulnerabilities they are exposed to. With this, adequate plans can be created to patch the vulnerabilities before threat actors exploit them. 
  • Improving security posture: Vulnerable components increase the attack surface of an organization's infrastructure. Therefore, it is important to identify and mitigate vulnerabilities to improve the organization's security posture.
  • Compliance with regulatory requirements: A vulnerability management program is essential for compliance with regulatory requirements such as PCI DSS, HIPAA, or GDPR. It also allows the organization to provide reports needed during a security audit.
  • Risk assessment: A vulnerability management program will allow you to prioritize vulnerabilities based on risk factors. For example, more resources can be assigned to remediate an easily exploited vulnerability that leads to a ransomware incident.

How Wazuh can help

Wazuh is a free and open source unified XDR and SIEM platform. It protects workloads across on-premises, virtualized, containerized, and cloud-based environments.

The Wazuh platform uses a server/agent model: 

  • Wazuh central components consist of the Wazuh server, Wazuh indexer, and Wazuh dashboard. These components analyze security data collected from the agents. They support on-premises deployment and can be deployed in the cloud using the Wazuh Cloud solution. 
  • The Wazuh agent is a lightweight program that is installed on endpoints. The agents collect security event data from the monitored endpoints and forward these events to the Wazuh server, where log analysis, correlation, and alerting are carried out. 

The Wazuh solution also supports agentless monitoring. This can be used for devices such as routers, firewalls, switches, and endpoints on which the Wazuh agent cannot be installed. 

Wazuh has several capabilities that help organizations of all sizes protect their assets against security threats. The vulnerability management capabilities of Wazuh include Security Configuration Assessment (SCA), and vulnerability detection.

Security Configuration Assessment (SCA)

Security configuration assessments and hardening are effective ways to reduce an organization’s attack surface. The Wazuh SCA capability access system configurations and generates alerts when these configuration does not meet defined secure system policies. 

The SCA policies included out-of-the-box with Wazuh can be used to check for compliance with the Center of Internet Security (CIS) benchmarks. The CIS benchmarks are configuration baselines, best practices, and recommendation that ensures the secure configuration of a system.

These SCA policies are written in YAML, which is easy to understand.  Users can also create new policies or modify existing policies to fit their requirements.

 

Fig. 1: The Wazuh dashboard showing the result of an SCA check on a Windows device

The result of an SCA check on the Wazuh dashboard provides information about the configuration that was checked and recommendations to harden the system. With the SCA capability, organizations can check for misconfigurations in their infrastructure, remediate them, and ensure compliance with various regulatory frameworks (PCI DSS, GDPR, and NIST). 

Wazuh vulnerability detection

Wazuh helps users gain security visibility into the endpoints within their environment using the vulnerability detection module. This module allows you to discover vulnerabilities in the operating system and applications installed on the endpoints monitored by Wazuh. 

Vulnerability detection is done through the native integration of Wazuh with external vulnerability feeds indexed by Canonical, Debian, Red Hat, Arch Linux, Amazon Linux Advisories Security (ALAS), Microsoft, and the National Vulnerability Database (NVD).

Wazuh agents extract software inventory data from the monitored endpoints and send this information to the Wazuh server. The software inventory data is correlated with CVE databases maintained on the Wazuh server to identify known vulnerable software. 

Fig. 2: The Wazuh dashboard showing the result of a vulnerability detection scan on an Ubuntu device

The result from the vulnerability detection scan includes the CVE entry, the description, the severity level,  and the condition of the vulnerability, which suggests possible remediation steps.

Conclusion

Vulnerability management programs help to keep your organization's infrastructure safe by detecting vulnerabilities before it gets exploited while ensuring compliance with regulatory requirements. It allows you to identify and remediate known vulnerabilities that can compromise the integrity of the computer systems and the information stored on them.

With more than 10 million annual downloads and dependable community support, Wazuh stands out as a free open source tool with SIEM and XDR capabilities. It is a free solution that integrates well with third-party solutions and technologies. To deploy Wazuh and explore use cases around vulnerability management, check out the Wazuh documentation.

October 13, 2022
Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

0 Comments
Inline Feedbacks
View all comments
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013
CYBER MONDAY IS HERE! Get your 30% OFF
Use the code: H9CYBER
x