Endpoint Security Discussions (Fourteen) Wazuh White Paper (Part 2)

Introduction

The last part of the Wazuh white paper, let's talk about the advantages, disadvantages, and counterparts, as well as the feeling of modifying the product with Wazuh.

Wazuh pros and cons

Advantage

1. Compatibility

Wazuh provides compatibility requirements that most domestic endpoint security products in the market cannot meet, whether it is the operating system compatibility of the probe client program or the compatibility of the management endpoint installation and deployment, wazuh performs very well. The excellent performance of compatibility may originate from the simplification of the working principle of the probe and the software dependency relationship, but this does not affect the completeness of wazuh's functions.

1.1. Probe compatibility

Not to mention, no domestic manufacturer's products meet the requirements for supported operating systems.

1.2. Management endpoint compatibility

The Wazuh server and Elastic Stack components can be installed on the following Linux operating systems:

• Amazon Linux 2
• CentOS 7 and higher versions
• Debian 8 ELTS and higher versions
• Fedora Linux 31 and higher versions
• openSUSE Tumbleweek (d), Leap 15.2 and higher versions
• Oracle Linux 6 Extended Edition and higher versions
• Red Hat Enterprise Linux 6 ELS and higher versions
• Ubuntu 14.04 ESM and higher versions

2. Performance

The Wazuh server only performs data storage and data analysis functions and can be deployed on physical servers or virtual machines. The minimum server resources required to run are 4G of memory. Since the server needs to store a large amount of log data, it has a high demand for disk space. For example, for a server monitoring two agents, running for two weeks, the system disk space occupied is about 2G.

The installation size of the Wazuh server is about 120M, with quick installation and short deployment time. The agent installation package is about 6M, and the installation occupies about 27M of disk space. When the agent performs checks or collects logs, the system resources are as shown in the figure below:

The CPU usage during silence is less than 1% daily, and only memory resources are used.

The Wazuh agent lacks security, no daemons are set, and the terminal agent cannot automatically start after being terminated.

3. Extensibility

Wazuh currently provides proxy, manager, and API expansion interfaces; Wazuh WUI can run as a Kibana plugin or Splunk application, expanding the visualization and management interface; Wazuh includes docker, kubernetes container security components.

Disadvantages

1. Information Collection Ability

The main capability and value of EDR products are reflected in their ability to acquire and extract data from probes, whether it is static data or dynamic behavior data. The Wazuh probe can only obtain limited system information at the system ring3 layer and perform data analysis by obtaining system logs through interfaces, which may miss critical system information and not fully capture data during this process.

2. Control Power

Wazuh relies more on system commands and component capabilities when executing certain strategies and rules, obtaining relevant data by executing system commands, etc., and is strongly dependent on Linux control commands such as auditctl and iptables.

3. Function Expansion

Wazuh currently supports third-party capability expansion in addition to standard functional components. There are already many open-source components for Wazuh, but Wazuh still has many problems in scenario adaptation, such as:

Compliance: Wazuh only supports foreign standards, and domestic standards such as the national information security protection standard and industry standards require independent development, and the application of compliance content needs to be expanded;

Behavior Detection: Although Wazuh has certain intrusion detection capabilities, they are far from enough for the expected security protection capabilities in real-world environments and for enterprise users. Further capability enhancement and detection function expansion require considerable resources for secondary development.

Services and Operations: The current deployment method of Wazuh does not include cloud-based security services and operations. This requires system adaptation, including private cloud and public cloud multi-tenant scenarios, and the scenario of enterprises with division of power and domain.

4. Self-security

The Wazuh agent client program lacks self-protection mechanisms and has limited self-protection capabilities. The probe process is easily terminated, and malicious programs are prone to affect it, causing the protection to fail.

Competitive Analysis

Bluespawn

BLUESPAWN is an active defense and endpoint detection and response tool, which means defenders can use it to quickly detect, identify, and eliminate malicious activities and malware in the network. It is only for Windows.

BLUESPAWN mainly has three modes, namely mitigation mode, hunting mode, and monitoring mode. There are also some sub-modules, including:

1. Hunting: Searching for evidence of malicious behavior
2. Mitigation: Mitigates vulnerabilities through the application of security settings
3. Monitoring: Continuously monitors for potential malicious behavior in the system
4. Scanning: Used to evaluate targets discovered by hunting and determine if they are suspicious/malware
5. User: Contains the main program, IOBase, and other similar functions
6. Utilities: a collection of modules that support core operations

Adopts command-line interface, the user interface is not very user-friendly

OSSEC

OSSEC is an open-source cross-platform quasi-EDR intrusion detection and response system. OSSEC monitors all aspects of the corporate asset system activities through file integrity monitoring, log monitoring, rootcheck, and process monitoring, providing a basis for security management.

OSSEC has a powerful correlation and analysis engine, integrating log analysis, file integrity monitoring, Windows registry monitoring, centralized policy execution, rootkit detection, real-time alerts, and active response. It can run on most operating systems, including Linux, OpenBSD, FreeBSD, MacOS, Solaris, and Windows.

Main features:

1. Log-based Intrusion Detection (LID)

Real-time active monitoring and analysis of data from multiple log data points

2. Rootkit and Malware Detection

Process and file level analysis to detect malicious applications and rootkits

3. Active response

Respond to system attacks and changes in real time through various mechanisms, including firewall policies, integration with 3rd parties such as CDN and support portals, and self-healing actions

4. Compliance auditing

Application and system-level auditing to comply with many common standards, such as PCI-DSS and CIS baseline

5. File Integrity Monitoring (FIM)

For file and Windows registry settings, it can not only detect system changes in real time but also maintain an evidentiary copy of the data as the data changes over time.

6. System inventory

Collect system information, such as installed software, hardware, utilization, network services, listeners, and other information.

7. Support for various extension function plugins

Identity authentication, alert push, rule generation, GUI interface, SOAR, micro-segmentation, firewall联动

Wazuh supports the migration of data from OSSEC by default, and Wazuh performs slightly better than OSSEC in terms of scalability and reliability, intrusion detection capabilities, cloud integration, compliance checks, event response capabilities, and vulnerability detection.

openEDR

Security vendor Comodo has opened source EDR solution, OpenEDR is a comprehensive EDR function. It is one of the most complex and effective EDR code libraries in the world. The security architecture of OpenEDR simplifies vulnerability detection, protection, and visibility by processing all threat media without any other agent or solution. This agent records all telemetry information locally and then sends the data to a locally hosted or cloud-hosted Elasticsearch deployment.

For details on openEDR components and features, please refer to:

https://techtalk.comodo.com/2020/09/19/open-edr-components/

In addition to openEDR, Comodo has also gradually developed NDR solutions and XDR on the basis of EDR, and began to discuss MDR service technology in 2018. In the design of product capabilities and rules of Comodo products, the MITRE attack chain concept is adopted, and the ATT&CK framework is mapped to product functions and kernel API virtualization and other patented applications.

Wazuh product transformation

Due to Wazuh's performance in compatibility and scalability, some people have the intention to transform it into a product for sale, and it must be said that this is indeed a thing that looks like a sure thing.

De-Wazuh

To become a selling security product, the necessary thing to do is to make it look like it is your own work, if it can be seen at a glance that it is an open-source project, will the customer pay for it? All the identification, LOGO, characters, etc., need to be changed, which is a very large amount of work. It is very difficult to go to Wazuh, all the URLs need to be changed, or you can hide it, there are countless hidden corners of Wazuh, and there are various components and extended software of Wazuh. You also need to consider the issue of the Wazuh name returning when upgrading the product. Another more painful thing is the management interface, that style, that layout, that presentation, if you don't change half of it, you can't cover it up at all.

Localization

The style of foreign products is completely different from that of domestic ones, and the logic of product usage is not compatible with Chinese people, can you change this? Or if this is not important, then all the text parts should be localized, including buttons, labels, descriptions, etc., and there is also the problem of returning after the upgrade.

Usage

The Yara rules are not bad, the problem is that once you choose Wazuh, the subsequent product capability construction, evolution, and upgrade must follow this, it's okay to play with Wazuh, but if you really want to make money, how many people do you need to make a broken thing that is likely to go wrong at any time, and if you want to upgrade and transform, you will fall into an endless cycle of troubles, and there is no time to deal with product capabilities with people solving problems.

Don't even think about the good things of overtaking on the curve, first make a top and organize people to make a quick entry themselves, if you think clearly about the content above and finish it, it will take more than 7 or 8 months to become a product that can be sold, and in that time, you could have made one out.