Improve Security Analytics with the Elastic Stack- Wazuh


Eric

Jun 6, 2021, 11:51:31 AM
to Wazuh mailing list
Hi everyone, 

I understand Wazuh, commonly deployed along with the Elastic Stack, is an open-source host-based intrusion detection system (HIDS). It uses a signature-based approach to threat detection. So, we face sifting through thousands (or millions) of alerts every day; among them are false positives that the SIEMs did detect, with rule levels in the range 3-10.

We don't know whether they actually impact the systems or not. We also can't review them one by one, each alert by a human. In this situation, can hackers bypass the SIEMs? Therefore, it's just normal behaviour. We need a solution here. I'm researching and see that Elastic machine learning features help reduce the noise by automatically identifying unusual behaviours. This is a clear use case where anomaly-based and signature-based technologies complement each other, making threat detection easier and investigations more efficient.

Unfortunately, since Wazuh uses Open Distro, machine learning is not available at this time, right?
How can I use or integrate machine learning with Wazuh? Please suggest to me both commercial and FOSS.

Regards,



Rafael Antonio Rodriguez Otero

Jun 6, 2021, 1:04:03 PM
to Eric, Wazuh mailing list
Hello

Well, first of all, I will ask you to explain in more detail what you say. The question you asked was: in this situation, can hackers bypass the SIEMs?

First of all, how is the SIEM process working? I ask you this question because the idea of a SIEM is to detect an anomalous event; using machine learning is not always a solution. If you have billions of events, of course that can be complex, but if you have a system that is correctly configured, you have a low level of false positives and you adapt your SIEM to the infrastructure, then your alarms created by signatures are very effective.

But if you have many false positives and you do not correctly configure the SIEM to the company process, it is very possible that you will not be able to have good alarms, neither by signatures nor by machine learning.

No SIEM comes correctly configured for the company's processes; all of them must be adapted to the company. Every SIEM tries to provide a general framework which you must improve over time in the monitoring implementation.

Besides that, the cost of machine learning in resources is much higher; you should also consider that.

So, let's start with the process you use to manage SIEMs and see if it has a solution that can be adapted to your requirement. In addition to having the process clear, you must do an Ethical Hacking test on the process to detect all security flaws, and from that point on, you must decide which monitoring method you should use.

Do you understand?

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/3f0193e8-997d-44bd-8e67-977fea259576n%40googlegroups.com.

Eric

Jun 6, 2021, 10:44:55 PM
to Rafael Antonio Rodriguez Otero, Wazuh mailing list
Hi Rafael,

Well, first of all, thank you for your answer.

Let me point out my understanding of how the SIEM process works.

The Wazuh Manager receives the log file sent by Agentd at Remoted and forwards it to Analysisd to test for matching decoders and rules. Additionally, it uses threat intelligence to look for well-known indicators of compromise (IOCs). Then we have two cases:

wazuh-alerts: Index for alerts generated by the Wazuh server. Those are created each time an event trips a rule with a high enough priority (this threshold is configurable).
wazuh-events: Index for all events (archive data) received from the agents, whether or not they trip a rule.

With wazuh-alerts, the rules are classified in multiple levels, from the lowest (0) to the maximum (16). At this point we are sifting through thousands (or millions) of alerts every day; among them are false positives that Wazuh did detect, with rule levels in the range 3-10.

At this point, will you ignore them? Right? If yes, you are losing some events where hackers likely bypass SIEMs, because it's just normal behaviour that Wazuh detects. Therefore, the events do not trip a rule with a high enough priority to confirm that there are no false positives. Immediate attention is necessary.

==> We don't know what hackers will do, and sometimes we can't cover all the rules on the host or systems. So we need to detect normal behaviour.

If not, could you please share in more detail your experience of sifting through thousands (or millions) of alerts every day? Please let me know the configurable threshold you defined. Is it an alarm that needs Incident Response at Wazuh level 14, 15, 16? Is this correct?

For the process I'm using to manage SIEMs: firstly, I collect information on the hosts or the systems that need monitoring. Example: I have a host that has PostgreSQL and Nginx; I will configure them with the general framework rules from Wazuh. From time to time I will receive feedback to determine that the applied rules are false positives, and I will tune the rules. This rotation continues while I maintain the host. At this point, do you have any recommendations or a few ideas to help me improve myself?

Do you understand how Threat Intelligence on Wazuh works? Please clarify for me if you can.

Regards,
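
Added here as an illustration of the triage Eric describes (not code from the thread or from the Wazuh project): a small script that reads alert records in the shape of Wazuh's alerts.json, sends alerts at or above an assumed escalation level to incident response, and flags rules in the noisy 3-10 band that fire repeatedly on one agent as candidates for rule tuning. Thresholds, rule ids, agent names and the sample records are all assumptions constructed for the example.

```python
import json
from collections import Counter

# Constructed sample in the shape of Wazuh's alerts.json (one JSON object per
# line); rule ids, agents and timestamps are made up for this example. A
# deliberately malformed line is appended to show that parsing tolerates it.
SAMPLE_ALERTS = "\n".join(json.dumps(a) for a in [
    {"timestamp": "2021-06-06T10:00:01Z", "agent": {"name": "web01"},
     "rule": {"level": 5, "id": "100010", "description": "Nginx 404 burst"}},
    {"timestamp": "2021-06-06T10:00:07Z", "agent": {"name": "web01"},
     "rule": {"level": 5, "id": "100010", "description": "Nginx 404 burst"}},
    {"timestamp": "2021-06-06T10:01:12Z", "agent": {"name": "web01"},
     "rule": {"level": 5, "id": "100010", "description": "Nginx 404 burst"}},
    {"timestamp": "2021-06-06T10:02:30Z", "agent": {"name": "db01"},
     "rule": {"level": 3, "id": "100020", "description": "PostgreSQL connection"}},
    {"timestamp": "2021-06-06T10:03:45Z", "agent": {"name": "db01"},
     "rule": {"level": 12, "id": "100030", "description": "PostgreSQL role change"}},
    {"timestamp": "2021-06-06T10:04:00Z", "agent": {"name": "web01"},
     "rule": {"level": 2, "id": "100040", "description": "Nginx access log"}},
]) + "\nnot json\n"


def parse_alerts(text):
    """Parse newline-delimited alert records, skipping blank or malformed lines."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one bad line must not abort the whole triage
    return alerts


def triage(alerts, noise_band=(3, 10), escalate_at=12, tune_after=3):
    """Return (escalate, tuning_candidates).

    escalate: alerts whose rule level is >= escalate_at (assumed IR threshold).
    tuning_candidates: (agent, rule id, description, count) for noise-band
    rules that fired tune_after or more times on the same agent.
    """
    lo, hi = noise_band
    escalate = [a for a in alerts if a["rule"]["level"] >= escalate_at]
    fired = Counter((a["agent"]["name"], a["rule"]["id"], a["rule"]["description"])
                    for a in alerts if lo <= a["rule"]["level"] <= hi)
    candidates = [(agent, rid, desc, n) for (agent, rid, desc), n in fired.most_common()
                  if n >= tune_after]
    return escalate, candidates
```

Rules that appear in the tuning list are the ones worth reviewing against the asset's normal behaviour before lowering their level or adding an exception, rather than silently ignoring the whole band.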

Rafael Antonio Rodriguez Otero

Jun 7, 2021, 11:31:16 AM
to Eric, Wazuh mailing list
Hello.

I don't know if the translator failed me, but the process I asked you about is not that one. The idea is that you mention more or less how the internal process of the company is, not the process for using the SIEM Wazuh.

I will recommend that you do the following. Although this topic is not Wazuh, and is rather a topic for another forum, I understand your concern.

How to detect attacks that Wazuh does not have by default with high priority?

I mentioned the answer to your question in the previous email.

1.) You must perform Penetration tests or Ethical Hacking tests. (The frequency and equipment used for these tests depend on the internal functions of the company, as well as the scope of the test.)

NOTE: as I mentioned the previous time, no SIEM comes 100% configured and updated for a company; they all come with standard frameworks and they do the best they can. Even with Machine Learning, you must train it to detect events or alerts.

2.) Once you have the test results, the SIEM, IPS and IDS settings come.

With this idea of improvement you will be able to optimize the rules. To detect something that does not come by default in the Wazuh rules, you must first evaluate the assets, try to find their vulnerabilities, and then set the monitoring or blocking rules.

That is why I asked you to mention the company's process with the assets, for example, you mentioned the applications:

 1.) PostgreSQL
 2.) Nginx

You should ask yourself these questions:
How are you using these applications? (users, accesses, etc.)
How do you have them installed? (nginx.conf, postgres.conf, etc.)
Are they on independent servers? (Windows, Linux, etc.)
What functions do they have for the company?

Note: Do not answer this here; this is private information.

This analysis is the one that you should use to set the monitoring rules, and this same analysis is the one that the Ethical Hacking staff will use to perform the penetration tests. With this you can build a cybersecurity framework with the monitoring policies most personalized for your company.

Greetings.

Eric

Jun 7, 2021, 12:24:14 PM
to Rafael Antonio Rodriguez Otero, Wazuh mailing list
Hi Rafael,

Thank you so much for the excellent answer. You saved my time.

It was exactly what we needed and allowed me to improve myself.  

Regards, 