Improving cyber defense with open source SIEM and XDR

Developing an effective strategy is a continuous process which requires recurring evaluation and refinement

Partner Content A cyber defense strategy outlines policies, procedures, and technologies to prevent, detect, and respond to cyber attacks. This helps avoid financial loss, reputational damage, and legal repercussions.

Developing a cyber defense strategy involves evaluating business risks, implementing security controls and policies, and continuously improving them to address likely risks. A defense strategy includes controls for threat detection, vulnerability management, risk assessments, data protection, and access control, all of which help to protect valuable IT assets.

Security solutions like Extended Detection and Response (XDR), Security Information and Event Management (SIEM), and firewalls can improve an organization's cyber security. However, successful implementation requires careful planning, configuration, and customization to suit specific requirements.

Designing your cyber defense strategy

Every organization has unique IT infrastructure and security requirements. Hence, security strategies and solutions must be tailored accordingly.

Here are some aspects to consider when designing your cyber defense strategy:

Risk assessment: Identify and assess threats and vulnerabilities specific to your organization. Evaluate cyber threats, both internal and external, and prioritize risks based on likelihood and severity.

Technology selection: Choose and customize security solutions like SIEM, XDR, and firewalls to fit your organization's needs. Ensure security controls cover data security, network security, vulnerability management, and identity and access management.

Integration: Integrate security technologies for a robust security ecosystem to enable better event correlation and faster incident response.

Incident response plan: An incident response plan outlines the steps to take in a security incident like data breach, malware infection, credential theft, and denial of service attacks. It outlines who should be involved, what actions should be taken, and how the incident should be reported and documented. This ensures a swift and effective response to security incidents.

Continuous monitoring: Regularly assess security measures and compliance with regulatory standards to discover and address security gaps before intruders can exploit them. Use threat intelligence feeds for insights into emerging trends and attack vectors.

User awareness: Educate employees about cybersecurity best practices to reduce the risk of human error leading to security breaches

Integrating Wazuh into your cyber defense strategy

Wazuh is a free, open source security solution that offers unified SIEM and XDR protection across several platforms. It protects workloads across virtualized, on-premises, cloud-based, and containerized environments to provide organizations with an effective approach to cybersecurity. The customizable rulesets, threat detection, and tailored reporting capabilities offered by Wazuh make it an asset for security teams to stay ahead of emerging threats.

Here are some capabilities of Wazuh that can be useful for your cyber defense strategy.

Threat detection

Wazuh offers several capabilities that provide security teams with an overview of their threat landscape. These include malware detection, File Integrity Monitoring (FIM), log data collection, and more. These capabilities enable Wazuh to detect anomalous behaviors and threats in monitored endpoints. By enriching raw data with contextual information and integrating it with threat intelligence feeds, Wazuh enables security analysts to respond effectively to security threats and incidents. Leveraging the Log collection capability, Wazuh agents collect logs from monitored endpoints and forward them to the Wazuh analysis engine for analyses. Wazuh uses decoders to identify relevant information within the processed log and rules to match specific patterns.

Attackers may achieve persistence by adding a malicious script or program to the startup folder of a Windows endpoint. Wazuh monitors the startup folder by default on Windows endpoints to detect such persistent techniques. We demonstrate how Wazuh detects persistence techniques used by the Phobos ransomware, which establishes system persistence by employing process injection techniques and modifying the Windows Registry.

Incident response

Wazuh provides an incident response capability, allowing users to run automated actions like isolating compromised endpoints, blocking malicious IP addresses, and quarantining infected devices based on specific triggers. This improves the Mean Time to Respond (MTTR) and minimizes the impact of security breaches.

For example, we utilize the Wazuh active response capability to prevent SSH brute force attacks on monitored endpoints by blocking the attacker's IP. In an SSH brute force attack, an attacker attempts to guess the correct password or key by trying various character combinations. Wazuh detects these attempts by analyzing patterns within the SSH authentication logs. The firewall-drop active response script blocks the attacker's IP address by adding the malicious IP to the deny list in the firewall of the monitored endpoints. Wazuh allows users to configure the duration for which the active response action should last; in this example, the attacker's IP address is blocked for 180 seconds.

The first alert rule ID 5763 was generated upon detecting a brute force attack. The triggered rule prompted the active response module to execute the firewall-drop script, adding the attacker's IP to the deny list in the firewall of the monitored endpoint. A second alert rule ID 651 was generated on the dashboard to reflect this action, as shown in the image above.

Vulnerability detection and Security Configuration Assessment (SCA)

Wazuh includes a vulnerability detection capability to discover vulnerabilities in the operating system and applications installed on monitored endpoints. It integrates feeds from major Linux distributions, Microsoft, and the National Vulnerability Database (NVD), creating a global vulnerability database that is cross-correlated with agent application inventory data. Wazuh helps to identify misconfigurations and recommend remediation action using its security configuration assessment (SCA) capability.

A recent example is the backdoor discovered in the XZ Utils originating from a carefully orchestrated supply chain attack. The XZ project's upstream source code repository was compromised, resulting in a backdoor implanted in the liblzma library. This CVE-2024-3094 vulnerability carries a CVSS score of 10. Wazuh detects this vulnerability by comparing the XZ Utils package version on the monitored endpoint with versions known to be affected.

Wazuh integration with third-party platforms

Wazuh integrates with third-party solutions like VirusTotal, Shuffle, Slack, and Maltiverse to enhance threat detection and incident response. Organizations can leverage these integrations to detect suspicious activities and security incidents more accurately. A demonstration is shown in the Wazuh integration with Maltiverse blog post.

Regulatory compliance

Wazuh enables organizations to stay current with the latest security best practices, industry standards, and regulatory requirements. Wazuh ensures compliance with PCI DSS, HIPAA, NIST, TSC, CIS benchmark, and other relevant standards by performing regular checks on monitored endpoints.

A continuing process of improvement

Developing an effective cybersecurity defense strategy is a continuous process requiring recurring evaluation and improvement. By leveraging the wide range of capabilities Wazuh offers, users can strengthen their cyber defense to protect their IT environments from cyber attacks.

Wazuh is a free and open source security platform with over 20 million annual downloads and extensively supports users through a constantly growing community. The Wazuh SIEM and XDR platform is designed to provide security analysts with features required to detect, prevent, and respond to threats as they occur. For more information, check out the Wazuh documentation to learn about the various capabilities Wazuh offers.

Contributed by Wazuh.

More about


Send us news