Zero Trust security changes the way organizations handle security by eliminating implicit trust: every access request is continuously analyzed and validated. Unlike perimeter-based security, users in an environment are not automatically trusted once they are inside the network. Zero Trust security encourages continuous monitoring of each device and user, so protection persists after a successful user authentication.
Why companies use Zero Trust security
Companies use Zero Trust security to protect against increasingly sophisticated cyber threats. It addresses the limitations of traditional perimeter-based security models: no security controls on east-west (internal) traffic, implicit trust of insiders, and a lack of visibility.
Traditional Security vs. Zero Trust
Zero Trust security increases the level of security of an organization by offering:
- Improved security posture: Organizations can improve their security by continuously collecting data about network traffic, access requests, and user/system activities in their environment.
- Protection against insider threats: Zero Trust security ensures that every user within the network perimeter is authenticated before access is granted, adopting the “never trust, always verify” principle.
- Adaptation to remote work: Zero Trust Security enhances the security of remote work organizations by prioritizing identity verification, security and continuous monitoring of each device/user.
- Compliance: It helps organizations meet compliance requirements by ensuring strict controls, continuous monitoring and data protection in accordance with regulatory standards.
- Breach containment: By implementing automated response mechanisms, organizations can quickly revoke access for compromised accounts and devices, containing the damage and reducing the overall impact of a breach.
How to apply Zero Trust security
Here are the factors to consider when implementing Zero Trust security for your organization:
- Constant monitoring: This ensures that all network and system activities are monitored and analyzed. You can adopt a Security Information and Event Management (SIEM) platform. A SIEM is a security solution that provides real-time visibility, enabling organizations to identify and remediate security threats and vulnerabilities.
- Incident response: It enables organizations to respond quickly to security incidents. Organizations use extended detection and response (XDR) platforms to respond quickly to security breaches, minimizing damage and reducing downtime.
- Preventing initial access: By continuously monitoring exploits, unusual user behavior, and brute-force login attempts, organizations can detect threats in real-time before attackers establish an entry point.
- Least privilege: Users are given only the access they need to do their job. This can be achieved through Identity and Access Management (IAM) solutions, which use role-based access control (RBAC) to assign specific permissions to users. You can use a SIEM platform and XDR to monitor IAM configurations for unauthorized changes.
- Device access control: All devices accessing the network must go through a preliminary authentication and verification process. This process includes verifying the device’s identity, security status, and organizational compliance. Even after initial access is granted, the device can continue to be monitored for any signs of a breach, ensuring constant security.
- Microsegmentation: This zero-trust security principle encourages organizations to break their network infrastructure into smaller, isolated pieces. Each part works independently with its own security elements, reducing the attack surface by minimizing the risk of lateral movements.
- Multi-factor authentication: This adds an extra layer of security by requiring users to submit multiple forms of verification before accessing systems, programs or data. This reduces the risk of unauthorized access even if one factor, such as a password, is compromised.
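The factors above come together at a policy decision point that evaluates every request, regardless of where it originates. The following Python is an added example (not code from the original article or from any product it mentions) of such a decision point: it combines identity, MFA, device posture and an RBAC map, ignores the source network entirely, and re-evaluates an existing session when the device posture changes. The roles, resources and the `Device` posture attributes are hypothetical.

```python
"""Minimal Zero Trust policy decision point (added example, hypothetical roles and resources)."""
from dataclasses import dataclass

# Hypothetical RBAC map: role -> set of (resource, action) pairs it may perform.
ROLE_PERMISSIONS = {
    "developer": {("git", "read"), ("git", "write"), ("ci", "read")},
    "sre": {("git", "read"), ("prod-db", "read"), ("ci", "read"), ("ci", "write")},
    "auditor": {("prod-db", "read")},
}

# Resources that additionally require MFA and a compliant device.
SENSITIVE_RESOURCES = {"prod-db", "ci"}


@dataclass
class Device:
    device_id: str
    managed: bool             # enrolled with the organization
    disk_encrypted: bool
    edr_agent_running: bool   # e.g. an endpoint agent such as Wazuh still reporting in

    def compliant(self) -> bool:
        return self.managed and self.disk_encrypted and self.edr_agent_running


@dataclass
class AccessRequest:
    user: str
    roles: set
    mfa_verified: bool
    device: Device
    resource: str
    action: str
    source_network: str = "internet"   # deliberately never consulted: location grants nothing


def evaluate(req: AccessRequest) -> tuple:
    """Return (allowed, reason). Every check runs on every request; there is no
    'already inside' shortcut."""
    # Identity: the caller must present at least one known role.
    if not req.roles:
        return False, "no identity/role presented"
    # Least privilege: the (resource, action) pair must be granted by one of the roles.
    allowed_pairs = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in req.roles))
    if (req.resource, req.action) not in allowed_pairs:
        return False, f"roles {sorted(req.roles)} may not {req.action} {req.resource}"
    # Device access control: posture is verified regardless of network location.
    if req.resource in SENSITIVE_RESOURCES and not req.device.compliant():
        return False, f"device {req.device.device_id} is not compliant"
    # MFA for sensitive resources, even from a 'trusted' corporate network.
    if req.resource in SENSITIVE_RESOURCES and not req.mfa_verified:
        return False, "MFA required"
    return True, "allowed"


class Session:
    """Continuous verification: a granted session is re-evaluated whenever the
    device posture (or anything else in the request) changes, and revoked if
    the decision flips."""

    def __init__(self, req: AccessRequest):
        self.req = req
        self.active, self.reason = evaluate(req)

    def reevaluate(self) -> bool:
        self.active, self.reason = evaluate(self.req)
        return self.active


if __name__ == "__main__":
    laptop = Device("lap-01", managed=True, disk_encrypted=True, edr_agent_running=True)
    req = AccessRequest("alice", {"sre"}, True, laptop, "prod-db", "read", "corp-lan")
    session = Session(req)
    print("initial:", session.active, session.reason)
    laptop.edr_agent_running = False          # posture degrades mid-session
    print("after posture change:", session.reevaluate(), session.reason)
```

The point of `Session.reevaluate` is that the decision is not made once at login: a device whose agent stops reporting loses access to sensitive resources immediately, which is the "continuous monitoring" the list above describes.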
The following section shows examples of how Wazuh can be used for Zero Trust security.
How to use Wazuh for Zero Trust security
Wazuh is a free, open source security platform that offers unified XDR and SIEM capabilities for a variety of cloud and on-premises workloads. You can use the Wazuh documentation to customize this solution for your organization.
Wazuh’s capabilities help organizations protect their IT environment from a variety of security threats, making it a suitable solution when implementing Zero Trust security. With real-time monitoring, automated incident response, and extensive visibility into user behavior and system configurations, Wazuh enables you to detect and respond to potential breaches before they escalate. Below are some use cases of Wazuh for Zero Trust security.
Detecting abuse of legitimate tools
Wazuh capabilities such as system call monitoring, security configuration assessment (SCA), and log data analysis can be used to detect abuse of legitimate tools.
The system call monitoring capability analyzes file access, command execution, and system calls on Linux endpoints. This helps threat hunters identify when trusted tools are being used for malicious purposes, such as privilege escalation or unauthorized script execution.
The Wazuh SCA capability evaluates system configurations to detect misconfigurations that can be exploited by attackers. By finding weaknesses such as unnecessary services, weak password policies, or unsafe network configurations, SCA helps reduce the attack surface and limits the opportunities for legitimate tools to be misused.
Netcat is a tool widely used by threat actors to install backdoors, perform port scans, transfer files, and create reverse shells for remote access. Wazuh can monitor and alert on suspicious command usage, as described in the Wazuh documentation on monitoring the execution of malicious commands. That guide walks through a scenario in which the system call monitoring capability records Netcat activity and generates alerts.
Wazuh checks the Netcat command for suspicious activity
As shown above, whenever the nc command is executed, Wazuh generates an alert that gives threat hunters visibility into the executed command and its arguments.
Initial access detection
Wazuh uses its log data collection capability to aggregate logs from various sources in the IT environment. It collects, analyzes and stores logs from endpoints, network devices and applications and performs real-time analyses.
The blog post on the exploitation of the XZ Utils vulnerability (CVE-2024-3094) shows how Wazuh uses its log data collection capabilities. CVE-2024-3094 is a critical vulnerability in versions 5.6.0 and 5.6.1 of XZ Utils, a widely used data compression tool. It is the result of a supply chain attack that introduced a backdoor into the liblzma library shipped with XZ Utils. On distributions where OpenSSH's sshd links against libsystemd, and through it against liblzma, the backdoor is loaded into sshd and hooks its RSA public-key processing, allowing an attacker who holds a specific private key to execute arbitrary commands before authentication. This amounts to unauthenticated remote code execution (RCE) and a full compromise of the system.
Wazuh identifies and forwards logs of potentially malicious sshd child processes and matches them with configurable decoders and rules. This approach helps in the early detection of attempts to exploit this vulnerability.
Wazuh checks the sshd service for CVE-2024-3094
As shown above, after analyzing the sshd service, Wazuh detects and flags abnormal activity patterns.
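Both detections discussed in this section and the previous one (Netcat execution, and sshd spawning processes it should not) can be expressed over the same raw auditd execve records. The following Python is an added example, not Wazuh's rules or the code from the blog posts referenced above: it merges the SYSCALL and EXECVE lines of each audit event and applies two checks. The first flags programs on a suspicious-program list, which is what Wazuh's audit-based command monitoring does with a list lookup on the decoded command. The second is a heuristic of my own for pre-authentication command execution of the kind the XZ backdoor enables: a non-sshd process whose parent is an sshd process, running as root with no login session (auid unset), whereas a legitimate post-authentication login shell carries the user's auid. The log lines are constructed for the example, not captured from a real host, and assume an audit rule that records every execve under the key "audit-command".

```python
"""Detection logic over auditd execve records (added example; constructed sample log)."""
import re
from collections import defaultdict

# Constructed sample, not real captured data: one sshd re-exec for a connection,
# a root shell spawned by that sshd before any login session exists, a normal
# user login shell, then nc and ls run from the user's shell.
SAMPLE_AUDIT_LOG = """
type=SYSCALL msg=audit(1712000000.100:4567): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=2200 auid=4294967295 uid=0 comm="sshd" exe="/usr/sbin/sshd" key="audit-command"
type=EXECVE msg=audit(1712000000.100:4567): argc=3 a0="/usr/sbin/sshd" a1="-D" a2="-R"
type=SYSCALL msg=audit(1712000000.250:4568): arch=c000003e syscall=59 success=yes exit=0 ppid=2200 pid=2201 auid=4294967295 uid=0 comm="sh" exe="/usr/bin/dash" key="audit-command"
type=EXECVE msg=audit(1712000000.250:4568): argc=3 a0="sh" a1="-c" a2="id"
type=SYSCALL msg=audit(1712000005.000:4569): arch=c000003e syscall=59 success=yes exit=0 ppid=2200 pid=2250 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key="audit-command"
type=EXECVE msg=audit(1712000005.000:4569): argc=1 a0="-bash"
type=SYSCALL msg=audit(1712000009.400:4570): arch=c000003e syscall=59 success=yes exit=0 ppid=2250 pid=2260 auid=1000 uid=1000 comm="nc" exe="/usr/bin/nc.openbsd" key="audit-command"
type=EXECVE msg=audit(1712000009.400:4570): argc=5 a0="nc" a1="-lvp" a2="4444" a3="-e" a4="/bin/sh"
type=SYSCALL msg=audit(1712000010.000:4571): arch=c000003e syscall=59 success=yes exit=0 ppid=2250 pid=2261 auid=1000 uid=1000 comm="ls" exe="/usr/bin/ls" key="audit-command"
type=EXECVE msg=audit(1712000010.000:4571): argc=2 a0="ls" a1="-la"
"""

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')      # key=value or key="value"
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')     # timestamp and event serial
AUID_UNSET = "4294967295"                                 # how auditd prints an unset login uid
SUSPICIOUS_PROGRAMS = {"nc", "ncat", "netcat", "nc.openbsd", "nc.traditional", "socat"}


def parse_records(text):
    """Merge the SYSCALL and EXECVE lines that share an event serial into one
    dict per event, returned in serial (chronological) order."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        ev = events[int(m.group(2))]
        ev.setdefault("time", float(m.group(1)))
        if fields.get("type") == "SYSCALL":
            ev.update({k: fields.get(k) for k in ("pid", "ppid", "auid", "uid", "comm", "exe", "key")})
        elif fields.get("type") == "EXECVE":
            ev["argv"] = [fields.get(f"a{i}", "") for i in range(int(fields.get("argc", "0")))]
    return [events[s] for s in sorted(events)]


def detect_suspicious_programs(events):
    """Check 1: comm or exe basename is on the list (the equivalent of a CDB
    list lookup on the decoded audit command)."""
    alerts = []
    for ev in events:
        exe_base = (ev.get("exe") or "").rsplit("/", 1)[-1]
        if ev.get("comm") in SUSPICIOUS_PROGRAMS or exe_base in SUSPICIOUS_PROGRAMS:
            alerts.append({"rule": "suspicious_program", "pid": ev.get("pid"),
                           "auid": ev.get("auid"), "command": " ".join(ev.get("argv", []))})
    return alerts


def detect_sshd_preauth_children(events):
    """Check 2: a non-sshd execve whose parent is an sshd process, with auid
    unset and uid 0, i.e. a command run by sshd itself before any login."""
    sshd_pids = set()
    alerts = []
    for ev in events:                                   # serial order == chronological
        if (ev.get("exe") or "").endswith("/sshd"):
            sshd_pids.add(ev.get("pid"))                # remember every sshd process we saw exec
            continue
        if ev.get("ppid") in sshd_pids and ev.get("auid") == AUID_UNSET and ev.get("uid") == "0":
            alerts.append({"rule": "sshd_preauth_child", "pid": ev.get("pid"),
                           "ppid": ev.get("ppid"), "command": " ".join(ev.get("argv", []))})
    return alerts


if __name__ == "__main__":
    evs = parse_records(SAMPLE_AUDIT_LOG)
    for alert in detect_suspicious_programs(evs) + detect_sshd_preauth_children(evs):
        print(alert)
```

On the sample, the user's `bash` login shell is also a child of sshd but is not flagged, because its auid is set; only the root `sh -c id` with no login session trips the second check. Real audit streams interleave events from many processes, so the parser keys on the event serial rather than on line adjacency.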
Incident response
The Wazuh platform improves incident response for security teams by providing real-time visibility into security events, automating response actions and reducing alert fatigue.
Using its Active Response capability, Wazuh lets teams manage incidents with automated scripts that are triggered by any configured event. This automation is particularly useful in resource-constrained environments, allowing security teams to focus on vital tasks while the system handles routine responses.
The blog post on detecting and responding to malicious files using CDB lists and Active Response highlights how security professionals can automate actions in response to specific events using this capability.
The Wazuh Active Response feature automatically deletes files whose hashes are in the CDB list.
That blog post shows how you can detect malicious files using Wazuh's File Integrity Monitoring (FIM) capability together with a constant database (CDB) list of known malicious MD5 hashes. When a newly added or modified file matches a hash in the list, the Wazuh Active Response feature automatically deletes it.
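As an added example of what such a response script looks like (this is not the script from the blog post above, nor Wazuh's own code), the following Python follows the convention Wazuh uses for active response scripts: the manager's execd process runs the script and passes the triggering alert on stdin as a single JSON line with a "command" of "add" or "delete" and the alert under "parameters"."alert". It reads the CDB list source file, re-hashes the file before deleting it so that a file replaced between alert and response is not removed by mistake, and logs the outcome. The CDB list path, the log path, the assumption that FIM fields sit under a top-level "syscheck" key in the alert, and the sample files and alert built by `run_demo()` are all assumptions made for the example. The handshake (check_keys) that stateful, timeout-based active responses perform is omitted because this action is one-shot.

```python
#!/usr/bin/env python3
"""Remove a file whose MD5 is in a CDB list (added example of a Wazuh active response script)."""
import hashlib
import json
import os
import sys
import tempfile

CDB_LIST_PATH = "/var/ossec/etc/lists/malware-hashes"   # assumed list location
LOG_PATH = "/var/ossec/logs/active-responses.log"        # assumed log destination


def load_cdb_list(path):
    """A CDB list source file holds one 'key:value' line per entry; the key is the MD5."""
    hashes = set()
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key = line.split(":", 1)[0].strip().lower()
            if len(key) == 32:                  # skip malformed keys rather than matching nothing
                hashes.add(key)
    return hashes


def md5_of_file(path):
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def handle_alert(alert, known_hashes):
    """Act on one FIM alert; return (outcome, path). Deletes only when the file on
    disk still has the hash the alert reported."""
    syscheck = alert.get("syscheck", {})       # assumed: FIM fields under 'syscheck'
    path = syscheck.get("path")
    reported = (syscheck.get("md5_after") or "").lower()
    if not path or not reported:
        return "ignored: not a FIM alert", path
    if reported not in known_hashes:
        return "ignored: hash not in CDB list", path
    if not os.path.isfile(path):
        return "ignored: file already gone", path
    # Re-hash before deleting: the file may have been replaced since the alert fired.
    if md5_of_file(path) != reported:
        return "ignored: content changed since alert", path
    os.remove(path)
    return "deleted", path


def main():
    """Entry point when execd runs the script: one JSON line on stdin."""
    msg = json.loads(sys.stdin.readline())
    if msg.get("command") != "add":            # 'delete' undoes stateful actions; nothing to undo here
        return 0
    outcome, path = handle_alert(msg.get("parameters", {}).get("alert", {}),
                                 load_cdb_list(CDB_LIST_PATH))
    with open(LOG_PATH, "a", encoding="utf-8") as log:
        log.write(json.dumps({"script": "remove-listed-file", "outcome": outcome, "path": path}) + "\n")
    return 0


def run_demo():
    """Offline demonstration: constructed files, CDB list and alerts in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = os.path.join(tmp, "dropper.bin")
        with open(bad, "wb") as fh:
            fh.write(b"constructed sample payload, not real malware\n")
        good = os.path.join(tmp, "notes.txt")
        with open(good, "wb") as fh:
            fh.write(b"harmless\n")
        cdb = os.path.join(tmp, "malware-hashes")
        with open(cdb, "w", encoding="utf-8") as fh:
            fh.write("# constructed list\n%s:dropper\n" % md5_of_file(bad))
        hashes = load_cdb_list(cdb)

        def alert_for(p):                      # mimics the FIM 'added' alert execd would pass in
            return {"rule": {"id": "100001"},
                    "syscheck": {"path": p, "event": "added", "md5_after": md5_of_file(p)}}

        return {"bad": handle_alert(alert_for(bad), hashes)[0],
                "good": handle_alert(alert_for(good), hashes)[0],
                "bad_still_exists": os.path.exists(bad),
                "good_still_exists": os.path.exists(good)}


if __name__ == "__main__":
    if sys.stdin.isatty():                     # run by hand: show the demo
        print(run_demo())
    else:                                      # run by Wazuh execd: read the alert from stdin
        sys.exit(main())
```

The re-hash step matters in practice: FIM reports the hash at scan time, and the active response may run seconds later, so deleting on the alert alone can remove a file that has since been legitimately overwritten.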
Conclusion
With sensitive data and applications now distributed across multiple servers and environments, the attack surface has expanded, making organizations more vulnerable to data breaches, ransomware and new threats. Organizations using a Zero Trust approach to security can build a stronger cyber defense against evolving threats.
Wazuh’s unified XDR and SIEM platform can implement aspects of this approach using, among other things, its log data collection, vulnerability detection, and automated incident response capabilities. You can learn more about how the Wazuh platform can help your organization by visiting their website.