Wazuh – Open-source security platform

There is a hosted offering https://wazuh.com/cloud

I run an in-house deployment using the Docker conf they supply. It requires a couple of hours per month and mainly a lot of disparate skills.

The real thing that takes time is the installation and configuration of the rules and agents. That’s something that you have to do for any SIEM really, irrespective of open source / paid: you have to understand your nominal feed and that takes time.

Sadly OSSEC is largely abandoned. Back in the day it was very good for a lightweight and effective security system for those that didn't want to install full-blown antivirus on everything. I wish they would donate the project to Linux Foundation or CNCF, but it seems destined for decline.

It would be great to be able to use VictoriaLogs underneath instead of Elasticsearch. This would simplify the configuration and maintenance, since VictoriaLogs works optimally with default configs on any hardware. This will also help reducing hardware costs for large amounts of stored security logs, since VictoriaLogs usually needs up to 30x less RAM and up to 15x less disk space than Elasticsearch for the same amounts of logs. See https://itnext.io/how-do-open-source-solutions-for-logs-work... for details.

Wazuh does much more than Nessus, for instance you can instruct the agent to temporarily drop networking if you identify a compromised machine. Agentless scans will do nothing of the like.

It's not exactly the surprise of the century that running your own services, let alone a security platform, requires maintenance.

What was it specifically that made it a "maint burden of the first order?"

Did you think it was set and forget? There is a reason companies have entire SOC teams only looking at EDR and SIEM.

What SIEM did you move to that was less of a burden?

I know of no similar package that isn't agent based, at least when it comes to endpoints. I'd be happy to hear an alternative, though.

Why was it a burden?

There is an agentless option that just requires ssh access. Not something I’d prefer from a security point of view, but it’s possible.

Agent based is not really a big burden, most monitoring systems work like this (Prometheus). Companys use Ansible etc.

I'd like to give you a virtual cookie, for being the only person in the comments so far to spell out what SIEM stands for.

I appreciate you.

> such a good SIEM

Source? The value a SIEM provides these days is mostly the out of the box integrations and log parses. Wazuh is far from that, IME.

TIL that SIEM, SCA, XDR (and more?) exist. Now to go and find out what they actually mean (and please don't point out that SIEM is already explained on their page).

Clearly parent could have phrased it more explicitly that he knows nothing about this field. But I also see downvoting him as a form of gatekeeping.

They're implying that you have a single agent which does the EDR (antivirus) and SIEM (logging) functionality instead of two separate agents. This is becoming more commonplace throughout the security industry as multiple agents can be burdensome from both a security and maintenance perspective.

As far as I know it's just a node exporter, similar to prometheues node-exporter

Nothing?

Any specific areas of interest?

Some mailing lists at [1], like oss-security & kernel-hardening. CISA (Cybersecurity and Infrastructure Security Agency) [2] has a few different areas they report on. Mozilla has the dev-security-policy mailing list for all things PKI (public key infrastructure) [3], and a few other lists as well. There's the Full Disclosure [4] mailing list for vulnerabilities/exploits, etc. Quite a few others at [5], though sadly many are no longer active.

[1] https://openwall.com/lists/

[2] https://www.cisa.gov/about/contact-us/subscribe-updates-cisa

[3] https://groups.google.com/a/mozilla.org/g/dev-security-polic...

[4] https://seclists.org/fulldisclosure/

[5] https://seclists.org/

I have slowly been aggregating various blogs in the cybersec realm at https://securityblogs.xyz/

I add new blogs as I run into them on twitter/reddit/HN/etc

I'm not in cyber but "Risky Business" ( https://risky.biz/ ) is a good podcast to keep up to date.

They always have a lot of outgoing links in their show-notes that should get you started with the rest.

Podcast https://isc.sans.edu/podcast.html

This blog is nice https://blog.badsectorlabs.com/

You have different areas of security. Sadly our space is full of grifters and wanna be security "experts". For a very technical security podcast I recommend Critical Thinking Bug Bounty [1].

[1] https://www.criticalthinkingpodcast.io/

Well your other choice is you pay for a non open source SIEM that's $10 per endpoint per month and cross your fingers that they don't do a rugpull and start charging you $20 after it's insinuated itself into your environment is hard to replace..

With an Open Source project you at least have the possibility that if it has enough users and companies using it then someone will fork the code if the company ever makes it closed source and keep the project going.

My first thought isn't the "rug pull" but rather that the real product being produced by the "FOSS company", from the get go, are the expensive support contracts.

Two different business models:

- Sell a great+differentiated product, support is ~free and rarely needed

- Give a away a terrible product (usually an over-engineered CRUD), constant $upport is required to use it effectively