Endpoint Security: NOTES

Wazuh

Wazuh is a free, open-source, feature-rich EDR solution that security engineers can deploy in environments of any scale, from a single lab host to thousands of endpoints.

Wazuh operates on a manager/agent model: a dedicated manager (server) collects events from, and pushes configuration and rules to, lightweight agents installed on the devices you want to monitor. Agents enrol with the manager over TCP port 1515 and then ship their events to it over port 1514 by default, so those two ports are the first thing to check when an agent shows as disconnected.

As mentioned, Wazuh is an EDR, so let's briefly run through what an EDR is. Endpoint detection and response (EDR) tools monitor devices for activity that could indicate a threat or security breach. Typical features include:

  • Auditing a device for common vulnerabilities and insecure configuration
  • Proactively monitoring a device for suspicious activity such as unauthorized logins, brute-force attempts, or privilege escalation
  • Visualizing large volumes of event data in dashboards and graphs so trends and outliers stand out
  • Recording a device's normal operating behaviour as a baseline to help detect anomalies


Real-world scenario: As a security engineer, I had to work with vendors to troubleshoot why an agent wasn't responding on an endpoint. The tools used were ProcExp, ProcMon, and ProcDump.

  • ProcExp = to inspect the agent process, its properties, and its associated threads and handles.
  • ProcMon = to investigate whether there were any indicators of why the agent was not operating as it should.
  • ProcDump = to create a dump of the agent process to send to the vendor for further analysis.


r0tZ
