This article explains the security controls that Cloudaware designed and implemented in its Wazuh-based IDS module.
Cloudaware offers Intrusion Detection functionality as part of its Threat Center bundle. Our platform customizes the out-of-the-box Wazuh event collection flow and agent registration process. These customizations are designed to make Wazuh suitable for cloud environments with high inventory turnover. In addition, Cloudaware Wazuh is designed to support Docker and Kubernetes environments.
Cloudaware employs a compartmentalized architecture to isolate customer environments: each customer has a dedicated instance of the Wazuh environment. All data, including encryption and signing keys, is isolated within the customer-specific environment and is not shared across Wazuh instances.
Registration Process Using PKI
The Breeze agent orchestrates registration of Wazuh agents with the Wazuh server using the appropriate cloud-specific agent identifiers. During registration, the Breeze server issues a Wazuh-signed certificate for the Wazuh agent's future use. The Breeze agent then registers the Wazuh agent with the server using the newly provisioned certificate.
This registration process establishes bi-directional trust: the Wazuh server rejects connections from agents that do not present a valid certificate, and Wazuh agents reject servers whose domain name does not match that of the certificate signer.
Out-of-the-box Wazuh agents and servers use HTTPS for all communications, which provides encryption in transit. Cloudaware deploys an additional control, LUKS disk volume encryption, to provide encryption of data at rest.
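As an added illustration of how certificate-based enrollment of the kind described above is configured in standard Wazuh, the following two configuration fragments show the manager's `auth` block requiring every enrolling agent to present a certificate that chains to a trusted CA, and the agent's `enrollment` block presenting its own certificate while verifying the manager's certificate against the same CA. This is generic Wazuh configuration, not Cloudaware's or Breeze's own code; the file paths, hostname, CA file name and agent name are assumptions.

```xml
<!-- Manager side: /var/ossec/etc/ossec.conf (standard Wazuh authd options; paths are assumptions) -->
<ossec_config>
  <auth>
    <disabled>no</disabled>
    <port>1515</port>
    <!-- Do not fall back to a weaker negotiation when the agent presents no certificate -->
    <ssl_auto_negotiate>no</ssl_auto_negotiate>
    <!-- The manager's own certificate and key, signed by the per-customer CA -->
    <ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert>
    <ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key>
    <!-- Agents must present a certificate chaining to this CA; otherwise enrollment is refused -->
    <ssl_agent_ca>/var/ossec/etc/rootCA.pem</ssl_agent_ca>
    <!-- Check that the agent certificate matches the connecting host -->
    <ssl_verify_host>yes</ssl_verify_host>
    <!-- A shared enrollment password adds nothing once client certificates are mandatory -->
    <use_password>no</use_password>
  </auth>
</ossec_config>

<!-- Agent side: /var/ossec/etc/ossec.conf -->
<ossec_config>
  <client>
    <server>
      <!-- Assumed manager hostname -->
      <address>wazuh-manager.example.internal</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
    <enrollment>
      <enabled>yes</enabled>
      <manager_address>wazuh-manager.example.internal</manager_address>
      <port>1515</port>
      <!-- Constructed cloud instance identifier used as the agent name -->
      <agent_name>i-0123456789abcdef0</agent_name>
      <!-- CA used to verify the manager's certificate during enrollment -->
      <server_ca_path>/var/ossec/etc/rootCA.pem</server_ca_path>
      <!-- Certificate and key provisioned for this agent at registration time -->
      <agent_certificate_path>/var/ossec/etc/sslagent.cert</agent_certificate_path>
      <agent_key_path>/var/ossec/etc/sslagent.key</agent_key_path>
      <!-- Refuse to negotiate down if the manager lacks a certificate -->
      <auto_method>no</auto_method>
    </enrollment>
  </client>
</ossec_config>
```

After editing, restart the manager and the agent and watch `/var/ossec/logs/ossec.log` on the manager: with `ssl_agent_ca` set and `ssl_auto_negotiate` off, authd logs a rejected enrollment for any agent whose certificate does not chain to the CA, which is the check a defender should confirm works before relying on it. The per-customer CA, the Breeze-driven provisioning of the agent certificate, and the agent-side domain name check described above are Cloudaware's additions and are not represented by these standard options.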
Access Control and SDLC Security
Cloudaware applies segregation of responsibilities and least-privilege access principles to manage access to Wazuh servers. Our Wazuh management team is split into two categories: product engineering and customer support. The product engineering team maintains the non-customer-specific Wazuh configuration and deployment images and does not have access to any customer environment. The customer support team can troubleshoot customer-specific issues and does have access to customer-specific Wazuh instances, but is not able to modify the images. Security is integrated into the Wazuh SDLC: every new release of Wazuh goes through an internal security review process.
Intrusion Detection and Audit Logging
All Wazuh servers run the Wazuh agent by default. The data from these agents is collected on an internal log collection server that is isolated on its own highly restricted network segment. Our SOC team monitors and audits security events emanating from the customer-serving Wazuh servers.
Vulnerability Scanning and Patching
All Cloudaware infrastructure, including the Wazuh server, is subject to regular vulnerability scanning. Cloudaware performs scans on a daily basis and also after each product release. In the non-production environment, vulnerability scanning is integrated into our CI/CD process and a scan is performed for every Wazuh product build. Our security team maintains an objective to remediate all critical and high platform vulnerabilities arising from the OS and supporting libraries within 7 days of discovery. Our SLA to remediate any kind of product-specific vulnerability is 24 hours.
Customer Transparency and Incident Response
Cloudaware maintains an active incident response process, and transparency with our customers is at its core. If Cloudaware encounters an internal product vulnerability, customers are notified immediately and receive Cloudaware's remediation plan along with any other advisories. In the event of a security compromise, Cloudaware will also share all known incident details via the customer's technical account management team.