Welcome, welcome everybody who's watching this now or later. Welcome Noah, how you doing? Good Friday morning so far. Yeah, so far. Cool, we are, we're gonna be chatting about a lot of different things, kind of security related tool, like security tools, open source stuff or self-hostable things. Kind of how that influences how we do things at a smaller company like ours who still has to run and manage a lot of servers. That's kind of what we do. And yeah, we've got Noah here who's not been on one of these particular Friday kind of streams, but Noah, do you wanna introduce yourself real quick and just- Sure, also the intro blew me away. So if you did that, great job, that was really cool. Thanks, that's Final Cut and a lot of public domain assets, and then the final thing is Brian Mathers made that, the, like, after the little countdown part that I did not make. So that was really cool. But I'm Noah, I'm the security administrator at Reclaim Hosting. I have a general IT background, I have an associate's in IT and then more official technology, and then I'm also working on a bachelor's in cybersecurity and I have a couple of certifications for security and networking and stuff like that, but that's not that important. So that's me. Cool, yeah, I will say, I think when Noah and I talk about stuff we frequently like to get into, both Noah and I kind of have a similar first job in IT kind of upbringing in that way of, like, frontline help desk, answering phones, running around campus, that kind of stuff. So that's where I started with IT stuff, and Noah, you were similar. So it's interesting, I think, coming from that to Reclaim because there is actually quite a bit that I personally pull from that experience into my job today, even though it's like, I'm working from home, I'm never answering phones, but we do all kinds of other support, of course, and there's a, I don't know. It was a good way to learn a lot of stuff, I will say, for me, so.
I agree with that 100%. It's difficult at times and definitely frustrating, but a very good way to learn. Yeah, for sure. Cool, so I mean, what do we wanna talk about? I'm gonna kind of let, what do we wanna start with? Yeah, so I guess we can start with Wazuh. Wazuh is an open source SIEM, which is a security incident and event management. Hope I got that acronym right and didn't fool myself. So usually these kind of tools are like, you're paying a ton of money and, I mean, it's a fully robust enterprise package that does a lot, but for a small company that's dealing with, like, self-hosted stuff or just a lot of servers like we are, where we have kind of a smaller staff, you can't, you just can't pay that. It's a ton, a ton, a ton of money. So the cool thing is Wazuh is an open source, like, Taylor, an open source SIEM, and it's also an XDR, which is an incident response kind of deal. I forget what that acronym was for, so you'll have to forgive me. The, I'll actually pull it up real quick. So I was about to pull it up myself here because XDR, they throw around the term XDR a lot and I was looking at this and I have not, I myself have not heard of that term, so. Yeah, it's one of those security acronyms that everybody likes to throw around that you forget in like 30 seconds. I really just can't remember what I thought in my head. Looks like extended detection and response, and they're taking a 90s X there, so. Yeah, it's a lot longer than you think it would be. But yeah, it does both of those things. So its main tools, at least what I use it for mostly, is vulnerability scanning, log analysis, policy monitoring, regulatory compliance. I'll go over all that here soon once we actually switch over to it. But it's a really, really cool software that you can host, it's free. It has a one-time setup kind of deal. It's just an installer you can run if you want an all-in-one installation, which is what we have running right now as a demo.
Our actual setup is a clustered multi-server with fallback kind of deal where it's shipping things off and doing a bunch of stuff with data. It's a bit more complex than what we're gonna show, but you can certainly do both. They have guides for both in their documentation. It's really thorough and it's just a great program. So I'm happy to do it all. I immediately have a bunch of questions because I, so Noah is on our infrastructure team and I like to think of myself as, I play infrastructure on Reclaim TV. Like sometimes I will, I know my way around Linux, but I don't, it's not my job to know how to keep a server secure. That's when I defer to the experts here. And so I know a little bit about some of these things, but I am kind of curious because of the general space around tools like this. So like, what are the big name alternatives to Wazuh? I'm assuming many of them are paid. Like, can you name a couple of them? I actually don't know too many by name, but I know brands. So of course you have, like, your big Cisco ones. You have some of your big, like, startup SaaS ones. There's just a lot of, like, I mean, anybody you see that works in the networking field is gonna have a SIEM that they offer for a lot of money. And again, they do come with more features a lot of the time. Wazuh is kind of build your own, it's a bare bones kind of deal. You have to set up a lot, but you're also getting a piece of enterprise software for free. Yeah, and it is kind of interesting, I think, with Wazuh because there is a level of enterprise grade software where, like you were just saying, the actual name of the software is kind of hidden. And it just becomes like, no, no, no, no. What we want our customers to know is that they come to us for security and we'll tell them what they want, basically.
Like they want, that's how they sell that software, because Cisco's business for this type of thing especially is predicated on, like, we're gonna have a sales team or contact person working with a person in an IT team and talking about what they need and we'll sell them something. Which there's nothing wrong with that, but that's just kind of how that works. And it is interesting because Wazuh is this open source thing and it's sort of like, it's a little bit more of, like, a product in the sense that they want you to know the name of this thing, or at least this suite of tools, you know. And so that's kind of a flip from a lot of other open source things, where in some ways it's easier to find, like, documentation and information and, like, nice screenshots of this open source thing than a lot of the expensive options in the field. Also for someone, and the cool thing is I can say for someone who barely understands this stuff, and I can just mean me and potentially people who are watching who are less familiar too, is there a good analogy you can make for a SIEM? You know, you mentioned endpoint protection or, what is it? Sorry, what does SIEM stand for again? Security incident and event management. Okay, so my understanding of Wazuh is it does a lot of different things, right? That term, security incident and event management, is many things. It's not just monitoring. It's sort of like active vulnerability scanning. That's a thing it does. Is there any good analogy to, sort of like, desktop software? I know it's not exactly anti-virus. It's a little bit more than that. There probably won't be a perfect analogy, but... I'm not sure on the desktop. The closest thing I can think of is if you took, like, an anti-virus software, a network scanner, a vulnerability analysis tool, whatever that may be, you can pick your poison with those.
And I guess if you took a bunch of spreadsheets for compliance and regulatory compliance, you can blend those all into one big desktop app. Sure, maybe firewall too a little bit. Yeah, kind of a firewall, not too much because it's not, it's more like a, I mean, I guess kind of, but it's not a real firewall, I would say. Sure, cool. All right, so you want to kind of dig into the tool and show it off a little bit, or where do you want to go? Yeah, sure, I got it pulled up and I'm ready. Sweet, all right. So, yeah, I'll kind of give you the reins, but this is a demo Wazuh that you set up, right? For today? Yes, yes, I did. And again, Wazuh is really cool. They've set it up very simply where all I did to set this up was I just started up an Ubuntu container in Reclaim Cloud and then I curled the startup script and ran it and it did everything for me. And then I just inputted the sample data, which you can do in the GUI. It's really, really simple. Again, if you want to do, like, a cluster setup like we have running for our organization, it's a bit more complicated and you're going to be biting off a little bit more, but it's really, I mean, I did it in like a day and a half. It's not crazy. So, I would say. Especially if you'd not done that before, right? Like we do, you know, clustered hosting for a couple different things now and we sell clustered hosting for WordPress, but that's stuff we've learned to do over years. So, why, okay, for, I'm guessing I could probably deduce, but why do we run ours in a cluster? What are the advantages of that? So, mainly it's numbers. When you're dealing with certain amounts of data, you need to have a certain amount of fallback and a certain amount of processing.
And instead of bogging down one server that's running your front end, your back end and your indexers and everything, because Wazuh's made of a couple of different components that I'll talk about in a minute, you're kind of just splitting that out over multiple different servers and then having them work in tandem, whereas compared to this one setup single thing where you have all the clusters running on a single server and it's just really killing the resources. If you're gonna go with the one-time setup, if any of you plan to use this, any of our viewers wanna use this in your own production, make sure the server is pretty beefy because it's gonna really impact your resources, or go with the clustered setup. It's also one point of failure too, I suppose, right? Like this is a security system, or it's positioning itself as an essential part of your security system, and a cluster could be nice for peace of mind in that way too. So you at least have something working if one particular part of it is down. Yeah, I can also maintenance it without worrying about taking the whole thing down because I can just do one server at a time in the cluster and not worry too much about actual downtime, which is just really nice when you're working with a live security system that needs to be up pretty much all the time. Yeah, cool. Yeah, and I suppose too, like we, again, we have a, we're a small company but we have a lot of servers by the nature of what we do. And so if you were a, maybe a small company that only had a few servers, then maybe not clusters, probably not necessary at that point. So, okay, cool. Cool, yeah. So, this is the Wazuh dashboard. I have it pulled up right here. And again, Wazuh is made up of a couple of different components. There's the dashboard, the indexer and the server. The server is, like, the kind of backend of Wazuh. That's where all the stuff happens that is way above my head because I'm not a developer. The front end is just what you're seeing right now.
It's the actual dashboard, and the indexer is what is actually taking data, scanning it, seeing what needs to be passed along and what needs to be thrown away. Cause Wazuh in its default configuration is only pulling data that it verifies as an incident or an event, or a possible event, I should say. All your regular logging data that's just like somebody did something and it's no big deal, it's benign, that's being thrown away. I mean, it's not deleting anything. It's just not indexing it. You can configure Wazuh to index everything if you want to use it as, like, a full log analysis kind of deal. That's a bit much when you're dealing with a large amount of servers like we are, especially when it comes to data cost, even in cold storage, that's a lot. So that's one of the things to think about when you're setting up a tool like this. But going through the steps, not the steps, but the parts of Wazuh, there are four major components of Wazuh. That's security information management, auditing and policy monitoring, threat detection response and regulatory compliance. I'll just kind of talk about each one briefly and show off some cool stuff you can do. But before I do that, the backend of Wazuh is actually built on OpenSearch, formerly ELK, or Elasticsearch, Logstash, Kibana. So it used to be running on an ELK stack, now it's running on an OpenSearch stack, which is like ELK, but different. I actually don't know the real difference between them. I think ELK is a little bit more proprietary than OpenSearch, but it's just like a database backend where you can discover, dashboard, visualize right here. You can just take data and visualize it and stuff like that. Yeah, a lot of tools use Elasticsearch somewhere in there, for instance, Mastodon uses Elasticsearch for indexing posts.
And if I had to guess, and I mean guess because I have not looked at this, a lot of times those types of moves between two very similar tools in an open source thing are license related, where someone will change the license and they're like, this doesn't really fit with our business model. Because Wazuh is open source, but they also sell hosted versions and support for it, I imagine. There's probably a company that does that. So it's probably something like that. It's probably something like MySQL and MariaDB. The differences between those two pieces of software are mostly licensing and who's in control of it. Yeah, I'm assuming you're correct. That's probably it. I guess, like I said, I don't know, but I bet it's something like that. And my point is only to say a lot of tools use some type of dynamic search indexer that's sort of separate from the main tool because it turns out a lot of things need search, basically. Especially when you're dealing with a large amount of data. Yeah. And funny enough, when I started out building our SIEM, I was doing an ELK stack. I was actually building it from scratch. And it just wasn't working how I wanted it to. And then I found Wazuh and it's just been great ever since. So with that, I can actually start going through some of the stuff, starting with security information management. This is just like your basic security events like alerts, issues and threats. And then your integrity monitoring, which is like, this is checking file changes, permissions, ownership, attributes, all that stuff. And anytime one of those things changes, it's sending an alert. So starting with security events. And again, this is sample data. So none of this is like, oh my God, real. But you can kind of get an idea of what it's tracking. So it uses the MITRE framework. I'll talk about that a little bit later. But you can see, like, your alert levels over a certain time period, your different agents.
It works on a variety of different operating systems, including Windows. You can run it on an AWS server. It's got a whole different thing, great AWS, your evolution of your different types of alerts. And then you can actually see your alerts at the very bottom. So like when there's an SSH auth failed, it'll tell you. When there's a PAM user login failed, it'll tell you. It's really, really cool. It tracks all of that. It also tracks, let me see if I can find one in the sample data. Yeah, like Docker containers, your GitHub organization, scanning. It's, I mean, it's a whole bunch of stuff in here. I'll pull up the rules a little later on, and we can actually look at a couple of those. But basically this rule ID here correlates to what is happening inside the actual event. So for example, when an SSH insecure connection scan is right here, when that comes in, it's just pulling from this 5706 rule, which is just SSHD insecure connection attempt scan. And there's a whole bunch, again, of these rules from all different sources or different operating systems that come baked into Wazuh already, but you can also make custom rules. But I'll, again, I'll go over that a little later on. So how, yeah, so you've got sample data in here. How does data in a real setup normally get in here? Obviously you want it connected to real servers when you're using it for real, but how does that actually work? Agents, right here. And since we don't have any agents deployed, because it doesn't do sample agents, it's just gonna show me this. But usually you would see your agents here, which is just your different servers. Well, this is kind of perfect for demo purposes because you can see it's easy, like it literally has installers for different, looks like they've got DEB and RPM packages for Linux and even support Windows and macOS, which is interesting. Not many people are using macOS servers, but there are some. Look, this is also built for desktop endpoint protection. Oh, okay.
For like a Windows desktop or a Mac environment, like we would run this, if you had a Mac environment set up where everybody uses a Mac, you can run this endpoint, this HIDS endpoint, it's host intrusion detection system, on your Mac and it would pull logs for that, because with a SIEM, you're not just protecting servers, you're protecting everything. You want to leave the full logs from all sorts of different devices. So it supports that. Cool, that's awesome. But it's actually really easy to set up an agent. You would pretty much just plug in these boxes and go. But once you do that, it's deploying a HIDS, again, a host intrusion detection system, to the server or the client or whatever you're deploying it to. And it will run that as a daemon in the background. Constantly then, obviously. Yeah, and it will gather logs, it'll do vulnerability scanning, it'll do CIS controls, it does a lot, but that's... And actually I'll probably go through a host intrusion detection system. There's a couple of different types of IDS. One is host, like I just said, the other is network-based. Really, there's a couple of differences between them. The main difference is that a host intrusion detection system can detect and, well, not stop, but detect attacks from your local network. So attacks actually coming from the local network. A network intrusion detection system cannot do that, at least not as well as a HIDS can. And you'll probably see that term a lot if you're looking at security software, IDS, HIDS, NIDS, or IPS, which are way more expensive, but the difference between those is that the IPS is an intrusion prevention system, it'll actually stop the attack, whereas a HIDS or an IDS or NIDS, depending, is just alerting you that something is happening and then it's up to you to go in and stop it.
Yeah, and it's an important strategic, it's an important difference in strategy, because I imagine an IPS has significantly more impact, where it's actively in the moment stopping something has a significant impact on the performance of the stuff that you're doing, probably, right? Absolutely, as well as the network itself and the user base, because if you get a false positive, it's not you doing it, it's an automated system, and then you have to go figure out where that happened and undo it and stuff like that. So it can be, an IPS can be a lot more complicated, but it can also make your system a lot more secure. It really just comes down to what your infrastructure looks like and what you need. And yeah, and in sort of what your task is, you may be willing to make that compromise on certain systems if you are a bank. And whereas we would have to be, I know some of the things that we're doing with Wazuh are almost close, we can do things like, oh, there's been a certain amount of things happening, and make decisions and do things on the server based on that. But we have to be really careful about that with web servers because we don't want to make our website slow, obviously. So it's a balance, of course. Yeah, you're only able to really do so much from a perspective of security because there's always that balance of usability versus security that you're constantly dealing with. Because I mean, you can, the most secure server in the world is a server that no one can connect to. Yeah. Does it really help, you know? Yeah, yep, yep. And that's the example, right? That's always the example. People, when they talk about the trade-off between security and convenience or usability, they always go, yeah, the most secure computer is one that's off and can't be turned on, or that is not connected to a network or something like that. And obviously, that extreme is useful to point out when introducing the idea to folks that it's a trade-off, right?
But it's really hard to actually look at and decide when to make those trade-offs, when you're talking about real things that people use and real servers that have vulnerabilities, right? Because it's not like the work of securing a system, at least from my viewpoint, which is I'm kind of outside looking at this stuff, is not saying, well, we will patch, we will make sure that there are no vulnerabilities and no possible compromises. That's basically impossible to do, even with known things. And that's disregarding the fact that there are also unknown things, vulnerabilities and compromises. So it's a trade-off and saying, these are the most important things that we need to implement now to make sure that we're safe. And these are things that we have to live with and we'll continue evaluating on a regular basis. Yeah, that's always the battle, really. A lot of people look at security and the first thing they think is, oh, this guy's gonna make my server completely 100% secure. And I mean, practically that doesn't exist. It just, you can't. So it's the concept of reasonable security, right? Like, yeah, we need to make this secure and good. And that doesn't mean that it could never be compromised in any way. It just doesn't, unfortunately. The best security is constant, or not, I guess I shouldn't say constant, but at least regular checks where you're at least, you're checking and you're checking data and you're analyzing and you're constantly updating. That's way better security than just unplugging something. Well, especially because humans are involved in that, right? If you eliminate a server, this was a thing that came up a lot when I worked in IT at a college, which was sort of like, if we want to have a service that we currently provide as an institution, but we're uncomfortable with that security-wise, we most of the time have to come up with an alternative so people can do the thing that they were trying to do before.
Otherwise, they'll just go do it on their own and it will be even worse. And we've accomplished nothing other than removing ourselves from the equation. And that's usually not good, right? We're paid to be the folks in the room who can try and make this a good, secure thing to do. So it's also a compromise in that sense too, right? Like you don't want to drive away or completely eliminate the use case. You need to have alternatives and say, all right, we can't do it this way anymore. Let's try doing it this way. Maybe there are downsides, but the upsides are huge in that we can all sleep easier and hopefully not have a compromise. Yeah, I think that's one of the major things I fall back on with my help desk experience. And that's why I think anybody in IT, anybody and everybody should go through at least a year of help desk as you really learn how can I make this work in a way that doesn't break everything because no isn't really an option. So that's one of the things I took away a lot from my help desk experience is this, I mean, it's got to be done. You just got to figure out how to do it. And that really helps. It often takes creativity, right? It's often not a brute force. It's taking a step backwards, even sometimes from the technology and saying like, what are we doing? What is the end user trying to do? And maybe there's a completely different path that we need to walk down that is not related to this particular tool or system to help them accomplish that. And honestly, that comes up not in security too. Like that I feel we do a lot here at Reclaim, honestly, is kind of help people think through some of those things. But yeah, it's important. Sorry, that was a huge side tangent, but one I love to talk about. So yeah. So actually speaking of some of that, I can go through risk management, which is kind of exactly what we were just talking about. Threat detection and response is all about managing risk because this is where your vulnerabilities are. 
So if I pull up vulnerabilities, it may not have any sample data here because there's no agents, unless I look at the events. Let me see. Okay, yeah. This is a little bit. So usually in this case, you would have an inventory of agents and it would show things in a lot prettier dashboard. Since we do not have any sample agents, we're just gonna look at the events. Look at the events. Yeah. This actually comes down to CVEs and vulnerabilities, categorization, and stuff like that. It's a lot of information, but it's all really good information. And what this really is, is it's scanning your server for known holes that have been updated by NIST or bounty hunters or whoever applied, and the CVE was recognized by the third party. Once it is recognized, it's sent to a database. The database is updated regularly on Wazuh and then when it scans, it checks. CVEs are a standard, right? I've only recently been learning about this, but there's only certain people that can externally validate, or I don't know what the right term is, but there's a process. It's not just like I can post a blog post on my website and say, CVE, and give it a number. Well, I guess I can do that, but no one will pay attention to it, so. Yeah, they will, and they'll get immediately phished. I can't wait for this to go around, but the, yeah. So organizations like Ubuntu and stuff like that, or Canonical I guess, can, they can put out, like, a CVE alert, but it'll be interim until it's approved by a validated third party, usually that's NIST, which is the National Institute of Standards and Technology. I don't actually know if there's a European agency that does it or if they just all rely on NIST. I'm sure they probably don't. There's gotta be some alternative, right? There's no way that the world is like, well, maybe they have an alternative system too. Maybe in other parts of the world, the CVE moniker is less used, but it does seem pretty universal from what I see.
So you mentioned there are probably other alternative agencies too, maybe, but cool. Yeah, CVEs, they're exactly like you said, Taylor. They're a standard of basically someone has found that there is an exploit that is possible in something, and then it is assigned a CVE code so that it is unique, and then it is assigned a severity, which is like medium, high, super high, well, critical. And you can kind of decide based on that severity what you need to do first, which is a big part of risk management. So if there's a low risk vulnerability and a critical risk vulnerability, you probably want to do the critical one first if there's a patch for it. If there's not, you wanna kind of mitigate it or do something other or avoid it, or somehow you want to get around it. There's a couple different ways. But yeah, you can see all the CVEs here and these are all real CVEs. It's just, it's sample data, but the CVEs are real. In the actual dashboard, if it was around, I could open these up, and actually it might be in here. Yeah, I wanted to mention Meredith did some live Googling and it looks like there's an organization in the European Union called ENISA that is an equivalent to NIST. I didn't know that. It's just interesting. And I'm sure other regions have their own too. Thank you, Meredith. Yeah, so there's vulnerability references right here. That's, this is kind of a big deal when it comes to actually looking at vulnerabilities. So this is what I was talking about. You can see, like, Openwall, openSUSE, Apache, NIST, a Canonical right here, NIST right here. These are all links to the actual CVE listing. Usually I'll go to the NIST one first, but you would want to click on these and usually they would have steps to mitigate. And if there aren't any and it's still being reviewed or still trying to be patched, it would at least have a general, give you a general idea on how to avoid it or mitigate it. Yeah, like turn this service off or something like that.
Yeah, just like disable it or go around it or something. Yeah, so that's vulnerability management. This is a really strong part of Wazuh because it's doing it constantly and it's something I use all the time. It's really, really impressive for open source software. Another kind of threat detection response category is MITRE ATT&CK. Mitra, Mitra, Mitre, people say it, but I think it's actually Mitre. I have no idea, so I'm just gonna keep saying Mitra. MITRE ATT&CK, that's something. It's something like that. But basically this is a framework of different events and tactics, or I guess not events, but exploits and tactics and techniques from the real world that have been observed that have then been put in Mitra or Mitre. You can use this to kind of research what could possibly happen, what is going on, and use it to increase your network defense or build a stronger network, build a stronger infrastructure. I don't use MITRE as much as I probably should, mostly because I feel like it's built for wizards. But if you look at it, it's pretty complicated. There's quite a lot of information within this whole intelligence deal. I mean, it goes all the way down to what groups are doing what certain things, like admin@338 is a China-based cyber threat group that does this, this and this with this, this and this. This is their basic patterns of how they do it. If you see this, it's probably that. This is what you do. It's a whole bunch of information and it's really useful for a large security team, but for someone like me, or the infrastructure team, it's really, it's kind of outside of our use case. I'm hoping to include it more in the future, but it is there and it is a really good resource.
Yeah, it looks like it's interesting in that I'm just kind of looking at it and it looks like it's trying to be less directly tying things to CVEs and technical information and more recognizing patterns and sort of trying to help you make sense of larger patterns, or even make connections between things into a pattern, which is admirable, probably extremely complicated, but yeah, so that's cool. I think Microsoft is actually coming out with a new Copilot thing that's specifically built for security that uses a lot of MITRE ATT&CK. That actually seems like an interesting and good use case for large language models, right? Because you could have it chew on data like this and try and make connections and then you as a human can be like, that makes sense or that does not make sense. Exactly, what is a language model good for? Patterns is exactly what it is. Yeah. Yeah, so that's kind of the threat detection response part of Wazuh. I skipped over integrity monitoring. That's, there's really not too much to look at there. It's really just, again, like I said, a list of file changes and permission changes. It's pretty much exactly like security events, just for files specifically. For auditing and policy monitoring, this one's really cool. You can actually set up a security policy baseline and have your system follow it, and it'll monitor the policies and if things get out of whack, according to your baseline, that's a professional term, by the way, it'll check that and see if things are going wrong and then you can look and fix stuff and fix your configuration, and again, out of whack, professional term. One question I have that kind of the policy monitoring makes me think of is going, taking a step back to agents for a second. So the agent is the software you're putting on each server or device. What does it look like configuring that?
Is it smart enough to be like, oh, this is Ubuntu and we generally know what logs should be where, or do you spend a lot of time setting that up on each of our servers, or how does that kind of look? Yeah, so great question. There's actually, if I can remember where it is in here, I think it's under configuration. Yeah, so this may not be as robust as ours is because it's still in sample mode, but within the configuration, it's just like a YAML file where you can set general config for agents. I'll have to find it. Well, it's- So we probably have configs for types of servers then and say this is for our cPanel stuff on this OS. Exactly, however, there is when, so the different OSs are already included in the base Wazuh config. So just deploying an agent, it's already checking syslog and all the other important log locations by default. It's already pulling all that information without any touching from the user end except for installing the agent. That's awesome. It's only if you want like custom directories, custom stuff, like we have a couple of custom log directories we're pulling from custom scripts that we like to track through our agent. So I have those added in the config. It's just, you can kind of, it's really freeform to do what you want with it, but there is that base setup you can always rely on. Does, is it possible to use Wazuh for like custom but general purpose logs? Like let's say I wanted to use Wazuh, let's say I worked at a web hosting company and I wanted to find out information about like, that isn't necessarily security related. Like what if we wanted to give customers a number of like, this many Domain of One's Own accounts were created in the year 2024, and say I had a log that could actually even give me that, which maybe I'm kind of spitballing here. Is that possible or is this only, are these dashboards and things mostly like, no, no, no, you're looking at logs that we know about basically, or can you do like custom log stuff? 
You can do custom logs. If you have a script that is writing a custom log to a file or to a directory, you can just put that custom directory into your log management for your agent and it'll pull it. And then once you have it being pulled into Wazuh, you'd have to have it do something with that of course, but yeah, that's really interesting too, because there's like the idea of like a data warehouse, which is similar to this, but is often in the realm of really expensive, you know, enterprise software too, was something that I was looking at in a previous job for different things. And we ultimately came to the conclusion that this was too big of a project and too expensive to do, but like it would be interesting to use something and there are probably other open source data warehouses, but the idea of Wazuh, which is honestly a really excellent interface already, like that's the thing I'm looking at this is like, this seems like given what it's doing, which is extremely complex, this is a very usable tool, you know. So sorry, just these are things I think about. It actually led to a great reminder for me. So you can generate reports within Wazuh, it's great for reporting actually. I just generated a report based on integrity monitoring and you can download this PDF, I'm not gonna do it right now, but you can. And it'll be custom formatted with, you can set it up with your logo and stuff to automatically generate these reports with human readable data, so it'll take that JSON input or output and it'll turn it into human readable, so it'll kind of prettify it and put that into kind of a table and then it'll just put that in the report for you and send it to you as a PDF. You can have these regularly sent to your email for any type of reporting you want. I don't have it set up for our purposes on that, that's one of the things I'm working on still, but it is certainly possible and it is really impressive. 
If you want a constant report on all your SSH access on all your servers, you can have that sent to you as a report weekly, monthly, daily, even, if you want, do it every five minutes. It depends on what you want to do. If you don't value sanity, get an email every five minutes. Yeah, it's a really, really robust reporting system and it can drive you crazy if you're not careful. Speaking of reporting, there inside the policy monitoring I was talking about, there's also system auditing and Security Configuration Assessment, which both of these would probably want to have, you'd want to have reporting on them, especially auditing because this audits user behaviors, command execution, access to critical files, so like a critical directory on a Linux server, I don't know, root, that's pretty critical. If somebody accesses root and is not supposed to, it would immediately send you an alert inside that system on it and you would have to set it up to go to your email or Slack or a different integration, which is possible. I have our alerts going into Slack. There's a bunch of different integrations you can do with Wazuh, it's a REST API, you can do whatever you want with it. Sure. The, as well as... Yeah, you could do Mastodon posts. Yeah, actually good. So someone, let's do a Mastodon post every time a vulnerability is found. That would be great. I don't know if I could, I don't even think that. I'm giving Noah panic attacks live on stream, so that's cool. Live on stream. You can see what security does to me live. But there's also Security Configuration Assessment, and this is your CIS assessments. So CIS controls are kind of, they're a pretty important part of general security and you can run an assessment against the CIS control. Again, we don't really have one. I wonder if there's any in the events. So there are some here, but there's not the pretty dashboard, which is unfortunate, but it's not a huge deal. 
They basically will give you a score against the CIS baseline and tell you what's wrong and you can go in and make those changes. It's really easy to view, really easy information, and it's very impressive. So that's kind of the auditing and policy monitoring component. And the final component of Wazuh is regulatory compliance. This is where I have lived for the past probably year, because this tracks your compliance with a framework, a regulatory framework like NIST or GDPR, HIPAA, TSC, PCI DSS, depending on what you do, you could do multiple, if you do, God help you. One of them is enough, I think, at least for me. Well, you can imagine, right? Like if you are PCI, it's payment-related, right? Yes, payment-related. Let's say you are a health insurance company. You may need to be PCI, HIPAA, maybe you operate in the European Union, you need to be GDPR and possibly NIST too. I don't know. But yeah. You may need all five, and if you do, I feel awful for you, you know. But looking at NIST, this is what I've been using constantly to track our compliance with certain controls throughout our TX-RAMP process, because we are actually becoming compliant with TX-RAMP, which uses NIST controls. So this has been like bread and butter for me. It is really, really, really helpful. You can sort it by control. This is access control. There's system and services acquisition, configuration management, and these are direct NIST controls. If you know NIST, these are the actual control groupings. And then within those are the controls themselves, like CM-3 and AU-5 and all these controls. You can view the details. You can view what events fall under the controls. It gives you a description of it. It's really, really handy. It's not tracking all NIST controls because some NIST controls are logical. Some are business controls, some are operational controls, but the technical controls that it can track, it does. It is really, really helpful. 
It even gives you the other controls that go with this control. So this is AC-7, but AU-14 also goes with this. So this applies to both. It's just really, really handy. I can't talk enough about it. It's got these handy graphs, which still scare me. It's just really, it's really impressive. I can't say enough about it. It's interesting too. So what I'm kind of realizing is a lot of what this tool can do is what I've seen IT departments pay a security consulting firm to do for them for like a month. And they'll say like, all right, they're gonna do like penetration testing and all kinds of vulnerability scanning and all these things. And then they're gonna generate a report and have someone work with you and talk you through what they recommend and things like that. And obviously that's, this isn't like a complete replacement for a suite of humans. You pay a lot of money, right? Obviously, but it can do a lot of that stuff and it's doing it all the time. It's free. Yeah, and it's free. The software is, the server itself isn't, but yeah. Yeah, which is, as you're talking about linking back like frequent monitoring, frequent reevaluation, that's the key to this stuff in a lot of ways. So having something like this, maybe in addition to a consultant you might bring in if you need one, or maybe you need to ask less of that consultant, right? Maybe you're like, we're not so worried about these things but we're worried about other things. This could be honestly, not only a big money save but also obviously a huge security upgrade. So I'm for sure. Paying the server cost as well for the high probably intensity resources this would use is nothing compared to what you would pay for a consultant or a full security team. I mean, nothing. You would preferably want a couple of people that would be in this. So I mean, you would still be paying for security employees on top of this. 
This is not a replacement for humans by any means, but like you said, it is certainly very helpful. It can cut down on a lot. And this actually is gonna bring me into another software I wanna talk about, which is Shuffle. I'll get to that in a second. This is the basic building block of a SOC, which is a security operations center. You have these in larger corporations that are usually, there's teams assigned to them that all their entire job is just to do like SIEM management and checking on your SOAR and looking at your logs and all this other stuff. Like they're just, their day to day would revolve specifically around this tool. So that was one of the first things I did when I got to Reclaim was get a SIEM set up for us, which has been very helpful. Another component of a SOC which kind of, I would say completes it, there is more to it that you can do, but on a basic level to have a basic SOC you would want a SIEM and a SOAR, and a SOAR is a security orchestration and automated response, I'm pretty sure. And that's exactly what Shuffle is, which I just pulled up. Unfortunately, we couldn't get a demo running for Shuffle, but I will go over the website a little bit and talk about its use cases and show off some of the stuff it can do as far as the website will let me. So what you would do with a SOAR, and again, usually SOAR is an enterprise software that comes with a lot of built-in endpoints for specific security tools. A lot of times it'll even be custom tailored by the provider for the tools you already use. So developers will go in and custom develop a lot of integrations and then that would be passed over to you and you're gonna pay a lot of money for that. With something like this, it's free. Again, you can self host it, so you're just paying for the server costs, but you do have to build those integrations. 
There's always kind of a trade off there, but if you are comfortable with doing that you could save quite a bit of money and still have a very robust security operations center. And also be probably less, some of the more proprietary things are gonna have limitations in terms of what you can get data from and where you can send it to, right? But it's like, if this is part of your, say your firewall or something, like you've got like a, I don't know, I'm sure like FortiGate has one of these, right? Like that they'll sell you. It will probably work really great with their stuff, but when you want to have information come into it from some other tool that may not even be possible or you'll have to build it yourself, and now you're building a custom integration with something that you're paying thousands of dollars for versus building a custom integration for something that's free and open source and you have that control over probably in the long term. Yeah, for sure. And a lot of these big companies, like you said, they sell you these softwares and packages and they're always under really cool names like super threat hunter extreme where it's like, you know, it's, I don't know what in the world they're thinking about, but... That's either an arcade game or a SOC. Yeah, exactly. But they're giving you these massive packages that you're paying a ton of money for that include a bunch of proprietary tools from the single company that would all work together and that would make up your security ecosystem, at least most of it. So you can offload your risk to there and do that, or you can rely on more of an open source kind of deal like this. So what this does is it's just basically a web UI that correlates other REST APIs together and does things with them. You can see right here, there's five different types of use cases. There's collecting, enriching, detecting, responding and verifying. Some of the collection ones are right here. 
There's email management, threat intelligence, IDS/IPS alerts, which I talked about earlier, firewall alerts, SIEM to tickets. You can actually take your SIEM stuff and automatically generate a ticket in your ticket system all through a REST API. Sorry, on a basic level, this tool and tools like it are taking information from elsewhere and putting it someplace you can see it or do something about it, right? Like that's kind of what it's supposed to do. We were talking about when you were kind of talking about the stream, I said, oh, it sounds kind of like Zapier, but for security stuff. And you can self-host it, of course. And so if you haven't, or some folks may be familiar with If This Then That. IFTTT, that's another thing like that. But this is probably more powerful and certainly more security focused. So I'm trying to see if I can find a quick template. Here we go. Let's see if I can actually view the template, just maybe. Not sure, but basically this is a node-based system. Oh, here we go. This is a little example of it. You would have your different apps that you've created. So basically you're just plugging the REST API endpoint into Shuffle and it's saying, okay, this is our general endpoint. We're pulling information from. And then when you put these nodes in, it'll let you customize it a little bit more. But so it's just a node-based connection of REST APIs that do different things based on different conditions, just like Taylor said. So when a message, when an email comes in from Gmail from Ben, and it does email analysis, it'll go into whatever this tool is, I'm not sure what that is, and Slack. Here's another web. So this is using Outlook, ELK, Wazuh, it actually has a direct integration with Wazuh, which is really cool, Slack, Gmail, whatever these two are. And there's built-in apps already, like Wazuh and Outlook and Slack. Those are already built in, you just plug your details in. 
You can also, if you have a REST API that's not built into this app, into Shuffle already, you can add it with the app creator. But yeah, it's just kind of plugging stuff together to do different things. So a really cool use case for this would be, if I had a security event come in that was like a level 15, which is the highest level there is, that means a hack has been detected, or an exploit that is critical has been detected. And it is, for sure, not a false positive. Like level 15s come in when there is something wrong. Something has happened, and it is not okay. So if I'm using a SOAR, I can say, okay, when that comes in, I want it to send that alert to Slack, to my email. I want to automatically run antivirus scans on the server, and I want to automatically use the firewall to quarantine the server and block everything, except for maybe certain IPs that have been pre-logged. So I could get in and continue working on the server instead of shutting everything off. Or even, I don't know, shut the server down, which you probably don't want to do, but in general, that's a use case. You can do different things based on certain events. That's what a SOAR is really for. And again, it's just, it's really cool that there's these open source softwares like this. The only one I've ever seen like Shuffle is, I can't remember if it was made by the government or not, I think it is by the government, but it's WALKOFF, which I've never used. But that's another sort of open source SOAR that's created for this kind of purpose. I like Shuffle a lot better, just 'cause it's got a really nice looking web UI and it's really easy to use for someone who doesn't really like working with APIs a ton like me. I mean, I love APIs, I think they're really cool, but they can be kind of a pain sometimes. So it's cool to just have it in a GUI where someone who doesn't like to do that can do that really quickly. Yeah, so that's Shuffle and that's Wazuh. 
And I think they're both really, really cool tools. Yeah, that's really cool. Shuffle is completely new to me. I hadn't really heard of that at all before. And I'm starting to get the picture, right? 'Cause at first I'm sort of like, okay, so it's like better notification management. It's like, no, no, no, no, you can act on things automatically too. And that is really interesting and super powerful. Yeah, I'm really interested in that like, well, as a company, I guess we've already talked about, we're using Wazuh, you've set it up and we've had it around for a while now. And Shuffle is something we're just getting into, right? Or do we have a setup of Shuffle already or? Shuffle, I did a demo of Shuffle and we were right in the middle of getting Wazuh set up. So we didn't actually start using it, but it's still on the list after we had Shuffle. Yeah, it's something we want to implement basically. Yeah, so I could see, yeah, that could be super interesting because what a lot of folks probably don't think about, especially in the case of servers that are always on, that's the whole point of them, is that us getting notified, we're pretty fast to act on notifications, but honestly that's not good enough a lot sometimes. And there are definitely, yeah, there are definitely cases where if we could have some basic things that happen, again, at certain security levels, would make our lives easier in terms of fixing it after the fact and say, hey, because of this tool shutting off network access in these ways or something like that, this was only able to affect this one particular user account and we'll need to, that's not a great example I just put together, but instead of us having to maybe, which can happen, having to take down a server for a longer period of time while we clean up an infection or something that is further. And that's specifically because most malware things are not spread manually, right? 
Like they basically, once something is exploited, it will, as soon as the server does anything, you know, be it, even if you turn it off, like you mentioned, that there are definitely, we've definitely seen malware that will on the boot of the machine basically try to do other things and reestablish itself. So fighting the speed of machines with other machines can be really beneficial in huge time-saving ways. So that's super interesting to see. Yeah, and it's even like kind of outside of the security system or ecosystem, you can do a lot. So like when an email comes in from Gmail to a certain account, if it contains this information, create a ticket in Zendesk. Like there's a bunch of different stuff you can do with it, even outside of like quarantine response and stuff like that. It's really, really cool. And I would say give it a try, even if you don't want to use it for security. If you just want to use it for a general automated response or orchestration system, it's perfectly available to do that. It's really strong. It's really cool. Awesome. Well, you know, we're close to the end of time here, but before we kind of completely wrap things up, is there, I mean, is there kind of closing thoughts you have on like sort of things you'd like to see, maybe us as a company look at next or advice for other folks who are trying to, you know, either establish tools like this, find open source ones or, yeah, I don't know. Anything there? My advice would be, is, that's gonna sound kind of funny, but take the advice of these tools with a grain of salt. It really depends on your ecosystem and what you need. So, Wazuh is not a be-all end-all. There, if you think an enterprise SIEM will be better for your company and you're willing to take that cost, you should. You know, this is not to say this is any better than any other software, depending just because it's open source. 
So, my best advice would be just really look at your infrastructure, look at your ecosystem and make the best decisions for it in specific and not based on like some, whether something's open source or whether something's like this in specific. Yeah, that would just be the best thing I could say. Yeah, I mean, a lot of the tools we've landed on are a result of us doing that exact process, right? It's not that we aren't willing to spend money on the tool and in fact, we are, right? Because we host, we have to pay for server costs for that stuff, but you know, for a company like ours where we don't own data centers. Like we don't have technicians on the ground who are like plugging cables into servers. You know, and therefore we don't actually have a lot of like packages of enterprise gear that may come bundled with software that would be advantage, you know, advantageous. We kind of need our stuff to be as flexible as possible. And we are kind of starting from zero in terms of security vendor relationships anyway. You know, so I think this is a natural thing for us to want to take advantage of and also like we're pretty comfortable hosting things. So like that complication, not really that big of a deal for us. So yeah, that's a very good point, is that these are extremely individualized, you know, solutions that you have to come up with through your business or IT unit or whatever it is, so. Yep, absolutely. Cool, well, thanks so much for hopping on the Friday stream. I am, it was really interesting for me kind of hearing about this stuff. I hope it was interesting for other folks too. And you know, we'll definitely have to have you on again. And you're now the first infrastructure team member on one of these informal Friday streams. So I get to, so now we've got all of the teams at Reclaim have been represented on one of these now. So between EdTech, sales support and infrastructure. So that's kind of fun for me. 
Anyway, this is great and thanks and we'll chat with you another time. So cool, sounds good. See you everybody.