Detecting data theft with Wazuh, the open-source XDR

 Data theft is the act of stealing data stored in business databases, endpoints, and servers. The stolen data can include credentials, credit card numbers, personal identifiable information, medical records, software code, and proprietary technologies. Data theft occurs both inside and outside an organization.

Malicious actors can steal data from organizations or individuals to sell it to other malicious actors. Data theft is a major risk for many organizations because it can result in identity theft, reputation damage, and financial loss.

Common causes of data theft

Threat actors steal data from organizations using various techniques. The common causes of data theft are as follows:

  • Software vulnerabilities and misconfigurations: Poorly written software or outdated software can have vulnerabilities that malicious actors can exploit to steal data. Misconfiguration occurs when security settings are not properly defined during the configuration process.

    Misconfigurations can include default passwords, usernames, and insecure protocols, ports, and services. Malicious actors can steal sensitive information from an organization’s servers that are not adequately configured.
  • Malware downloads: An organization’s employee can accidentally download malware to their device by visiting a compromised website. This malware can allow a malicious actor to steal data from the infected device.
  • Insider threat: Employees can pose a serious threat to an organization since they have authorized access to the organization's sensitive data. A disgruntled employee can steal or sell such data for financial gain. Insider threats can come from current or former employees, contractors, and partners who have access to sensitive data of an organization.

Consequences of data theft to organizations

Organizations that are data theft victims can suffer the following consequences:

  • Loss of customers: Customers of an organization can suffer financial loss or sensitive data exposure due to data theft. This usually discourages the customers or users from continuing business with the affected organization.
  • Lawsuits from customers: Customers whose data has been mishandled by an organization can take legal action against such organizations.
  • High recovery costs: Organizations spend a lot of money patching systems and recovering data after suffering from data theft.
  • Regulatory fines: Depending on the industry, an organization can face hefty fines from regulatory bodies for non-compliant with their security mandates.
  • Disruption to business operations: An organization can experience disruption to their business operations following a data theft on their mission-critical systems.

How Wazuh detects data theft

Wazuh is a free and open source enterprise-ready security solution that provides unified SIEM and XDR protection across several workloads.

It provides a centralized view for threat detection and security monitoring across virtualized, on-premises, cloud-based, and containerized environments.

Wazuh offers several capabilities organizations can implement to prevent, detect and respond to security threats. The sections below highlight several Wazuh capabilities that offer protection against data theft.

File integrity monitoring

The File Integrity Monitoring (FIM) module monitors an endpoint’s files and directories. It triggers an alert when there is a file creation, modification, or deletion.

The Wazuh FIM module stores the cryptographic checksum and other attributes of files and Windows registry keys to detect when there is a change in those values. Monitoring of files, directories, and Windows registries is done periodically or in near real-time.

Malicious actors use malware to steal data from endpoints. This malware creates or downloads malicious files on the infected endpoints. The Wazuh FIM module detects when these files are created or downloaded on the infected endpoints.

For example, in this blog post, the Wazuh FIM module detects files created and downloaded by STRRAT malware. Figure 3 below shows the detection of STRRAT malware with the Wazuh FIM module.

Wazuh FIM module detects STRRAT malware
Fig. 1. Wazuh FIM module detects STRRAT malware.

Vulnerability detection

Vulnerability detection is the process of identifying security weaknesses in the operating system and applications installed on monitored endpoints. Wazuh uses the Vulnerability Detector module to detect vulnerabilities on monitored endpoints.

Wazuh builds a global vulnerability database from publicly available Common Vulnerabilities and Exposures (CVE) repositories. Wazuh then uses this database to cross-correlate the application inventory data collected from monitored endpoints to detect vulnerable software.

The Wazuh Vulnerability Detector module can discover unpatched vulnerabilities on endpoints that malicious actors can exploit to steal data.

Wazuh dashboard showing the vulnerability report of a monitored endpoint.
Fig. 2. Wazuh dashboard showing the vulnerability report of a monitored endpoint.

Security Configuration Assessment (SCA)

Security configuration assessment is the process of scanning monitored endpoints to discover misconfigurations that can expose such endpoints to cyber attacks.

SCA continuously improves system configuration posture by adopting standards such as the Center of Internet Security (CIS), NIST, PCI-DSS, HIPAA, and many more.

Wazuh SCA module performs regular scans on monitored endpoints to discover sensitive data exposures or misconfigurations. These scans assess the configuration of the endpoint or applications on the endpoint using policy files that contain rules to be tested against the actual configuration of the endpoint.

Wazuh SCA can discover unnecessary services, default credentials, insecure protocols, and ports on monitored endpoints that malicious actors can exploit to steal data.

SCA scan result shows that netcat is running on a macOS endpoint.
Fig. 3. SCA scan result shows that netcat is running on a macOS endpoint.

Log data analysis

Log data analysis is the process of reviewing logs generated from devices to detect cyber threats and identify security bugs and risks.

Wazuh collects security logs generated from several endpoints and uses decoders and rules to analyze them.

Disgruntled employees or malicious actors can use USB drives to steal sensitive data from an organization’s endpoint. Wazuh collects and analyzes the event logs generated when a USB drive is inserted into an endpoint.

In this blog post, Wazuh detects unauthorized and authorized USB drives using a constant database (CDB) list of authorized USB drives.

Unauthorized USB drive event​​​​​​​
Fig. 4. Unauthorized USB drive event


Organizations face the risk of data theft if they fail to implement effective security controls. The impact of data theft can be highly devastating to organizations. Hence, organizations can leverage various capabilities of Wazuh to detect data theft effectively.

Wazuh is a free and open source XDR solution with several modules for cyber threat detection and response.

Wazuh integrates seamlessly with third-party solutions and technologies. Wazuh also has an ever-growing community where users are supported. To learn more about Wazuh, please check out our documentation and blog posts.