Proofpoint | ObserveIT On-Premises Insider Threat Management

Detecting Exfiltration to a USB Device

ObserveIT can detect files copied or downloaded to connected USB devices. ObserveIT detects file exfiltration to USB storage devices, smartphones, SD cards, tablets and some encrypted USB devices.

This feature is supported on Windows and Mac systems.

USB Device White Lists

The detection mechanism enables you to distinguish between:

  • White listed status:  Authorized devices, such as corporate devices

  • Unlisted status: Unauthorized devices, such as personal devices

You can create a list of white listed USB devices to use when setting up alerts and reports.

Use the ObserveIT lists (see Implementing Lists in ObserveIT). Select White listed USB devices from the lists (see and Managing Lists). For more information, see Maintaining a White List in the List page.

USB Device Identifiers

ObserveIT uses the device serial number to identify the USB device. In addition, model name, device ID, vendor name, and label name can be used to identify USB devices.

USB Device Features

Using a USB device's status and its identifiers, you can:

  • Set up alerts for files copied or downloaded to USB devices: Set up alerts when files are exfiltrated to white listed or unlisted USB devices. See Exfiltrated File - Did What.

  • Set up alerts for USB devices: Set up alerts when any USB device is connected, or specify alerts when white listed USB devices or unlisted USB devices are connected. You can also specify an alert trigger by a USB device serial number, model name, vendor name, USB Device ID or label name. See USB Device Available.

  • View the history of USB devices: Monitor connected USB devices. The view includes the USB device status, details, and events. See USB History.

  • Create reports with USB device details: Include columns for USB Serial Number, Device Model, Device Vendor, Device Label, Device Currently white listed. See File Activity Report Configuration.

  • Ignore devices: Ignore a USB device, usually for a specified time period. This option is useful when backing up to a USB device. With this option, ObserveIT does not monitor and list all the backup events.
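As an added illustration (not ObserveIT code or its export format), the following Python sketch applies the same white listed / unlisted / ignored distinction to file-activity rows outside the product. The CSV layout, the Time and File columns, the sample serial numbers and the ignore window are constructed assumptions.

```python
import csv
import io
from datetime import datetime

# Constructed sample rows using the report column names listed above.
# The CSV layout and the Time/File columns are assumptions for this example.
SAMPLE_REPORT = """Time,File,USB Serial Number,Device Model,Device Vendor,Device Label
2024-03-04T09:15:00,plan.xlsx,AA11BB22,DataTraveler,Kingston,CORP-01
2024-03-04T09:20:00,hr.docx, aa11bb22 ,DataTraveler,Kingston,CORP-01
2024-03-04T10:02:00,src.zip,ZZ99YY88,Cruzer,SanDisk,PERSONAL
2024-03-04T23:30:00,backup.tar,BK00BK00,Backup Plus,Seagate,BACKUP
2024-03-04T11:45:00,notes.txt,,Generic,Unknown,
"""

WHITE_LIST = {"AA11BB22"}  # constructed serials of authorized devices
# Constructed ignore window: serial -> (start, end), e.g. a nightly backup.
IGNORED = {"BK00BK00": (datetime(2024, 3, 4, 22, 0), datetime(2024, 3, 5, 2, 0))}


def normalize(serial):
    """Compare serials case-insensitively and without surrounding padding."""
    return (serial or "").strip().upper()


def classify(row, white_list=WHITE_LIST, ignored=IGNORED):
    """Return 'white listed', 'unlisted' or 'ignored' for one report row."""
    serial = normalize(row["USB Serial Number"])
    when = datetime.fromisoformat(row["Time"])
    window = ignored.get(serial)
    if window and window[0] <= when <= window[1]:
        return "ignored"
    # A blank serial can never match the list, so it is never authorized.
    if serial and serial in {normalize(s) for s in white_list}:
        return "white listed"
    return "unlisted"


def triage(report_text):
    """Return (file, serial) for every row copied to an unlisted device."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        if classify(row) == "unlisted":
            findings.append((row["File"], normalize(row["USB Serial Number"])))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORT):
        print(finding)
```

The ignore window is time-bound in this sketch, so the same backup device outside its window falls back to unlisted, and a row with no serial number is always surfaced for review.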

Viewing Results in the Web Console Diaries

You can view USB device activity from the Summary and Timeline views in the Endpoint Diary and User Diary. USB details (device serial number, model name, vendor name, and label name) and details of the activities performed on the USB device are displayed.

 

version 7.12.4