Proofpoint | ObserveIT On-Premises Insider Threat Management

Detecting the Insertion of a USB Device

ObserveIT enables you to monitor the insertion of a disk-on-key or other portable USB device, including a mobile phone, into a computer, an activity that could lead to the copying and exfiltration of sensitive data out of an organization.

A USB-based external storage device is detected when:

  • a user connects any USB device (including mobile phones). ObserveIT immediately captures the device description (i.e. model and manufacturer) and the mapped drive letter.

  • a user restarts a computer with an already connected USB device. The USB device does not need to be reinserted to be detected.

  • no user is logged in and a device is already connected.

As long as a USB device is inserted, alerts are triggered. If a user logs off and the USB device remains connected, alerts are generated and appear in the alerts lists when the user logs back on.

The detection mechanism enables security and risk administrators to:

  • Receive an immediate alert (and email notification) upon any insertion of a USB device, allowing analysts to respond quickly.

  • Search for all USB insertion operations of a specific user.

  • Play a video that captured the end-user activity before and after the insertion of the USB external storage, in order to better understand the end-user’s real intentions.

  • Generate detailed reports on all USB insertion operations for audit and compliance requirements.

Upon insertion of the USB device, a single virtual screenshot is created with a window title prefixed by USBCONNECT, followed by the device model and manufacturer (for mobile devices) or the drive letter (for non-mobile devices), and a friendly user-defined name if one is configured for the device.

For example, if a disk-on-key or iPhone was inserted into a computer's USB port, the following window titles would be created:

USBCONNECT – E:\ (JOHN DOE)

USBCONNECT – A0001, OnePlus (JOHN PHONE)
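The Python parser below splits a USBCONNECT window title into its fields so that storage and mobile insertions can be separated in a report. It is an added example, not ObserveIT code: the title layout is inferred from the two sample titles above, and the names parse_usbconnect, UsbConnect and SAMPLE_TITLES are hypothetical.

```python
import re
from typing import NamedTuple, Optional

class UsbConnect(NamedTuple):
    kind: str                      # "storage", "mobile" or "unknown"
    drive: Optional[str]           # e.g. "E:\\" for non-mobile devices
    model: Optional[str]           # mobile devices only
    manufacturer: Optional[str]    # mobile devices only
    friendly_name: Optional[str]   # user-defined name, if configured

# Assumed layout, inferred from the two sample titles on this page:
#   USBCONNECT <dash> <device part> [ (<friendly name>) ]
# The page prints an en dash; a plain hyphen is accepted as well.
_TITLE = re.compile(
    r"^USBCONNECT\s*[\u2013\u2014-]\s*(?P<device>.+?)"
    r"(?:\s*\((?P<name>[^()]*)\))?\s*$"
)
_DRIVE = re.compile(r"^(?P<letter>[A-Za-z]):\\?$")

def parse_usbconnect(title: str) -> Optional[UsbConnect]:
    """Return the parsed fields, or None if the title is not a USBCONNECT title."""
    m = _TITLE.match(title.strip())
    if m is None:
        return None
    device = m.group("device").strip()
    name = (m.group("name") or "").strip() or None
    d = _DRIVE.match(device)
    if d:
        return UsbConnect("storage", d.group("letter").upper() + ":\\", None, None, name)
    model, comma, maker = (part.strip() for part in device.partition(","))
    if comma and model and maker:
        return UsbConnect("mobile", None, model, maker, name)
    # Keep unrecognised device text instead of dropping the event.
    return UsbConnect("unknown", None, device, None, name)

# Constructed sample input: the two titles from the page plus two edge cases.
SAMPLE_TITLES = [
    "USBCONNECT \u2013 E:\\ (JOHN DOE)",
    "USBCONNECT \u2013 A0001, OnePlus (JOHN PHONE)",
    "USBCONNECT - F:\\",
    "Inbox - Outlook",
]

if __name__ == "__main__":
    for t in SAMPLE_TITLES:
        print(repr(t), "->", parse_usbconnect(t))
```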

Viewing Results in the Web Console Diaries

The following example shows how detected insertions of USB external storage devices are displayed in the Endpoint Diary within the ObserveIT Web Console.

version 7.12.4