Detecting the Insertion of an External Device

You can monitor activities involving the insertion of a disk-on-key, other portable USB device, or Thunderbolt device, which might lead to the copying and exfiltration of sensitive data out of an organization.

An external storage device is detected when:

  • a user connects any device. The device description (i.e. model and manufacturer) and the mapped drive letter are immediately captured.

  • a user restarts a computer with an already connected device. The device does not need to be reinserted to be detected.

  • no user is logged in and a device is already connected.

As long as an external device is inserted, alerts are triggered. If a user logs off and the device remains connected, alerts are generated and appear in the alerts lists when the user logs back on.

The detection mechanism enables security and risk administrators to:

  • Receive an immediate alert (and email notification) upon any insertion of a device, allowing analysts to respond quickly.

  • Search for all insertion operations of a specific user.

  • Play a video that captured the end-user activity before and after the insertion of the external storage, in order to better understand the end-user’s real intentions.

  • Generate detailed reports on all insertion operations for audit and compliance requirements.

Upon insertion of the device, a single virtual screenshot is created with a window title prefixed by USBCONNECT followed by the device model and manufacturer (for mobile devices), the drive letter (for non-mobile devices), and with a friendly user-defined name if configured for the device.

For example, if a disk-on-key or iPhone was inserted into a computer's USB port, the following window titles would be created:

USBCONNECT – E:\ (JOHN DOE)

USBCONNECT – A0001, OnePlus (JOHN PHONE)
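
When window titles are exported for review, the USBCONNECT layout described above can be parsed to separate drive-letter insertions from mobile devices and to list devices with no friendly name configured. The following Python is an added example, not part of the product or its documentation; the title layout is inferred from the two sample titles above, and the function names and the last two sample titles are constructed for illustration.

```python
import re

# Layout inferred from the two example titles on this page; the friendly
# name in parentheses is optional. Accepting "-" as well as "–" is an assumption.
TITLE_RE = re.compile(
    r"^USBCONNECT\s*[–-]\s*(?P<device>.+?)(?:\s*\((?P<friendly>[^()]*)\))?\s*$"
)
DRIVE_RE = re.compile(r"^(?P<letter>[A-Za-z]):\\?$")


def parse_usbconnect(title):
    """Return a dict describing the device, or None if not a USBCONNECT title."""
    m = TITLE_RE.match(title.strip())
    if not m:
        return None
    device = m.group("device").strip()
    event = {"friendly_name": m.group("friendly"), "drive": None,
             "model": None, "manufacturer": None}
    d = DRIVE_RE.match(device)
    if d:
        event["kind"] = "non-mobile"   # drive letter is shown for non-mobile devices
        event["drive"] = d.group("letter").upper()
    else:
        event["kind"] = "mobile"       # "model, manufacturer" is shown for mobile devices
        model, _, maker = device.partition(",")
        event["model"] = model.strip()
        event["manufacturer"] = maker.strip() or None
    return event


def unnamed_devices(titles):
    """Insertions whose title carries no friendly user-defined name."""
    parsed = (parse_usbconnect(t) for t in titles)
    return [e for e in parsed if e and not e["friendly_name"]]


# Constructed sample input: the first two titles are from this page, the rest are made up.
SAMPLE_TITLES = [
    "USBCONNECT – E:\\ (JOHN DOE)",
    "USBCONNECT – A0001, OnePlus (JOHN PHONE)",
    "USBCONNECT – F:\\",
    "Inbox - Mail",
]

if __name__ == "__main__":
    for t in SAMPLE_TITLES:
        print(t, "->", parse_usbconnect(t))
```
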

Viewing Results in the Web Console Diaries

The following example shows how the detection of user actions to insert USB external storage devices is displayed in the Endpoint Diary within the ITM On-Prem Web Console.