Detecting the Insertion of an External Device

You can monitor activities involving the insertion of a disk-on-key or other portable USB device, including a mobile phone or Thunderbolt connector, which might lead to the copying and exfiltration of sensitive data out of an organization.

An external storage device is detected when:

  • a user connects any external device (including mobile phones and Thunderbolt). The device description (i.e. model and manufacturer) and the mapped drive letter are immediately captured.

  • a user restarts a computer with an already connected external device. The device does not need to be reinserted to be detected.

  • no user is logged in and a device is already connected.

As long as a device is inserted, alerts are triggered. If a user logs off and the device remains connected, alerts are generated and appear in the alerts lists when the user logs back on.

The detection mechanism enables security and risk administrators to:

  • Receive an immediate alert (and email notification) upon any insertion of an external device, allowing analysts to respond quickly.

  • Search for all insertion operations of a specific user.

  • Play a video that captured the end-user activity before and after the insertion of the external storage, in order to better understand the end-user’s real intentions.

  • Generate detailed reports on all insertion operations for audit and compliance requirements.

Upon insertion of the external device, a single virtual screenshot is created with a window title prefixed by USBCONNECT followed by the device model and manufacturer (for mobile devices), the drive letter (for non-mobile devices), and with a friendly user-defined name if configured for the device.

For example, if a disk-on-key or iPhone was inserted into a computer's USB port, the following window titles would be created:



Viewing Results in the Web Console Diaries

The following example shows how detected insertions of USB external storage devices are displayed in the Endpoint Diary within the ITM On-Prem Web Console.