Unexpected USB drive activity

The Network: Midwest US banking institution, hundreds of servers and thousands of workstations

The Expectation: All USB storage devices are disabled across all machines by Group Policy

The Catch: The USB insert/remove monitoring feature of the EventTracker Windows Sensor was enabled. Within a few days of installation, a routine report on USB activity, which was expected to be empty, indicated that staff on two machines had inserted USB sticks and copied data to them.

The Find: It seems the two machines had somehow not processed the Group Policy, leaving a gap in coverage.

The Fix: Force GPO processing on the machines.
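One way to check for this gap and apply the fix, as an added example that is not from the original write-up or from EventTracker. It assumes the block is the "All Removable Storage classes: Deny all access" policy setting (which writes `Deny_All=1` under the policy key shown), that PowerShell remoting is enabled, and it uses placeholder host names.

```powershell
param(
    # Placeholder host names; replace with the machines to audit.
    [string[]]$ComputerName = @('WKS-EXAMPLE-01', 'WKS-EXAMPLE-02')
)

# Runs on the target: read the policy value the GPO is assumed to write.
$check = {
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $deny = (Get-ItemProperty -Path $key -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Blocked  = ($deny -eq 1)
        Note     = if ($null -eq $deny) { 'policy value missing' } else { "Deny_All=$deny" }
    }
}

function Test-UsbPolicy([string]$Computer) {
    try {
        Invoke-Command -ComputerName $Computer -ScriptBlock $check -ErrorAction Stop |
            Select-Object Computer, Blocked, Note
    } catch {
        # An unreachable machine is unverified, so it is reported as a gap.
        [pscustomobject]@{
            Computer = $Computer
            Blocked  = $false
            Note     = "unreachable: $($_.Exception.Message)"
        }
    }
}

$report = foreach ($c in $ComputerName) {
    $r = Test-UsbPolicy $c
    if (-not $r.Blocked -and $r.Note -notlike 'unreachable*') {
        # The fix from the write-up: force Group Policy processing, then re-check.
        Invoke-Command -ComputerName $c -ScriptBlock {
            gpupdate.exe /target:computer /force /wait:120 | Out-Null
        }
        $r = Test-UsbPolicy $c
        $r.Note = "after forced refresh: $($r.Note)"
    }
    $r
}

# Any row still showing Blocked = False is a machine where the policy is not in effect.
$report | Format-Table -AutoSize
```

A machine that still reports `Blocked = False` after the forced refresh is not receiving the GPO at all; `gpresult /r /scope computer` on that machine lists which policies were applied and which were filtered out.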

The Lesson: Trust but verify. EventTracker SIEM provides comprehensive visibility into actions by both internal users and external threat actors. The EventTracker SOC’s 24/7 monitoring quickly detects security gaps and reduces the time potential adversaries spend in your organization, greatly minimizing dwell time and the loss of sensitive data as well as the bank’s hard-earned brand reputation.