Monitoring Data Transfers to Removable Devices using eBPF

Product Category

Data Loss Prevention (DLP)

Objective

Use eBPF to monitor and control data transfers to removable devices, such as USB drives and external hard disks, on Linux systems.

Details

System Calls Monitored: system calls related to file operations on removable devices (e.g., open, read, write).

Data Captured:

  • Timestamp of data transfer
  • User initiating the data transfer
  • File details (name, size, type)
  • Device details (name, type, serial number)

Use Case

This implementation aids in preventing data exfiltration via removable devices by monitoring and controlling data transfers. Organizations can enforce DLP policies to block or log data transfers that violate security policies, ensuring sensitive data is not copied to unauthorized devices.
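As an added example (not code from the original page): a bpftrace script implementing the syscall side of this design, logging timestamp, user, process and path for files opened under removable-device mount points and summing write sizes per user. The /media and /run/media prefixes are an assumption; device name, type and serial number are not visible at the syscall layer and have to be joined from udev or /sys in userspace.

```bpftrace
#!/usr/bin/env bpftrace
// Log successful opens of files under typical removable-device mount
// points and total the bytes written to them per user and process.
// The mount prefixes are an assumption; adjust them to the host's
// automount layout. Observation only: nothing is blocked here.

BEGIN
{
    printf("Watching /media and /run/media ... Ctrl-C to print totals\n");
}

tracepoint:syscalls:sys_enter_openat
/ strncmp(str(args->filename), "/media/", 7) == 0 ||
  strncmp(str(args->filename), "/run/media/", 11) == 0 /
{
    // Remember the request so the exit probe can pair it with the fd.
    @path[tid]  = str(args->filename);
    @flags[tid] = args->flags;
    @open[tid]  = 1;
}

tracepoint:syscalls:sys_exit_openat
/ @open[tid] /
{
    if (args->ret >= 0) {
        time("%Y-%m-%d %H:%M:%S ");
        printf("uid=%d pid=%d comm=%s fd=%ld flags=0x%x path=%s\n",
               uid, pid, comm, args->ret, @flags[tid], @path[tid]);
        // O_WRONLY (1) or O_RDWR (2): the descriptor may be written to.
        if ((@flags[tid] & 3) != 0) {
            @wfd[pid, (uint64)args->ret] = 1;
        }
    }
    delete(@path[tid]);
    delete(@flags[tid]);
    delete(@open[tid]);
}

tracepoint:syscalls:sys_enter_write
/ @wfd[pid, (uint64)args->fd] /
{
    // Bytes requested per writer; the actual count is in sys_exit_write.
    @bytes_written[uid, comm] = sum(args->count);
}

tracepoint:syscalls:sys_enter_close
/ @wfd[pid, (uint64)args->fd] /
{
    delete(@wfd[pid, (uint64)args->fd]);
}

END
{
    clear(@path); clear(@flags); clear(@open); clear(@wfd);
}
```

Run as root; @bytes_written is printed on exit. Tracepoints can only observe, so the blocking half of the policy needs BPF LSM hooks (for example file_open) rather than this script.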