Introduction to User Activity Monitor
DeviceLock provides the ability to monitor end user actions by video recording the user’s computer screen, as well as recording all keystrokes and information about the applications that were used on the computer during recording. With this kind of monitoring, DeviceLock helps expand the evidence base in the investigation of information security incidents, simplifies identifying suspicious user behavior, reveals misuse of access privileges or data protection policies, and therefore proactively mitigates possible risks of data leaks.
To implement user activity monitoring, the DeviceLock Service records the user’s on-screen actions in a video format along with recording user keystrokes and saving other information such as active application name, active window title, and so on. The monitoring data can then be collected from user computers by the DeviceLock Enterprise Server where authorized persons can view and analyze those recordings of user activity.
The ability to store a recording of user actions gives DeviceLock a number of advantages when detecting data leak threats. The DeviceLock Service records exactly what the user sees on the computer screen regardless of applications and protocols used or level of privilege the user has. Keyboard input and other data recorded by DeviceLock Service along with video can be leveraged to track certain user actions.
The DeviceLock Service features various triggering criteria to start recording when certain events or conditions occur. Depending on the criteria selected in the policy, recording can start, for example, when a specific device is connected, a certain application is opened, or an unauthorized attempt is made to write a file or send a message. Triggering criteria enable the DeviceLock Service to perform selective recordings of potentially suspicious user actions. For a complete list of criteria, see Setting up triggering criteria later in this chapter.
DeviceLock Service initially stores user activity monitoring data on the local computer, allowing the administrator to explore local records of user actions in the DeviceLock Management Console connected to the DeviceLock Service. Viewed this way, the console shows only the records made by the DeviceLock Service on that computer.
To enable centralized viewing and analysis of the recordings made on different computers, it is necessary to transfer user activity monitoring data to DeviceLock Enterprise Server. The servers that collect and hold that data are specified by the respective DeviceLock Service setting. If necessary, the data from individual servers can be combined for viewing and analysis on a central collection server by using the log consolidation feature.