In most modern organizations, almost all important information is stored in electronic form, across a variety of computer networks, servers, and other information systems. Trusted users inside an organization often have access to confidential and protected information. Consequently, organizations often employ a variety of security mechanisms to prevent unauthorized access to and/or use of such information.
Merely by way of example, many corporations have information security policies, which, in many cases, prohibit the use of floppy disk drives in corporate computers, require employees to check in and/or out any computing assets and/or media when entering/leaving the premises of the corporation, protect assets with firewalls, etc. In addition, there are a variety of ways, using computer hardware and/or software, for organizations to protect information. At the most basic level, physical access to information assets, such as servers, may be restricted. Similarly, logical access may be restricted, for instance by using software access controls (e.g., at the network level, operating system level and/or application level).
Of course, such security comes with a price: inconvenience to users. Moreover, in some cases, it is simply not possible to restrict access by all users, because inevitably, some users will need to have access to protected information, and it is difficult to both allow a user to access information and prevent that user from using the information for improper purposes.
Consider, for example, a corporation's financial information. If the corporation is publicly traded, such information must be protected until it is formally disclosed to the public. Otherwise, the information provides arbitrage opportunities, since it allows a holder of the information to anticipate the market effects of a public disclosure of the information and act accordingly. A certain set of users, however, must have access to the information. For example, the corporation's accounting and finance personnel may need the information to perform their duties. Hence, it is infeasible to prevent such personnel from accessing the information, but that access presents a danger of improper use.
To combat such dangers, organizations generally are forced to rely on the trustworthiness of the personnel. Unfortunately, by the time an organization learns that an individual is untrustworthy, it is usually too late—the individual already has used the information for an improper purpose. There are some tools available that attempt to allow organizations to anticipate such untrustworthy actions, such as access monitors, keystroke loggers, and the like, but in many cases, a skilled user can detect and circumvent such controls.
Merely by way of example, if an organization prohibits the use of physical media, a user can make use of the Internet (including, for example, Internet-based email systems) to transfer information outside the organization. Anticipating this, many organizations use firewalls and proxies to detect and/or prevent the transfer of such information over the Internet. Skilled users, however, often can defeat such systems through the use of encryption, secure Internet protocols and the like to obfuscate their behavior. In other cases, a user may undertake questionable behavior when not currently connected to a network, such as copying a prohibited file onto a USB removable storage device.
A variety of monitoring systems have been proposed for monitoring the activities of users on a monitored computer. In many cases, however, these monitoring systems are easily detected and/or circumvented. In other cases, monitoring systems require connectivity with a monitoring server in order to relay monitoring information to a monitoring party. Further, when implementing a monitoring system, there is a danger that events that may be related to an event of interest (that is, an event that should be captured for analysis and/or review) will be ignored merely because those related events occur before the event of interest and thus appear innocuous and/or unworthy of collection. An alternative is to collect all events, but this alternative often imposes unreasonable overhead on the monitored system (e.g., in transmitting the events to a monitoring server for analysis) and thus often leads to detection by, and/or annoyance of, a user of the monitored computer.
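As an added illustration of the trade-off just described (example code written for this edit, not part of the document or of any system it describes), the monitor below keeps only a bounded ring buffer of recent events, emits that buffer together with the triggering event of interest, and spools the resulting report locally until a server connection is available. The ring-buffer approach, the event kinds and the sample events are all assumptions constructed for the example.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int        # timestamp in seconds (constructed sample values)
    kind: str      # e.g. "file_open", "clipboard_copy", "usb_write"
    detail: str


class ContextMonitor:
    """Retains a bounded window of preceding events instead of either
    discarding them or collecting everything; reports are queued locally
    so no server connectivity is needed at capture time."""

    def __init__(self, window: int, interesting: set[str]):
        self.window: deque[Event] = deque(maxlen=window)  # ring buffer
        self.interesting = interesting
        self.spool: list[list[Event]] = []  # reports awaiting a connection

    def observe(self, ev: Event) -> bool:
        """Returns True when ev is an event of interest and a report was spooled."""
        if ev.kind in self.interesting:
            # the preceding context plus the triggering event form one report
            self.spool.append(list(self.window) + [ev])
            self.window.clear()
            return True
        self.window.append(ev)  # oldest entry drops out once the window is full
        return False

    def flush(self, connected: bool) -> list[list[Event]]:
        """Hands queued reports to the monitoring party only when reachable."""
        if not connected:
            return []
        sent, self.spool = self.spool, []
        return sent


# Constructed sample activity: a confidential file is opened and copied,
# unrelated activity follows, then a write to removable media occurs.
SAMPLE_EVENTS = [
    Event(1, "file_open", "q3_financials.xlsx"),
    Event(2, "clipboard_copy", "q3_financials.xlsx"),
    Event(3, "file_open", "lunch_menu.txt"),
    Event(4, "clipboard_copy", "lunch_menu.txt"),
    Event(5, "usb_write", "E:\\q3_financials.xlsx"),
    Event(6, "file_open", "lunch_menu.txt"),
]


def run_demo() -> list[list[Event]]:
    mon = ContextMonitor(window=3, interesting={"usb_write"})
    for ev in SAMPLE_EVENTS:
        mon.observe(ev)
    assert mon.flush(connected=False) == []  # offline: report stays on the host
    return mon.flush(connected=True)
```

With a window of three, the report carries events 2 through 5 (event 1 has aged out of the buffer), so the preceding context is retained without transmitting every event.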