Back to Tech Center

How to use Falcon Insight to get Additional USB Device Visibility

September 16, 2019

Tech Center
CrowdStrike Tech Center

Introduction

This document will review how Falcon Insight together with Falcon USB Device Control can provide additional visibility into usage of USB devices in your environments.

Video

This video demonstrates USB device visibility available through Falcon Insight dashboards as well as Falcon Device Control policy configuration. Falcon Prevent customers can access similar visibility options via the Activity app.

Device Control Visibility

With Falcon Insight and Device Control, you gain visibility into the USB devices and use profiles in your environment. You can access to dashboard under “Investigate > USB Device Control”.

device control visibility

 

The dashboard gives you a breakdown by class, manufacturer and device.  Each of the chart areas is clickable and provides quick access to filtered information and the supporting usage history.

device control visibility dashboard

 

In this example, drilling down on the “Mass Storage” device class illustrates that this specific environment has seen three different manufacturers in the last 30 days with a detailed usage history shown below. Valuable information, like the combined ID, can be used to further tune policies and define individual exceptions. The combined id is the serial number+manufacture ID+Product ID.

device control visibility mass storage

Device Control Investigation

If there is a need to take immediate action on a USB device, Falcon Device Control and Falcon Insight provide both the policy and the visibility you need to be effective. Under “Device Usage by Host” you can search on a specific hostname to see what USB devices they have employed over a given time range. You can review the current policy for each device and how often it is used. That information can be used to as needed to tune the policies for each class or allow exceptions for specific devices.

device control visibility host

 

There is also an overview of “Files Written to USB”. This can be especially helpful in cases where unapproved data exfiltration is suspected. For the enterprise, this information can be filtered by computer name, user name, file, file type or time range to help you investigate specific issues.

device control visibility files

Conclusion

Falcon Device Control with Insight provides industry leading visibility into your organization’s usage of USB devices. It helps you understand, control, report and investigate how those devices are being used to help you manage risk and minimize this attack vector.

More resources

Related Content