How to Manage USB Devices

Introduction

This document and video will demonstrate how to use Falcon Device Control to monitor and manage USB devices to minimize the attack surface and risk of incidents.

Device Control Policy Options

Falcon Device Control enables customers to use their existing management platform and lightweight agent to establish and enforce policies for USB devices. The policies and options can be found under “Configuration > USB Device Policies”.

From the policy list, you can choose to edit an existing policy or create a new policy. Within each policy, you are presented with a list of different USB device classes. This gives you the granularity to define different policies for different types of devices. Device classes include imaging, printers and mass storage.

For mass storage, four options are available. “Read, write and execute” gives users full access, while “Read and write only” is often used to prevent the auto-execution of unwanted programs.

Within the policy for each class, you also have the option to define exceptions. These exceptions can be defined for specific devices or for larger groups using vendor and product information. This allows you to provide necessary functionality while maintaining control over user access. It is also very helpful when enforcing specific corporate standards.

Device Control Visibility

With Falcon Device Control, you gain visibility into the USB devices and use profiles in your environment. You can access the dashboard under “Investigate > USB Device Control”.

The dashboard gives you a breakdown by class, manufacturer and device. Each of the chart areas is clickable and provides quick access to filtered information and the supporting usage history.

In this example, drilling down on the “Mass Storage” device class shows that this specific environment has seen three different manufacturers in the last 30 days, with a detailed usage history shown below. Valuable information, like the combined ID, can be used to further tune policies and define individual exceptions. The combined ID is the serial number + manufacturer ID + product ID.

Device Control Investigation

If there is a need to take immediate action on a USB device, Falcon Device Control provides both the visibility and the policy you need to be effective. Under “Device Usage by Host” you can search on a specific hostname to see which USB devices have been used on that host over a given time range. You can review the current policy for each device and how often it is used. That information can be used as needed to tune the policies for each class or allow exceptions for specific devices.

There is also an overview of “Files Written to USB”. This can be especially helpful in cases where unapproved data exfiltration is suspected. For the enterprise, this information can be filtered by computer name, user name, file, file type or time range to help you investigate specific issues.

Conclusion

Falcon Device Control provides industry-leading visibility into your organization’s usage of USB devices. It helps you understand, control, report on and investigate how those devices are being used, so you can manage risk and minimize this attack vector.
