CrowdStrike Falcon Device Control enables safe and accountable usage of USB devices across your organization. Using one lightweight agent, it allows IT and security administrators to ensure that approved USB devices are used appropriately in their environments. It also provides complete real-time and historical visibility into devices, with detailed logging and reporting on usage and file write events delivered via the Falcon management console.
CrowdStrike Falcon Device Control FAQ
Complete Visibility and Granular Control For USB Devices
Falcon Device Control ensures the safe utilization of USB devices by providing both extensive visibility and granular control over those devices. Its seamless integration with the Falcon agent and platform provides device control functionality paired with full endpoint detection and response (EDR) capabilities. This gives security and IT operations teams full visibility into how devices are being used and the ability to precisely control and manage that usage.
- Unprecedented Visibility: Falcon Device Control provides automatic and complete visibility across USB device usage: It automatically discovers and captures detailed device information; monitors files written to USB storage; and delivers real-time and historical usage data that is easily accessed via pre-built dashboards and powerful search.
- Precise and Granular Control: On mass storage devices, you can, for example, allow read and write access without allowing execution, or you can apply read-only policies, or you can allow full access.
- Gain Both Real-time and Historical Visibility: Device usage history is accessible in real time and historically, allowing you to search device usage activity across time. Device information includes usage logs, enforcement events, and file transfer activities.
- Get The Whole Picture in One Place: See how USB devices are being used in your environment and gain additional context about host activity — all via the same console — without having to import additional logs or run separate queries to get the complete picture.
- Implementation and Management Without Hassle: Falcon Device Control does not require installing or managing additional endpoint software. Falcon users can use the same console to manage policies and access reports. Device activity events are integrated with Falcon Insight™ endpoint detection and response (EDR), providing contextual understanding of endpoint activity.
As part of the Falcon platform and enabled via the Falcon agent, no additional agent is required. Activating Falcon Device Control requires a one-time reboot.
Falcon Device Control enables IT and security administrators to define and manage their device control policies via the Falcon management console.
You can set four different kinds of policies:
- Full Block: Device will be blocked.
- Read Only (Mass Storage Only): Users get read-only access but cannot write to the device.
- No Execute (Mass Storage Only): Users can’t execute programs from USB storage but can still copy the files from removable storage to a local drive.
- Full Access: Users have full access to the USB device. For mass storage, users have read/write/execute access to the USB drive.
You can create rules by class and exceptions by vendor ID, product ID or serial number.
Existing customers can contact sales to add Falcon Device Control to their subscriptions. Falcon Device Control requires Falcon Insight.
If you are not currently a CrowdStrike customer and are interested in this solution, please contact CrowdStrike Sales: email@example.com.