How to use Falcon Insight to get Additional USB Device Visibility
Introduction
This document will review how Falcon Insight together with Falcon USB Device Control can provide additional visibility into usage of USB devices in your environments.
Video
This video demonstrates USB device visibility available through Falcon Insight dashboards as well as Falcon Device Control policy configuration. Falcon Prevent customers can access similar visibility options via the Activity app.
Device Control Visibility
With Falcon Insight and Device Control, you gain visibility into the USB devices and use profiles in your environment. You can access the dashboard under “Investigate > USB Device Control”.
The dashboard gives you a breakdown by class, manufacturer and device. Each of the chart areas is clickable and provides quick access to filtered information and the supporting usage history.
In this example, drilling down on the “Mass Storage” device class shows that this specific environment has seen three different manufacturers in the last 30 days, with a detailed usage history shown below. Valuable information, like the combined ID, can be used to further tune policies and define individual exceptions. The combined ID is the serial number + manufacturer ID + product ID.
Device Control Investigation
If there is a need to take immediate action on a USB device, Falcon Device Control and Falcon Insight provide both the policy and the visibility you need to be effective. Under “Device Usage by Host” you can search on a specific hostname to see what USB devices that host has used over a given time range. You can review the current policy for each device and how often it is used. That information can be used as needed to tune the policies for each class or allow exceptions for specific devices.
There is also an overview of “Files Written to USB”. This can be especially helpful in cases where unapproved data exfiltration is suspected. For the enterprise, this information can be filtered by computer name, user name, file, file type or time range to help you investigate specific issues.
Conclusion
Falcon Device Control with Insight provides industry-leading visibility into your organization’s usage of USB devices. It helps you understand, control, report on and investigate how those devices are being used, so you can manage risk and minimize this attack vector.