CrowdStrike Falcon Device Control FAQ

CrowdStrike Falcon Device Control enables safe and accountable usage of USB devices across your organization. Using one lightweight agent, it uniquely combines visibility and granular control and allows IT and security administrators to ensure that approved USB devices are used appropriately in their environments.. When used with Falcon Insight™, visibility is extended, adding searchable history and logs of USB device usage, including files written to devices.

Falcon Device Control ensures the safe utilization of USB devices by providing both visibility and granular control over those devices. Its seamless integration with the Falcon agent and platform provides device control functionality paired with full endpoint protection and endpoint detection and response (EDR) capabilities. This gives security and IT operations teams visibility into how devices are being used and the ability to precisely control and manage that usage.

• Effortless Visibility: Falcon Device Control provides automatic visibility across USB device usage: It automatically discovers and captures detailed device information; and delivers real-time usage data that is easily accessed via pre-built dashboards and powerful search.
• Precise and Granular Control: On mass storage devices, you can, for example, allow read and write access without allowing execution, or you can apply read-only policies, or you can allow full access.
• Extend Falcon Insight visibility: Gain access to searchable history and logs of USB device utilization. Device information includes usage logs, enforcement events, and file transfer activities.
• Get Your Information In One Place:See how USB devices are being used in your environment and gain additional context about host activity — all via the same console — without having to import additional logs or run separate queries to get visibility on USB device utilization.
• Implementation and Management Without Hassle:  Falcon Device Control does not require installing or managing additional endpoint software. Falcon users can use the same console to manage policies and access reports. Device activity events are integrated with Falcon endpoint protection, providing contextual understanding of endpoint activity.

As part of the Falcon platform and enabled via the Falcon agent, no additional agent is required. Activating Falcon Device Control requires a one-time reboot.

Falcon Device Control enables IT and security administrators to define and manage their device control policies via the Falcon management console.

You can set four different kinds of policies:

• Full Block: Device will be blocked.
• Read Only (Mass Storage Only): Users get read-only access but cannot write to the device.
• No Execute (Mass Storage Only): Users can’t execute programs from USB storage but can still copy the files from removable storage to a local drive.
• Full Access: Users have full access to the USB device. For mass storage, users have read/write/execute access to the USB drive.

You can create rules by class and exceptions by vendor ID, product ID or serial number.

Existing customers can contact sales to add Falcon Device Control to their subscriptions. Falcon Device Control can be used with both Falcon Prevent and Falcon Insight.

If you are not currently a CrowdStrike customer and are interested in this solution, please contact CrowdStrike Sales: [email protected].

Falcon is licensed on a subscription basis per endpoint. For more information please contact us, request a quote, or buy now from the AWS Marketplace.