Device Control
Device control is a way to control and restrict access of USB devices. Although USB devices are commonplace, and useful tools within an enterprise, such devices might also be used for harmful actions, such as leaking organizational data and spreading malware.
Note
When Device control blocks a USB device or identifies a device as Read only, the Cybereason platform displays a system-tray notification. For users to see these notifications, you must enable notifications in the sensor policy, in the Endpoint UI Settings screen in the Remediation actions action. For more information on notification settings, see Configure end user desktop settings.
In this topic:
Supported device types
The Device control feature protects the following device types:
Device type |
Device type name |
Example |
Description |
Supported OS/version |
Supported modes |
---|---|---|---|---|---|
USB storage devices |
USB storage device |
A USB flash drive |
USB storage devices identified as a USB mass storage device. |
|
|
MTP devices |
MTP device |
A Samsung or Android phone |
Mobile (Android and iOS) media devices that are connected to the endpoint via a USB connection. |
|
|
USB devices |
All |
A USB keyboard |
Other USB devices, such as a USB keyboard, and to grant or deny access to these devices. |
|
|
View Device control events and monitor USB usage
Note
Starting from version 23.2.10x, this feature is available by default for Windows machines only.
In the Device control screen, you can view Device control events and easily monitor the usage of USB devices across your environment. This can help you:
Ensure that defined policies are working effectively to reduce data leak risks and USB drive-by malware.
Gain insight on events and improve your organization’s security posture.
For example, in your sensor policy, you instruct the Cybereason platform to block USB devices. Then, as users insert USB devices into endpoint machines that use that sensor policy, the Cybereason platform blocks these USB device and reports these events on the Device control screen. You can check the Device Control screen regularly to ensure that the policy is enforced on the relevant endpoint machines.
Click Export to export the list of device control events to a CSV file.
Note
The data in the Device Control screen is retained for 30 days. The screen includes reporting of Block and Read only events only.
View the Device control status in the Sensors screen
You can view the Device control status for single endpoints or for groups of endpoints in the System > Sensors screen. To display the Device control status, select Columns to the right of the sensors table, and select the Device control column.
The Device control column is visible in the list of sensors:
View the Device control status:
Status |
Description |
---|---|
Enabled |
Device control is enabled. The Device control toggle in the System > Policies management > Endpoint Controls screen is turned on with any mode selected. |
Disabled |
The Device control toggle in the System > Policies management > Endpoint controls screen is turned off. |
Advanced |
Device control is enabled and exclusions are defined, according to the following configuration:
|
The information in the Device control column is also used as metadata if you export the table to a CSV file.