My CISO wants a way to report on any files written to a non-encrypted USB device. To me, this translates in to a Data Protection rule (monitoring file copies) and a Device Control Rule (only to non-encrypted USB devices -- like McAfee or hardware). I tried doing both, but it only triggered on the Device Control.
Anyone have any ideas? I was thinking the only way to do this would be to create two policies and if the Device Control triggered, apply the Data Protection policy --- but that would be messy and not very accurate.
Thank you for posting here! Unfortunately, the Removable Storage Protection rule doesn't have the capability to determine whether the device itself is encrypted or not. That particular rule is more so focused on the content/file level. For a sanity check, I did test out your configuration in my lab and the Removable Storage Protection Rule triggered an incident when a file was copied to my flash drive regardless of whether the drive was encrypted by FRP or not.
With that said, if the concern is that files are being copied to unencrypted flash drives, the Removable Storage Protection Rule has a reaction option that can encrypt files with a specified FRP key. Additionally, FRP can be configured in such a way that if the end user chooses not to encrypt a USB drive, FRP will make it read only. This can be done by using the Enforce Encryption (with Offsite Access) option in the Removable Media policy.
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.
Community Help Hub
New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.