Union Health Standard for USB Storage Device Use

Introduction

The Union Health USB Storage Device Standard defines the configuration of, and the security controls in place for, Union Health USB storage devices, such as “thumb drives”, external hard drives, and any related variety of USB-attached data storage. Because of the risk of lost or stolen devices, unexpected data loss, and exposure to malware from external sources, these controls must be defined, and any exemption from this standard must be documented in the Union Health TeamDynamix (TDX) platform.

Information/What to Know

CrowdStrike’s malware detection behaves somewhat differently than traditional signature-based malware scanning. In addition to CrowdStrike’s on-demand scanning, Union Health allows USB storage devices only on an as-needed basis. All workstations, by default, have USB storage devices blocked. Any exemption from this baseline CrowdStrike security policy must be requested in TDX, where the request is prioritized for completion and tracked in a security risk register in accordance with risk management best practices.

CrowdStrike On-Demand scanning security policies are described as follows:

The Falcon sensor blocks malicious operations performed by scripts and shells, such as:

  • Contents of executed script files
  • Typed strings on a PowerShell prompt
  • Dynamically executed strings through the Invoke-Expression cmdlet
  • Commands supplied as a command-line parameter, such as -EncodedCommand

Scans are initiated in the following ways:

  • Falcon console: Based on a configuration or an action in the Falcon console, a scan is initiated on the host, either immediately or according to a specified schedule.
  • CrowdStrike API: Based on a configuration in the CrowdStrike API, a scan is initiated on the host, either immediately or according to a specified schedule.
  • USB insertion: When a USB storage device is inserted, a scan of the USB device is initiated immediately on the host.
  • End user: On a local host, through the right-click menu, an end user initiates a scan that runs immediately on that host.
  • CLI: A scan is initiated on a local host through the CLI.


The Execution Blocking prevention category contains Custom Blocking, Suspicious Processes, Suspicious PowerShell Scripts and Commands, Suspicious Registry Operations, Drift Prevention, and Intelligence-Sourced Threats, which complement Machine Learning preventions.

This setting blocks processes that exhibit suspicious behavior as defined by indicators of attack (IOAs). The goal is to identify the intention of the process and block it if it is deemed malicious. For example, svchost.exe being launched by an unexpected process instead of services.exe is a likely indicator of malware execution.
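To make the parent-process IOA concrete, the following is an added illustration (not CrowdStrike’s code and not part of this standard) of a parent-process check applied to constructed process-start telemetry. The event format, the field names, the sample events, and the rule table are all assumptions made for the example; only the svchost.exe / services.exe relationship comes from the text above.

```python
import ntpath
from dataclasses import dataclass
from typing import List, Optional

# Expected parent processes for selected system binaries.
# Only the svchost.exe -> services.exe relationship is taken from the page;
# the table structure itself is an assumption for illustration.
EXPECTED_PARENTS = {
    "svchost.exe": {"services.exe"},
}


@dataclass(frozen=True)
class ProcessStart:
    """Hypothetical process-start event (assumed field names)."""
    pid: int
    image: str          # full path of the started executable
    parent_image: str   # full path of the parent executable
    user: str           # account the process runs as


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def unexpected_parent(event: ProcessStart) -> Optional[str]:
    """Return an alert string when a monitored child has a parent outside its
    expected set; return None when the parent is expected or the child is not
    monitored. Matching is case-insensitive and ignores the directory."""
    child = basename(event.image)
    expected = EXPECTED_PARENTS.get(child)
    if expected is None:
        return None
    parent = basename(event.parent_image)
    if parent in expected:
        return None
    return (f"pid {event.pid}: {child} started by {parent} "
            f"(expected one of {sorted(expected)}) as {event.user}")


def scan_events(events: List[ProcessStart]) -> List[str]:
    """Apply the parent check to every event; return alerts in input order."""
    return [alert for alert in (unexpected_parent(e) for e in events) if alert]


# Constructed sample telemetry (not real logs): one normal svchost.exe start,
# one launched from PowerShell, an unrelated process, and a mixed-case path.
SAMPLE_EVENTS = [
    ProcessStart(1001, r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\services.exe", "NT AUTHORITY\\SYSTEM"),
    ProcessStart(1002, r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "UH\\jdoe"),
    ProcessStart(1003, r"C:\Windows\System32\notepad.exe",
                 r"C:\Windows\explorer.exe", "UH\\jdoe"),
    ProcessStart(1004, r"C:\Windows\System32\SVCHOST.EXE",
                 r"C:\Windows\System32\Services.exe", "NT AUTHORITY\\SYSTEM"),
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

Only the second event produces an alert; the fourth shows why the comparison normalizes case and strips the directory, since Windows paths and image names are not case-sensitive. A real sensor correlates this parent relationship with the other factors the page lists (process user, file type, atypical sources and destinations) rather than alerting on the parent alone.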

Ultimately, CrowdStrike assesses risk based on a number of correlated factors, including (but not limited to) file/process type, process user, atypical sources/destinations, and behavior of the process.

Conclusion

Union Health's USB Storage Device Standard outlines the configuration and security controls for USB-attached storage (e.g., thumb drives, external hard drives) to mitigate risks like data loss, theft, and malware. By default, USB storage is blocked on all workstations.

Any exceptions to this standard must be formally requested and documented in the TeamDynamix (TDX) system, aligning with Union Health’s risk management practices.

CrowdStrike is the primary malware defense tool, offering advanced behavior-based detection rather than relying solely on signature-based scans. USB scans are automatically triggered upon device insertion or can be manually initiated via several methods (e.g., Falcon console, CLI, right-click menu). CrowdStrike also uses machine learning and execution blocking to identify and stop suspicious activities, ensuring comprehensive endpoint protection.

Additional Help

For additional help, contact the subject matter expert or the Help Desk at 812-238-4911.