Our team has been working on some rules to mitigate threats from removable media. We have had good success with file monitoring, read/writes, and actively responding to executable attempts from flash drives and other removable media. Our point of contention arises when we work to meet another requirement of providing our federal users encrypted removable media. Once we initiate the Group Policy to bitlocker the USB drives, all visibility to read/write cycles and executable attempts to the device becomes invisible to LEM. In other words, once the drive is encrypted we can't see the traffic to and from the drive any longer.
Has anyone else attempted to implement this scenario? Did you have success?