Your Zero Trust Strategy is Incomplete Without USB Malware Protection

Brent Agar, VP Strategic Partnerships, SentryBay

I hear it all the time.

“We’ve implemented Zero Trust.”
“Our endpoints are covered.”
“Our data is encrypted.”

And yet, in many of these same environments, one of the simplest attack vectors remains wide open.

A USB stick.

It may feel like an outdated threat, but USB malware is not going away. If anything, it is becoming more effective, because modern security strategies are built around identity and network access and were not designed with a locally attached device in mind. That is why USB malware protection needs far more attention than it currently gets.

USB malware exposes a fundamental flaw in modern security

Most cybersecurity strategies today are built around controlling access. Identity is verified. Devices are checked. Networks are segmented. This is the foundation of Zero Trust. But USB malware does not follow those rules.

  • It does not require authentication. A device that enumerates as a keyboard inherits whatever session is already logged in.
  • It does not rely on network connectivity, so segmentation and egress filtering never see the initial compromise.
  • It does not trigger traditional access controls. The operating system treats a new keyboard as a trusted peripheral, not as a login attempt.

It simply requires a device to be plugged in.

That device could be handed out at an event, left in a parking lot, or introduced through a trusted partner. Once connected, it can present itself as a keyboard or other input device and begin issuing keystrokes and commands within seconds, with the permissions of the logged-in user. From a security perspective, this bypasses many of the controls organizations rely on. And that is where the problem begins.
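As an added example (not part of the original article or of SentryBay's product), here is a device-inventory check a practitioner might run alongside the protections discussed: it reads each USB device's interface descriptors and flags any keyboard interface that does not come from an allowlisted vendor/product ID. It uses the Linux sysfs attribute names (idVendor, idProduct, bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol); the allowlist policy and the keyboard-plus-storage heuristic are this example's own, and the sample devices and their VID:PID values are constructed placeholders, not real vendors.

```python
"""Added example: inventory USB interfaces and flag keyboards not on an allowlist.

Attribute names follow Linux sysfs (/sys/bus/usb/devices/<dev>/idVendor,
/sys/bus/usb/devices/<dev>:<cfg>.<n>/bInterfaceClass, ...). The sample records
at the bottom are constructed; their VID:PID values are placeholders.
"""
from dataclasses import dataclass
from pathlib import Path

# USB-IF class codes: HID is 0x03, boot-protocol keyboard is subclass 1 / protocol 1,
# mass storage is 0x08.
HID_CLASS = 0x03
HID_BOOT_SUBCLASS = 0x01
HID_KEYBOARD_PROTOCOL = 0x01
MASS_STORAGE_CLASS = 0x08


@dataclass(frozen=True)
class UsbDevice:
    path: str          # sysfs device name, e.g. "1-2"
    vid: int
    pid: int
    interfaces: tuple  # ((bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol), ...)


def is_boot_keyboard(iface):
    """True for an interface that enumerates as a boot-protocol keyboard (03/01/01)."""
    cls, sub, proto = iface
    return cls == HID_CLASS and sub == HID_BOOT_SUBCLASS and proto == HID_KEYBOARD_PROTOCOL


def assess(dev, allowlist):
    """Return the findings for one device; an empty list means nothing to flag.

    Policy (this example's own, not a standard): a keyboard interface must come
    from an allowlisted VID:PID, and a keyboard sharing a device with mass
    storage is flagged for review, since that pairing is common in keystroke
    injection tools and rare in ordinary keyboards.
    """
    findings = []
    has_keyboard = any(is_boot_keyboard(i) for i in dev.interfaces)
    has_storage = any(i[0] == MASS_STORAGE_CLASS for i in dev.interfaces)
    if has_keyboard and (dev.vid, dev.pid) not in allowlist:
        findings.append("keyboard interface from a VID:PID not on the allowlist")
    if has_keyboard and has_storage:
        findings.append("composite device: keyboard plus mass storage")
    return findings


def scan(devices, allowlist):
    """Map device path -> findings for every device that has at least one."""
    result = {}
    for dev in devices:
        findings = assess(dev, allowlist)
        if findings:
            result[dev.path] = findings
    return result


def _read_hex(p):
    return int(p.read_text().strip(), 16)


def load_sysfs(root="/sys/bus/usb/devices"):
    """Read real devices from sysfs (Linux only). Interface directories are
    named '<device>:<config>.<interface>' beside the device directory."""
    devices = []
    rootp = Path(root)
    for dev_dir in sorted(rootp.iterdir()):
        if not (dev_dir / "idVendor").exists():
            continue  # interface dirs and other entries have no idVendor
        ifaces = []
        for if_dir in sorted(rootp.glob(dev_dir.name + ":*")):
            try:
                ifaces.append((_read_hex(if_dir / "bInterfaceClass"),
                               _read_hex(if_dir / "bInterfaceSubClass"),
                               _read_hex(if_dir / "bInterfaceProtocol")))
            except (OSError, ValueError):
                continue
        devices.append(UsbDevice(dev_dir.name, _read_hex(dev_dir / "idVendor"),
                                 _read_hex(dev_dir / "idProduct"), tuple(ifaces)))
    return devices


# Constructed sample inventory; VID:PID values are placeholders, not real vendors.
ALLOWLIST = {(0x1111, 0x0001)}  # the corporate-issued keyboard model
SAMPLE_DEVICES = [
    UsbDevice("1-1", 0x1111, 0x0001, ((HID_CLASS, 1, 1), (HID_CLASS, 0, 0))),  # issued keyboard plus media keys
    UsbDevice("1-2", 0x2222, 0x0001, ((MASS_STORAGE_CLASS, 6, 0x50),)),          # plain flash drive
    UsbDevice("1-3", 0x2222, 0x0002, ((HID_CLASS, 1, 1),)),                       # unknown keyboard
    UsbDevice("1-4", 0x2222, 0x0003, ((HID_CLASS, 1, 1), (MASS_STORAGE_CLASS, 6, 0x50))),  # keyboard + storage
]

if __name__ == "__main__":
    for path, findings in scan(SAMPLE_DEVICES, ALLOWLIST).items():
        print(path, "->", "; ".join(findings))
```

At the descriptor level a keystroke-injection device looks exactly like a real keyboard, so a check like this can only pin down which keyboards are expected; it does not tell you what a device typed once it was accepted, which is the gap the rest of the article is about.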

The real risk is not entry. It is what happens next

Too many security strategies are focused on stopping threats at the perimeter. But USB malware highlights a different reality. You cannot stop every entry point. The question you should be asking is this:

  • What happens when something gets through?

Because once a device is compromised, the attacker's objective is often not to take control of the system outright. It is frequently more efficient to capture data directly from the user as they work.

  • Credentials as they are typed.
  • Sensitive information as it is viewed.
  • Conversations as they are happening.

This is data in use. And it is where USB malware is most effective.

Why USB malware protection must focus on data in use

We have made strong progress in protecting data at rest and in transit. Encryption and secure communication protocols are well established. But data in use, the moments when a user types, reads or speaks, remains exposed.

When a user is interacting with a system, that data exists in a form that can be captured. The payload delivered by a malicious USB device can log keystrokes, capture the screen, or trigger actions that expose information on screen. Increasingly, it can also enable access to microphones and cameras. This is where the risk expands beyond traditional data theft.

  • Captured audio can be used for voice cloning.
  • Captured video can be used to generate deepfakes.

What starts as a simple USB attack can quickly evolve into identity-based fraud. And this is exactly why USB malware protection must evolve.

Detection is not enough

Most endpoint security tools are designed to detect threats. They identify patterns, analyze behavior, and respond when something looks suspicious. But USB malware often operates too quickly for detection to be effective.

A device can be plugged in, execute commands, and capture data in a matter of seconds. By the time an alert is generated, the data may already be compromised. This is why relying solely on detection is no longer sufficient.

USB malware protection must move upstream. It must prevent data capture, not just detect malicious activity.

Why kernel-level USB malware protection changes the model

If you accept that malware can enter from anywhere, including a USB device, then the only logical strategy is to protect the data itself. This is where kernel-level USB malware protection becomes critical.

By operating at the core of the operating system, kernel-level controls can intercept attempts to capture data before they succeed. This approach does not depend on identifying the threat. It focuses on controlling access to the data.

It ensures that even if a device is compromised, the attacker cannot extract meaningful information. That is a fundamentally different model. It shifts the focus from prevention at the perimeter to protection at the point of use. It complements, rather than replaces, device-control policies that limit which USB device classes may enumerate in the first place.

How Armored Client delivers effective USB malware protection

This is exactly the approach we have taken with SentryBay’s Armored Client. The solution is designed to deliver USB malware protection at the point where it matters most, the endpoint interface.

It protects data in use by preventing common capture techniques, including keystroke interception and screen recording. It also enforces control over microphones and cameras, reducing the risk of unauthorized recording and the creation of deepfake content.

Because it operates at the kernel level, it does not rely on detecting or classifying threats in advance. It simply ensures that sensitive data cannot be captured, even in a compromised environment. For organizations that are serious about Zero Trust, this is a natural extension. It closes a gap that many have not yet addressed.

The uncomfortable reality

Here is the uncomfortable truth. If a USB device can be plugged into your environment and capture sensitive data, your security model is incomplete.

You may have strong identity controls. You may have network segmentation. You may have detection and response. But without USB malware protection at the kernel level, data in use remains exposed. And that is exactly where attackers are focusing.

Closing the gap

USB malware is not a new threat. But the way it is being used today exposes a weakness in how many organizations think about security. If we continue to focus only on how attacks enter, we will continue to miss what matters most.

  • What attackers can access once they are inside.

That is why USB malware protection must be part of every modern security strategy. And why protecting data in use at the kernel level is no longer optional.

About the Author
Brent Agar is Vice President of Strategic Partnerships at SentryBay, where he works closely with global technology partners, federal agencies, and healthcare organizations to strengthen endpoint security strategies. He focuses on advancing prevention-led security at the user interface layer, helping organizations address emerging risks such as AI-powered malware, voice cloning, and deepfake videos. Brent brings extensive experience in channel leadership and cybersecurity partnerships, aligning innovation with real-world enterprise security needs.