Endpoint/Device Security

Microsoft Defender for Endpoint to automatically isolate compromised devices

Coverage from Bleeping Computer indicates that Microsoft is currently testing a new feature for Microsoft Defender for Endpoint that will automatically isolate compromised devices to prevent attackers from moving laterally across a network. This capability is now available in preview mode as part of the automatic attack disruption feature, designed to contain attacks and provide security teams with more time to respond.

The new feature automatically disconnects compromised endpoints from the network, limiting the risk of further impact while maintaining connectivity to the Defender for Endpoint service for continued monitoring. Microsoft states that this automatic isolation helps reduce the risk of further impact, limits attacker lateral movement, and prevents data exfiltration and ransomware propagation. This functionality is currently limited to onboarded end-user workstations managed by Microsoft Defender for Endpoint. Security operators can release devices from isolation after completing investigations and mitigating risks.

This builds upon previous efforts, including manual containment of unmanaged Windows devices announced in June 2022, and isolation support for Linux endpoints introduced in preview in January 2023 and generally available by October 2023. In October 2023, Microsoft also enabled isolation of compromised user accounts to block lateral movement in hands-on-keyboard ransomware attacks. The company has also been testing features to block traffic to and from undiscovered Windows endpoints and to schedule antivirus scans on Linux systems.

Source: Bleeping Computer

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds