Coverage from Bleeping Computer indicates that Microsoft is currently testing a new feature for Microsoft Defender for Endpoint that will automatically isolate compromised devices to prevent attackers from moving laterally across a network. This capability is now available in preview mode as part of the automatic attack disruption feature, designed to contain attacks and provide security teams with more time to respond.The new feature automatically disconnects compromised endpoints from the network, limiting the risk of further impact while maintaining connectivity to the Defender for Endpoint service for continued monitoring. Microsoft states that this automatic isolation helps reduce the risk of further impact, limits attacker lateral movement, and prevents data exfiltration and ransomware propagation. This functionality is currently limited to onboarded end-user workstations managed by Microsoft Defender for Endpoint. Security operators can release devices from isolation after completing investigations and mitigating risks.This builds upon previous efforts, including manual containment of unmanaged Windows devices announced in June 2022, and isolation support for Linux endpoints introduced in preview in January 2023 and generally available by October 2023. In October 2023, Microsoft also enabled isolation of compromised user accounts to block lateral movement in hands-on-keyboard ransomware attacks. The company has also been testing features to block traffic to and from undiscovered Windows endpoints and to schedule antivirus scans on Linux systems.Source: Bleeping Computer
Endpoint/Device Security
Microsoft Defender for Endpoint to automatically isolate compromised devices

Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



