Microsoft Defender's New Automatic Endpoint Isolation Feature
Microsoft is testing a new capability for Microsoft Defender for Endpoint that automatically isolates compromised endpoints to thwart attackers' attempts to move laterally across the network. This feature is now available in preview mode and works as part of automatic attack disruption, a feature designed to contain attacks, limit their impact, and provide security teams with more remediation time.
Compromised endpoints that are automatically isolated are disconnected from the network to reduce the risk of further impact, but they retain connectivity to the Microsoft Defender for Endpoint service, which will continue to monitor the device. According to Microsoft, automatic isolation helps reduce the risk of further impact on the organization, limit attacker lateral movement, and prevent impacts such as data exfiltration and ransomware propagation.
How Automatic Device Isolation Works
Automatic device isolation works only on onboarded end-user workstations managed by Microsoft Defender for Endpoint. As Microsoft explained, they can also be released from containment at any time by security operators after completing the incident investigation and mitigating the risks. To release a device from automatic isolation, select the device from the Device inventory or open the device page and select Release from isolation from the action menu.
Nearly four years ago, in June 2022, Microsoft also announced that admins could manually contain compromised, unmanaged Windows devices by cutting off incoming and outgoing communication with onboarded Defender for Endpoint endpoints. Microsoft also began testing device isolation support for Defender for Endpoint on onboarded Linux devices in January 2023, with the capability reaching general availability in October 2023.
Recent Updates to Microsoft Defender for Endpoint
The same month, it revealed that Defender for Endpoint could also isolate compromised user accounts as part of automatic attack disruption to block lateral movement in hands-on-keyboard ransomware attacks. More recently, Microsoft began testing another new feature for the Defender for Endpoint enterprise endpoint security platform that automatically blocks traffic to and from undiscovered Windows endpoints, preventing attackers from breaching other non-compromised devices on the network.
Earlier this month, it revealed another Defender for Endpoint preview feature that will allow admins to schedule antivirus scans on onboarded Linux systems using the Microsoft Defender portal, mdatp managed JSON configuration, or the mdatp command-line tool. Scheduled scans support daily quick scans, interval-based quick scans, and weekly full scans, with options for low-priority execution, idle-time scheduling, and randomized start times.
Conclusion
Microsoft Defender's new automatic endpoint isolation feature is a significant enhancement to the platform's capabilities, providing an additional layer of protection against lateral movement and reducing the risk of further impact. As the threat landscape continues to evolve, it is essential for organizations to stay ahead of the curve and leverage the latest security features and technologies to protect their networks and endpoints.
- Microsoft Defender for Endpoint is a comprehensive security platform that provides advanced threat protection, vulnerability management, and incident response capabilities.
- The new automatic endpoint isolation feature is available in preview mode and works as part of automatic attack disruption.
- Compromised endpoints are disconnected from the network but retain connectivity to the Microsoft Defender for Endpoint service.
Source: BleepingComputer