Microsoft is testing a new Defender for Endpoint capability that will automatically isolate compromised endpoints to thwart attackers’ attempts to move laterally across the network.
This is now available in preview mode and works as part of automatic attack disruption, a feature designed to contain attacks, limit their impact, and provide security teams with more remediation time.
Compromised endpoints that are automatically isolated are disconnected from the network to reduce the risk of further impact, but they retain connectivity to the Microsoft Defender for Endpoint service, which will continue to monitor the device.
“When a device in your organization is suspected to be compromised, Microsoft Defender for Endpoint can automatically isolate the device as part of automatic attack disruption,” Microsoft said.
“Automatic isolation helps reduce the risk of further impact on the organization, limit attacker lateral movement, and prevent impacts such as data exfiltration and ransomware propagation.”
Automatic device isolation works only on onboarded end-user workstations managed by Microsoft Defender for Endpoint.
As Microsoft explained, they can also be released from containment at any time by security operators after completing the incident investigation and mitigating the risks.
To release a device from automatic isolation, select the device from the “Device inventory” or open the device page and select “Release from isolation” from the action menu.
Nearly four years ago, in June 2022, Microsoft also announced that admins could manually contain compromised, unmanaged Windows devices by cutting off incoming and outgoing communication with onboarded Defender for Endpoint endpoints.
Microsoft also began testing device isolation support for Defender for Endpoint on onboarded Linux devices in January 2023, with the capability reaching general availability in October 2023.
The same month, it revealed that Defender for Endpoint could also isolate compromised user accounts as part of automatic attack disruption to block lateral movement in hands-on-keyboard ransomware attacks.
More recently, Microsoft began testing another new feature for the Defender for Endpoint enterprise endpoint security platform that automatically blocks traffic to and from undiscovered Windows endpoints, preventing attackers from breaching other non-compromised devices on the network.
Earlier this month, it revealed another Defender for Endpoint preview feature that will allow admins to schedule antivirus scans on onboarded Linux systems using the Microsoft Defender portal, mdatp managed JSON configuration, or the mdatp command-line tool.
“Scheduled scans support daily quick scans, interval-based quick scans, and weekly full scans, with options for low-priority execution, idle-time scheduling, and randomized start times,” it said.
Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.
This guide covers the 6 surfaces you actually need to validate.
