Microsoft Defender for Endpoint can now isolate unmanaged devices that are suspected of being compromised and block it from any incoming or outgoing communication with devices enrolled in Defender for Endpoint.
According to Microsoft, this is designed to help prevent human-operated ransomware from moving laterally and spreading from an unmanaged device throughout an organization’s network. This also helps IT teams solve the challenge of responding to threats that originate from unmanage devices.
More than 70% of human-operated ransomware cases are initiated by an unmanaged, typically internet-facing device, Microsoft says. Once compromised outside of IT’s visibility, the device can spread malware throughout the network.
The company says the new capability became available last week and allows analysts to “contain” devices that aren’t enrolled in Defender for Endpoint by blocking managed devices from communicating with the suspected infected device.
Currently, the Contain action only works on devices running Windows 10 and above, meaning that only those devices enrolled in Defender for Endpoint will block “contained” devices.
The tool even continues to work even if the contained devices changed its IP address, as all devices enrolled in Defender for Endpoint will recognize the change and start blocking the new IP address. However, the original IP address will no longer be blocked.
According to Microsoft, the Role Based Access Control (RBAC) permissions required to contain devices are similar to device isolation. Any admin that can isolate a device can perform a “Contain” action.
In cases where the contained device’s IP is used by another device on the network, admins will see a warning while containing with a link to advanced hunting to provide visibility into other devices using the same IP to provide more insight into the decision.
Admins will also see a warning when the contained devices is a network device since this could cause network connectivity issues.
To contain a device, go to the Device inventory page in Defender and select the device to contain.
For more information, read Microsoft’s documentation on this new capability.
If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our digital newsletters!
Leave a Reply