
Microsoft is previewing an automatic device isolation capability within Defender for Endpoint's auto attack disruption tool to help contain cyber attacks already in progress. The capability is intended to quickly sever a compromised device's network connections, interrupting command and control and stopping data exfiltration. SANS Institute research warns that, under certain conditions, an attacker could leverage the isolation function to disable all user accounts. The warning emphasizes that autonomous AI-driven action tools require tuning and testing like any other automation. The risk is that, left unconfigured, the feature can be turned against defenders: an attacker could use it to disrupt the accounts administrators rely on, delaying the response. Automated response is still considered important because modern malware and ransomware operate at machine speed, outpacing human reaction times.
"Microsoft is previewing a new automatic device isolation capability in Defender for Endpoint's auto attack disruption tool to help security pros contain cyber attacks in progress on their IT networks. The company announced the capability earlier this month in a column about new features in Defender. There's no word on when automatic device isolation will be in full production."
"However, a new SANS Institute research paper warns that, in certain conditions, an attacker could leverage the new function to disable all user accounts. The lesson, said Johannes Ullrich, the institute's dean of research, is that autonomous AI action tools have to be tuned and tested like any other automation capability."
""Automatic isolation and attack disruption are not new concepts," Ullrich said in an email, "but ideas like these have been used in the past in open source and commercial tools. This feature is most important in organizations with under-resourced IT security teams, as it automates attack response. However, these features must be carefully tuned. If they are left unconfigured, attackers can use them to delay response by disrupting accounts used by administrators.""
"By the time an analyst even sees a red flag, he said, the attacker has already established persistence or started encrypting files. Microsoft's automatic device isolation acts as "a rapid, logical air gap. It instantly severs the device's network connections, cutting off the attacker's command and control (C2) and halting data exfiltration dead in it""
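The tuning Ullrich is asking for, shown as an added illustration that is not Microsoft's code and not Defender for Endpoint's configuration: a toy auto-response policy engine in which every name, threshold and alert record is a constructed assumption. Two policies are run over the same burst of alerts. The unconfigured policy disables every account the alerts name, including the break-glass administrator, which is the failure mode the SANS paper describes; the tuned policy never auto-disables protected accounts, caps account disables per time window, and hands everything it refuses to a human queue instead of dropping it.

```python
"""Guardrail for automated response actions.

Added illustration only: hypothetical names, thresholds and alert data; this is
not Microsoft Defender for Endpoint code or configuration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    device: str
    account: str
    severity: str          # "high" or "medium" (constructed scale)
    seen_at: datetime


@dataclass
class ResponsePolicy:
    # Accounts that may only be disabled after human approval (e.g. break-glass admins).
    protected_accounts: frozenset = frozenset()
    # Maximum automated account disables per sliding window; the default is
    # deliberately unbounded to model an unconfigured deployment.
    max_disables_per_window: int = 10**9
    window: timedelta = timedelta(minutes=15)


@dataclass
class Outcome:
    isolated: list = field(default_factory=list)   # devices cut off the network
    disabled: list = field(default_factory=list)   # accounts disabled automatically
    held: list = field(default_factory=list)       # (account, reason) awaiting a human


def run_auto_response(alerts, policy):
    """Apply the policy to alerts in time order and return what was done."""
    out = Outcome()
    recent_disables = []  # timestamps of automated disables inside the window
    for a in sorted(alerts, key=lambda x: x.seen_at):
        # Device isolation is the "logical air gap": only for high-severity alerts,
        # and a device is isolated once.
        if a.severity == "high" and a.device not in out.isolated:
            out.isolated.append(a.device)

        # Account disables are where the blast radius lives, so they are guarded.
        if a.account in policy.protected_accounts:
            out.held.append((a.account, "protected account; needs human approval"))
            continue
        recent_disables = [t for t in recent_disables if a.seen_at - t < policy.window]
        if len(recent_disables) >= policy.max_disables_per_window:
            out.held.append((a.account, "disable cap reached; needs human approval"))
            continue
        recent_disables.append(a.seen_at)
        out.disabled.append(a.account)
    return out


def sample_alerts():
    """Constructed burst of alerts naming administrator accounts within minutes."""
    base = datetime(2024, 1, 1, 9, 0)
    return [
        Alert("ws-01", "admin-alice", "high", base),
        Alert("ws-02", "admin-bob", "high", base + timedelta(minutes=1)),
        Alert("ws-03", "breakglass-admin", "high", base + timedelta(minutes=2)),
        Alert("ws-04", "admin-carol", "high", base + timedelta(minutes=3)),
        Alert("ws-05", "admin-dave", "high", base + timedelta(minutes=4)),
        Alert("ws-01", "svc-backup", "medium", base + timedelta(minutes=5)),
    ]


# Unconfigured: no protected accounts, no cap (hypothetical defaults).
UNCONFIGURED = ResponsePolicy()
# Tuned: break-glass admin is protected, at most two auto-disables per 15 minutes.
TUNED = ResponsePolicy(protected_accounts=frozenset({"breakglass-admin"}),
                       max_disables_per_window=2)

if __name__ == "__main__":
    for name, policy in (("unconfigured", UNCONFIGURED), ("tuned", TUNED)):
        result = run_auto_response(sample_alerts(), policy)
        print(f"{name}: isolated={result.isolated}")
        print(f"{name}: disabled={result.disabled}")
        print(f"{name}: held={result.held}")
```

Running it shows the contrast: under the unconfigured policy all six accounts, break-glass administrator included, are disabled by a five-minute burst, while the tuned policy isolates the same five devices but disables only the first two accounts and parks the other four for review. The isolation decision is left aggressive on purpose, since cutting a device off is reversible and is the part of the feature that buys time; it is the account-level actions that need the allowlist and the cap.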
#endpoint-security #automated-incident-response #device-isolation #defender-for-endpoint #attack-disruption
Read at Computerworld