Microsoft Adds Automated Endpoint Isolation to Strengthen Cyber Defense

Microsoft is advancing its automated cyber defence strategy with a new capability in Microsoft Defender for Endpoint that isolates compromised devices as soon as malicious activity is detected.

The feature, released as a preview, is designed to curb the most damaging stage of an intrusion by cutting an affected endpoint off from the broader corporate network while keeping a secure connection to Microsoft's Defender service. By folding this capability into its automatic attack disruption framework, Microsoft aims to speed up containment, shrink the attacker's operating window, and give security teams time to investigate and remediate during the critical early moments of a breach without depending solely on manual intervention.
Microsoft introduced the feature earlier this month as part of ongoing enhancements to Microsoft Defender; a timeline for general availability has not yet been provided. While Microsoft presents automated response as a way to act quickly during an active intrusion, security researchers caution that such systems must be deployed with carefully defined safeguards.
In addition, a recent SANS Institute report outlined a potential risk scenario in which threat actors could manipulate automated disruption workflows to interfere with administrator accounts, potentially resulting in difficulties during incident response.
According to Johannes Ullrich, Dean of Research at SANS Institute, automated isolation and attack disruption technologies have existed in both commercial and open-source security platforms for years, yet their effectiveness relies heavily on how they are configured and tuned. 
As Ullrich points out, organisations with limited security resources stand to benefit significantly from automated containment, but poorly configured policies may let attackers delay remediation by turning the automation against privileged accounts. Nonetheless, industry experts agree that automation has become increasingly important as ransomware and malware operations execute at machine speed.
According to analyst Robert Enderle, by the time a human analyst identifies malicious activity, adversaries may already have established persistence, expanded their foothold, or begun encrypting data. The new capability is meant to close this gap: Microsoft Defender XDR automatically isolates workstations subject to ransomware or advanced intrusion activity once high-confidence indicators are detected.
While the network access is severed to prevent command-and-control communications, lateral movement, and data exfiltration, the endpoint is still connected to Microsoft Defender services, which enables continuous telemetry collection, remote investigation, and forensic analysis.
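The two design points above (an isolation that keeps only the management channel open, and Ullrich's warning that badly tuned automation can be turned against privileged accounts) are easy to reason about with a small model. The following is an added illustration written for this page, not Microsoft's code and not a description of how Defender's attack disruption is actually implemented: the alert fields, the confidence threshold, the break-glass account names, the blast-radius cap and the management hostname are all assumptions chosen for the example.

```python
"""Illustrative guardrails for an automated containment decision.

Not Microsoft's implementation: the Alert shape, thresholds, account names and
management allow-list below are assumptions made up for this example.
"""
from dataclasses import dataclass, field


@dataclass
class Alert:
    device: str
    user: str            # account whose activity raised the alert
    confidence: float    # 0.0 - 1.0 detection confidence (assumed scale)
    technique: str       # free-text label, e.g. "ransomware-encryption"
    is_server: bool = False


@dataclass
class ContainmentPolicy:
    # Only "high-confidence" indicators may trigger automatic isolation.
    confidence_threshold: float = 0.9
    # Break-glass / tier-0 accounts that automation never acts against on its
    # own. Without such an exclusion an attacker who can raise alerts in the
    # name of these accounts could lock responders out (the SANS scenario).
    protected_accounts: frozenset = frozenset({"breakglass-admin", "ir-oncall"})
    # Blast-radius cap: after this many automatic isolations a human must
    # approve further ones, so a flood of alerts cannot take down a whole site.
    max_auto_isolations: int = 5
    auto_isolated: set = field(default_factory=set)

    def decide(self, alert: Alert):
        """Return (action, reason). Actions: auto-isolate, needs-approval, no-action."""
        if alert.confidence < self.confidence_threshold:
            return "no-action", "below confidence threshold"
        if alert.is_server:
            # The article notes the preview covers managed workstations only.
            return "needs-approval", "servers are not auto-isolated"
        if alert.user in self.protected_accounts:
            return "needs-approval", "protected account; manual review required"
        if alert.device not in self.auto_isolated and \
                len(self.auto_isolated) >= self.max_auto_isolations:
            return "needs-approval", "blast-radius cap reached"
        self.auto_isolated.add(alert.device)
        return "auto-isolate", "high-confidence indicator"


# Hostname/port an isolated device may still reach. Placeholder value: the real
# Defender service endpoints are not given on the page.
MANAGEMENT_ALLOWLIST = frozenset({("defender.example.invalid", 443)})


def egress_allowed(isolated: bool, dest_host: str, dest_port: int) -> bool:
    """Isolation is default-deny with an explicit allow-list for management traffic."""
    if not isolated:
        return True
    return (dest_host, dest_port) in MANAGEMENT_ALLOWLIST


def simulate():
    """Run a constructed batch of alerts through the policy (sample data, not real telemetry)."""
    policy = ContainmentPolicy()
    alerts = [
        Alert("ws-01", "jdoe", 0.97, "ransomware-encryption"),
        Alert("ws-02", "jdoe", 0.60, "suspicious-script"),
        Alert("ws-03", "breakglass-admin", 0.99, "credential-theft"),
        Alert("srv-01", "svc-backup", 0.95, "ransomware-encryption", is_server=True),
    ]
    return [(a.device, policy.decide(a)[0]) for a in alerts]


if __name__ == "__main__":
    for device, action in simulate():
        print(f"{device}: {action}")
    print("C2 from isolated host:", egress_allowed(True, "c2.example.invalid", 443))
```

The trade-off the policy makes explicit: excluding break-glass accounts protects responders from being locked out by manipulated automation, but it also means a genuine compromise of those accounts is not contained automatically, so they need their own monitoring and should be few and rarely used. The page does not state how Defender's real exclusion or approval mechanics work; treat the thresholds and caps here as parameters an organisation has to tune, which is precisely Ullrich's point.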

The functionality is currently restricted to managed devices enrolled in Microsoft Defender for Endpoint and does not yet extend to servers or unmanaged assets. 

Defender XDR integrates signals from endpoints, identities, email environments, and SaaS applications, correlating them into a single incident view and triggering containment actions once malicious activity reaches a defined level of confidence.
With a focus on isolated devices rather than wider network segments, the platform aims to contain threats with

[…]

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents