71% of human-operated ransomware cases are initiated by an unmanaged device, usually internet-facing, that is compromised and is then used to move laterally and compromise more devices. Starting today, when a device that is not enrolled in Microsoft Defender for Endpoint is suspected of being compromised, you, as a SOC analyst, will be able to “Contain” it. As a result, any device enrolled in Microsoft Defender for Endpoint will block all incoming and outgoing communication with the suspected device.
While devices enrolled in Microsoft Defender for Endpoint can be isolated to prevent bad actors from compromising other devices, responding to a compromised device not enrolled in Microsoft Defender for Endpoint can be a challenge for organizations today, especially where:
Microsoft has made significant efforts to create visibility into devices that are unknown to the organization, https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/endpoint-discovery-navigating... and we’re happy to announce that we have added a new response action that provides the ability to “Contain” devices that are not enrolled.
Fig. A – Contain device option in the device response action menu.
Fig. B – Illustration of enrolled Microsoft Defender for Endpoint devices blocking communication to/from an unmanaged device.
Note: Only devices running Windows 10 and above will perform the Contain action, meaning that at this time only devices running Windows 10 and above that are enrolled in Microsoft Defender for Endpoint will block “contained” devices. Please stay tuned as we continue to build out additional platform support for this feature in the future.
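To make the enforcement semantics and the platform caveat concrete, here is an added Python model of the behaviour described above. It is an illustration written for this post, not Microsoft Defender for Endpoint code, and it does not show how the product implements blocking. The device inventory, hostnames and OS labels are constructed for the example, and the assumption that a device record carries its OS name and enrollment state is ours. What it demonstrates is the coverage gap a SOC analyst should keep in mind: a contained device is cut off only from enrolled Windows 10+ endpoints, so it can still reach unmanaged devices and enrolled devices on older Windows versions.

```python
"""Model of the 'Contain device' enforcement semantics described in the post.

Added illustration, not Microsoft Defender for Endpoint code. Assumptions
(not from the post): devices are identified by hostname, a device record
carries its OS name and enrollment state, and enforcement happens on the
enrolled, Windows 10+ endpoint that is a party to the connection.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Device:
    name: str
    os: str          # e.g. "Windows 10", "Windows 7", "Embedded" (constructed labels)
    enrolled: bool   # enrolled in Microsoft Defender for Endpoint


def enforces_contain(dev: Device) -> bool:
    """Per the post, only enrolled devices on Windows 10 and above block
    traffic to/from a contained device. OS strings that do not parse as
    'Windows <major>' are treated as non-enforcing in this model."""
    if not dev.enrolled or not dev.os.startswith("Windows "):
        return False
    try:
        major = int(dev.os.split()[1])
    except (IndexError, ValueError):
        return False
    return major >= 10


@dataclass
class Tenant:
    devices: dict[str, Device]
    contained: set[str] = field(default_factory=set)

    def contain(self, name: str) -> None:
        """SOC 'Contain' action. The post describes it for devices that are
        not enrolled; enrolled devices are handled by device isolation."""
        dev = self.devices[name]
        if dev.enrolled:
            raise ValueError(f"{name} is enrolled; use device isolation instead")
        self.contained.add(name)

    def allowed(self, src: str, dst: str) -> bool:
        """Would a connection src -> dst be permitted? It is blocked when one
        party is contained and the other party enforces containment."""
        a, b = self.devices[src], self.devices[dst]
        if a.name in self.contained and enforces_contain(b):
            return False
        if b.name in self.contained and enforces_contain(a):
            return False
        return True

    def unprotected_peers(self, contained_name: str) -> list[str]:
        """Devices that will still communicate with the contained device,
        i.e. the coverage gap left after the Contain action."""
        return sorted(d.name for d in self.devices.values()
                      if d.name != contained_name and not enforces_contain(d))


def build_sample_tenant() -> Tenant:
    # Constructed inventory for the example (hostnames and OS labels are made up).
    devs = [
        Device("web-dmz-01", "Windows Server 2012", False),  # unmanaged, internet-facing
        Device("ws-finance-07", "Windows 10", True),         # enrolled, enforces
        Device("ws-legacy-02", "Windows 7", True),           # enrolled but pre-Win10
        Device("srv-files-01", "Windows 11", True),          # enrolled, enforces
        Device("printer-3f", "Embedded", False),             # unmanaged, no enforcement
    ]
    return Tenant({d.name: d for d in devs})


if __name__ == "__main__":
    tenant = build_sample_tenant()
    tenant.contain("web-dmz-01")
    for dst in tenant.devices:
        if dst != "web-dmz-01":
            print(f"web-dmz-01 -> {dst}: {'allowed' if tenant.allowed('web-dmz-01', dst) else 'blocked'}")
    print("still reachable:", tenant.unprotected_peers("web-dmz-01"))
```

Running the script shows the contained DMZ host blocked from the Windows 10 and Windows 11 endpoints but still able to reach the enrolled Windows 7 workstation and the unmanaged printer; `unprotected_peers` is the list an analyst would review when deciding whether the Contain action alone is sufficient or whether those peers need separate handling.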
Additional information on how the Contain feature works:
How to get started?
For detailed information on this capability, please visit our documentation.