  • Microsoft Defender can now isolate compromised Linux endpoints

    alf9872000

    Microsoft announced today that it added device isolation support to Microsoft Defender for Endpoint (MDE) on onboarded Linux devices.


    Enterprise admins can manually isolate Linux machines enrolled as part of a public preview using the Microsoft 365 Defender portal or via API requests.


    Once isolated, threat actors will no longer have a connection to the breached system, cutting off their control and blocking malicious activity like data theft.


    "Some attack scenarios may require you to isolate a device from the network. This action can help prevent the attacker from controlling the compromised device and performing further activities such as data exfiltration and lateral movement," Microsoft explained.


    "Just like in Windows devices, this device isolation feature disconnects the compromised device from the network while retaining connectivity to the Defender for Endpoint service, while continuing to monitor the device."


    Isolated devices can be reconnected to the network as soon as the threat has been mitigated using the "Release from isolation" button on the device page or an 'unisolate' HTTP API request.
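The isolate / release cycle described above, as an added example that is not part of the article or Microsoft's own code: a small client for the MDE response-action API with an injected transport so it runs offline. The endpoint paths (`/machines/{id}/isolate`, `/machines/{id}/unisolate`, `/machineactions/{id}`), the `Comment` and `IsolationType` body fields and the action status values are taken from Microsoft's public API documentation as the author recalls it and should be treated as assumptions to verify; the token and machine id are placeholders.

```python
from typing import Any, Callable, Dict, List, Optional, Tuple

# Assumed endpoint base, per Microsoft's public MDE API documentation (verify before use).
BASE_URL = "https://api.securitycenter.microsoft.com/api"
Transport = Callable[[str, str, Dict[str, str], Optional[Dict[str, Any]]], Dict[str, Any]]


class MdeResponseClient:
    """Isolate / release a device and track the asynchronous machine action."""

    def __init__(self, token: str, send: Transport):
        self._headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
        self._send = send  # injected transport: send(method, url, headers, body) -> parsed JSON

    def isolate(self, machine_id: str, comment: str) -> Dict[str, Any]:
        # Full isolation: the device loses network access except its channel to the Defender service.
        body = {"Comment": comment, "IsolationType": "Full"}
        return self._send("POST", f"{BASE_URL}/machines/{machine_id}/isolate", self._headers, body)

    def unisolate(self, machine_id: str, comment: str) -> Dict[str, Any]:
        return self._send("POST", f"{BASE_URL}/machines/{machine_id}/unisolate", self._headers, {"Comment": comment})

    def wait_for_action(self, action_id: str, max_polls: int = 10) -> str:
        # Response actions are asynchronous: poll the MachineAction until it leaves Pending/InProgress.
        for _ in range(max_polls):
            status = self._send("GET", f"{BASE_URL}/machineactions/{action_id}", self._headers, None)["status"]
            if status not in ("Pending", "InProgress"):
                return status
        return "Timeout"


class FakeTransport:
    """Constructed stand-in for the service so the example runs offline; records each
    request and settles every action after two status polls."""

    def __init__(self) -> None:
        self.calls: List[Tuple[str, str]] = []
        self._polls = 0

    def __call__(self, method: str, url: str, headers: Dict[str, str], body: Optional[Dict[str, Any]]) -> Dict[str, Any]:
        self.calls.append((method, url[len(BASE_URL):]))
        if method == "POST":
            self._polls = 0
            return {"id": "act-1", "status": "Pending"}
        self._polls += 1
        return {"id": "act-1", "status": "Succeeded" if self._polls >= 2 else "InProgress"}


def contain_and_release(machine_id: str) -> Dict[str, Any]:
    """Full cycle against the fake service: isolate, confirm, then release once mitigated."""
    transport = FakeTransport()
    client = MdeResponseClient("<token-placeholder>", transport)
    isolate_status = client.wait_for_action(client.isolate(machine_id, "Suspected compromise, containing")["id"])
    release_status = client.wait_for_action(client.unisolate(machine_id, "Threat mitigated, releasing")["id"])
    return {"isolate": isolate_status, "release": release_status, "calls": transport.calls}
```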


    This new feature is supported on all MDE Linux-supported distros listed on the System requirements page.


    Linux device isolation via M365 Defender portal (Microsoft)


    On Linux endpoints, Microsoft Defender for Endpoint is a command-line product with antimalware and EDR (endpoint detection and response) capabilities designed to send all threat info it detects to the Microsoft 365 Defender portal.


    Admins with MDE subscriptions can deploy and configure it on Linux devices manually or with the Puppet, Ansible, and Chef configuration management tools.


    The enterprise endpoint security solution was made generally available for Linux and Android in June 2020 after entering public preview in February 2020, with support for several Linux server distributions.


    Two years ago, Microsoft also announced the addition of live response capabilities for Linux devices in Microsoft Defender for Endpoint and included support for identifying and assessing the security configurations of Linux devices on enterprise networks.


    The same year, MDE's endpoint detection and response (EDR) capabilities were also made generally available on Linux servers following a public preview stage that started in November 2020.

