New Update: Prevent Compromised Unmanaged Devices from Moving Laterally

upnorth

71% of human-operated ransomware cases are initiated by an unmanaged device, usually internet-facing, that is compromised and is then used to move laterally and compromise more devices. Starting today, when a device that is not enrolled in Microsoft Defender for Endpoint is suspected of being compromised, as a SOC analyst, you will be able to “Contain” it. As a result, any device enrolled in Microsoft Defender for Endpoint will now block any incoming/outgoing communication with the suspected device.

While devices enrolled in Microsoft Defender for Endpoint can be isolated to prevent bad actors from compromising other devices, responding to a compromised device not enrolled in Microsoft Defender for Endpoint can be a challenge for organizations today, especially where:
  • No Network Access Control enforcement means isolation of an IoT device requires physical access.
  • Locating the device and its owner may take time.
  • It takes time to close the loop between the SOC analyst identifying the threat and the network team/IT remediating the threat, meaning that in many cases the device may have already compromised others.
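The containment rule the post describes is enforced only by enrolled devices, so a useful first check after containing a host is which of its neighbours are still open. The following is an added example (not code from the post or from Microsoft) that models that rule over a constructed, hypothetical inventory; the host names and links are assumptions, not real data.

```python
# Constructed sample inventory (assumption, not taken from the post):
# enrolled hosts run Defender for Endpoint; unmanaged hosts enforce nothing.
ENROLLED = {"fs01", "dc01", "ws-alice"}
UNMANAGED = {"printer-lobby", "cam-03", "nas-legacy"}

# Which hosts can talk to each other on the modelled network segment.
LINKS = {
    "cam-03": {"printer-lobby", "fs01", "ws-alice"},
    "printer-lobby": {"cam-03", "nas-legacy", "dc01"},
    "nas-legacy": {"printer-lobby", "fs01"},
    "fs01": {"cam-03", "nas-legacy", "dc01"},
    "dc01": {"printer-lobby", "fs01", "ws-alice"},
    "ws-alice": {"cam-03", "dc01"},
}


def allowed(src, dst, contained):
    """Model of the Contain rule from the post: an enrolled device drops
    both inbound and outbound traffic with a contained device.
    Unmanaged devices enforce nothing, so unmanaged-to-unmanaged stays open."""
    if src in contained and dst in ENROLLED:
        return False
    if dst in contained and src in ENROLLED:
        return False
    return True


def direct_peers(device, contained):
    """Neighbours the device can still exchange traffic with directly."""
    return {peer for peer in LINKS.get(device, ()) if allowed(device, peer, contained)}


def contain_effect(device):
    """Compare reachability before and after containing `device`.
    'still_open' lists peers where Contain gives no coverage; those are the
    hosts that still need NAC or physical isolation, as the post's bullets note."""
    before = direct_peers(device, set())
    after = direct_peers(device, {device})
    return {"blocked": before - after, "still_open": after}


if __name__ == "__main__":
    # Example run: contain the suspected IoT camera and report the gap.
    print(contain_effect("cam-03"))
```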