A few days ago Microsoft announced that it has added device isolation support to Microsoft Defender for Endpoint (MDE) for enrolled Linux devices.
It is worth mentioning that for many this kind of move by Microsoft is not a big deal, far from it, and I can certainly agree with you, but personally I found the news interesting: business environments and the like, which are governed by certain requirements and above all by documentation, can see some benefit from it, and it is a small indirect grain of sand toward Linux being taken a little more into account, especially in environments that are built around the use of Microsoft products.
On the subject, Microsoft notes that administrators can now manually isolate enrolled Linux machines through the Microsoft 365 Defender portal or through API requests.
Once a device is isolated, an attacker who has compromised it no longer has a network connection to it, which cuts off their control and blocks malicious activities such as data theft. The device isolation feature is in public preview and reflects what the product already does for Windows systems.
“Some attack scenarios may require you to isolate a device from the network. This action can help prevent the attacker from gaining control of the compromised device and performing other activities, such as data exfiltration and lateral movement. Similar to Windows devices, this device isolation feature disconnects the compromised device from the network while maintaining connectivity to the Defender for Endpoint service, while continuing to monitor the device,” Microsoft explained. According to the software giant, when the device is isolated, the processes and web destinations that are allowed are restricted.
This means that if the device sits behind a full VPN tunnel, the Microsoft Defender for Endpoint cloud services will not be reachable once it is isolated. Microsoft therefore recommends that customers use a split-tunnel VPN for cloud-bound traffic, for both Defender for Endpoint and Defender Antivirus.
Once the situation that caused the isolation is resolved, administrators can reconnect the device to the network. Isolation can also be performed via the API. Users can open the device page of a Linux system in the Microsoft 365 Defender portal, where they will see an “Isolate device” option at the top right, among other actions.
Microsoft has described the APIs to isolate the device and release it from the block.
Isolated devices can be reconnected to the network as soon as the threat has been mitigated, via the “Release from isolation” button on the device page or the corresponding “unisolate” HTTP API request. Linux distributions that can run Microsoft Defender for Endpoint include Red Hat Enterprise Linux (RHEL), CentOS, Ubuntu, Debian, SUSE Linux, Oracle Linux, Fedora Linux, and Amazon Web Services (AWS) Linux. This new feature on Linux systems mirrors the existing feature on Microsoft Windows systems.
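The isolate/release flow described above, driven from the API rather than the portal, as an added example (this is not code from the article or from Microsoft). It assumes the public Defender for Endpoint API host `https://api.securitycenter.microsoft.com` and the `/api/machines/{id}/isolate` and `/api/machines/{id}/unisolate` actions with a JSON body carrying `Comment` and, for isolation, `IsolationType` (`Full` or `Selective`), as documented in Microsoft's API reference; the bearer token is assumed to come from an environment variable `MDE_TOKEN`, and the device id `MACHINE_ID` is a constructed placeholder. The request-building step is separated from the network call so the audit comment and action are validated before anything is sent.

```python
"""Isolate and release an MDE-enrolled Linux device via the Defender for
Endpoint REST API. Added example; assumptions are marked in comments."""
import json
import os
import urllib.request

API_BASE = "https://api.securitycenter.microsoft.com"  # assumption: public cloud API host
MACHINE_ID = "0000000000000000000000000000000000000000"  # constructed placeholder device id
ACTIONS = ("isolate", "unisolate")          # API action names (Microsoft API reference)
ISOLATION_TYPES = ("Full", "Selective")     # accepted IsolationType values (API reference)


def build_isolation_request(machine_id, action, comment, isolation_type="Full"):
    """Return (url, body) for an isolate or release call. No network traffic.

    Validation happens here so that a missing audit comment or a bad action
    fails locally instead of producing a 4xx from the service.
    """
    if action not in ACTIONS:
        raise ValueError(f"action must be one of {ACTIONS}, got {action!r}")
    if not comment or not comment.strip():
        raise ValueError("a non-empty Comment is required; it is recorded in the action log")
    body = {"Comment": comment.strip()}
    if action == "isolate":
        # The article only describes full network isolation; "Selective" is
        # accepted by the API but its Linux behaviour is not covered here.
        if isolation_type not in ISOLATION_TYPES:
            raise ValueError(f"isolation_type must be one of {ISOLATION_TYPES}")
        body["IsolationType"] = isolation_type
    url = f"{API_BASE}/api/machines/{machine_id}/{action}"
    return url, body


def send_action(url, body, token, timeout=30):
    """POST the prepared request; returns the parsed JSON machine-action record."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Dry run by default: print the requests; only send when MDE_TOKEN is set.
    token = os.environ.get("MDE_TOKEN")
    isolate_url, isolate_body = build_isolation_request(
        MACHINE_ID, "isolate", "Incident placeholder: suspected data exfiltration from host"
    )
    release_url, release_body = build_isolation_request(
        MACHINE_ID, "unisolate", "Incident placeholder: threat mitigated, restoring connectivity"
    )
    for url, body in ((isolate_url, isolate_body), (release_url, release_body)):
        print("POST", url, json.dumps(body))
        if token:
            print(json.dumps(send_action(url, body, token), indent=2))
```

Run it without `MDE_TOKEN` to see the two requests that would be issued; with a token it performs the isolation and then the release, so in practice you would call only one of the two per incident and keep the comment tied to your ticket, since it is the only free-text audit trail the action record carries.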
For those unaware of Microsoft Defender for Endpoint on Linux: it is a command-line product with anti-malware and endpoint detection and response (EDR) features, designed to send all the threat information it detects to the Microsoft 365 Defender portal.
Linux device isolation is the latest security feature that Microsoft has added to the cloud service. Earlier this month, the company expanded Defender for Endpoint tamper protection to cover antivirus exclusions. This is all part of a larger pattern of hardening Defender with an eye toward open source.
At its Ignite show in October 2022, Microsoft announced the integration of the open source network monitoring platform Zeek as part of Defender for Endpoint for deep packet inspection of network traffic.
Finally, if you are interested in learning more about it, you can consult the details in the following link.