
When threat actors gain a foothold on an endpoint, security teams need to act fast to resolve the problem. One of the most efficient methods of threat defense is endpoint isolation, a practice where all traffic to and from an infected endpoint is halted. This approach is very effective for threat defense, especially because it prevents the infection from spreading throughout the corporate network. 

What Is Endpoint Isolation? 

Endpoint isolation is, in simple terms, the act of cutting off all traffic to and from an infected computer. When an active malware infection is detected, the affected computer is quarantined from the rest of the network. By isolating the infected endpoint, security teams interrupt attack chains and prevent lateral movement and propagation of attacks. 

Isolating an infected endpoint is a very effective method of threat defense. Cutting off network traffic to or from the affected system essentially “starves” any malware on the system. Malware can’t reach out to any command and control servers, and thus the attack chain is interrupted. As a result, security teams gain time to respond to the infection and perform remediation tasks.

In general, there are three types of endpoint isolation: 

  • Network isolation – Restricts network communication from the endpoint, typically by blocking all inbound and outbound traffic except a management channel back to the security tooling. A process on the host can no longer reach the internet or other machines on the network when it runs.
  • Process isolation – Restricts which processes can start, run, and function on the endpoint. This form of isolation prevents affected processes from launching, and stops them if they are already running when it is put in place.
  • Desktop isolation – Immediately halts further interaction with the endpoint. The machine is completely locked down and end users can no longer use it.

These types might look like tiers of escalating severity. Desktop isolation, which locks the user out entirely, is certainly more disruptive than restricting network communication. In practice, though, they are independent controls that can be applied individually or in any combination at the same time. They are not like the DEFCON scale in the United States military, where each step up the scale triggers a fixed set of additional actions.

Endpoint Isolation Use Cases

There are a few use cases for isolating endpoints. One of the main ones is to prevent lateral movement. When an endpoint is isolated, the malware infecting it can’t move from system to system. Blocking lateral movement through the network keeps threat actors from reaching their goal, whether that is encryption and exfiltration, credential theft, or something else. Isolating the endpoint also cuts the malware off from its command and control servers, so it can’t receive instructions or send data out; the result is often malware sitting dormant on the initial endpoint until responders remove it.

Incident response is also streamlined with endpoint isolation. Once the endpoint is isolated, incident responders can investigate the infection more thoroughly and resolve any lingering issues without racing the attacker. They also have more time for digital forensics to identify the source and type of infection. Ultimately, isolating the endpoint gives DFIR teams more flexibility.

The ability to isolate endpoints quickly also limits the attack surface available to an intruder. Once a compromised host is cut off, it can no longer be used as a pivot point into the rest of the network, and the window in which the compromise can be exploited shrinks. That reduces the overall risk of a single infection turning into an enterprise-wide incident.

Endpoint Isolation Best Practices

Effective endpoint isolation requires a solution built to cut off communication from infected endpoints at will. Before that, however, security teams need an accurate inventory: how many endpoints they are responsible for, which operating systems are deployed, and which endpoints are critical to the business. That inventory gives security teams a richer picture of their environment and tells them in advance which hosts can be isolated outright and which need more careful handling.

Endpoint isolation needs to be centrally managed. It is not something end users should have access to; instead, it should be triggered either manually by the security team or automatically through security policies tied to detections. This dual approach gives security teams greater control over isolation in practice, and keeps the decision to cut a machine off in the hands of the people who can also release it.

Similarly, firewalls need to be configured to work in concert with endpoint isolation systems. Windows Defender Firewall, with the right policies and controls in place, can serve as part of a core isolation practice. With the right setup, a policy that sets the default inbound and outbound action to Block and allows only traffic to the security team's management server can be pushed to an endpoint the moment a detection fires. The one thing such a policy must never block is the endpoint's channel back to the agent or collector; an isolated host that the security team can no longer reach is a host they can no longer investigate or release.
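The following script is an added example, not Blumira's code, showing how the Windows Defender Firewall approach described above can be applied from PowerShell on a single host. It disables the existing allow rules, sets both profile defaults to Block, and then carves out a single outbound exception for the management server so the security team keeps its channel. The management server address and port are assumptions; the script records the previously enabled rules so that the `Release` action can restore the host afterwards.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not Blumira's code). Network-isolates a Windows host with the
  built-in Windows Defender Firewall while preserving one management channel.
  Usage:  .\Isolate-Host.ps1 -Action Isolate -ManagementIP 10.0.0.5
          .\Isolate-Host.ps1 -Action Release
#>
param(
    [ValidateSet('Isolate', 'Release')]
    [string]$Action = 'Isolate',
    # Assumed collector/EDR address. Use an IP, not a hostname: DNS is blocked once isolated.
    [string]$ManagementIP = '10.0.0.5',
    [int]$ManagementPort = 443,
    # Where the list of previously enabled rules is saved for Release
    [string]$StatePath = "$env:ProgramData\IsolationState.json"
)

$Tag = 'IR-Isolation'   # prefix for every rule this script creates

function Invoke-Isolate {
    # Remember which rules were enabled so Release can put them back
    $enabled = Get-NetFirewallRule -Enabled True | Select-Object -ExpandProperty Name
    $enabled | ConvertTo-Json | Set-Content -Path $StatePath

    # Disable every currently enabled rule. Setting the profile default to Block
    # is not enough on its own: built-in allow rules would still let traffic through.
    Get-NetFirewallRule -Enabled True | Disable-NetFirewallRule

    # Default-deny in both directions on every profile, with the firewall on
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Block

    # The one exception: outbound TCP to the management server only.
    # Stateful filtering lets the server's replies back in.
    New-NetFirewallRule -Name "$Tag-Mgmt-Out" -DisplayName "$Tag management (out)" `
        -Direction Outbound -Action Allow -Protocol TCP `
        -RemoteAddress $ManagementIP -RemotePort $ManagementPort -Profile Any | Out-Null

    # Let DHCP renew so a long isolation does not cost the host its address
    New-NetFirewallRule -Name "$Tag-DHCP-Out" -DisplayName "$Tag DHCP (out)" `
        -Direction Outbound -Action Allow -Protocol UDP `
        -LocalPort 68 -RemotePort 67 -Profile Any | Out-Null

    Write-Host "Isolated $env:COMPUTERNAME; only ${ManagementIP}:$ManagementPort is reachable."
}

function Invoke-Release {
    # Remove the isolation-only rules, restore outbound default, re-enable saved rules
    Get-NetFirewallRule -Name "$Tag-*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    Set-NetFirewallProfile -Profile Domain,Private,Public `
        -DefaultInboundAction Block -DefaultOutboundAction Allow
    if (Test-Path $StatePath) {
        Get-Content $StatePath | ConvertFrom-Json | ForEach-Object { Enable-NetFirewallRule -Name $_ }
        Remove-Item $StatePath
    }
    Write-Host "Released $env:COMPUTERNAME from isolation."
}

switch ($Action) {
    'Isolate' { Invoke-Isolate }
    'Release' { Invoke-Release }
}
```

In line with the central-management practice above, a script like this belongs in the security team's RMM or EDR tooling, run against a host in response to a detection, rather than in the hands of end users. Two caveats a practitioner should check first: on domain-joined machines a Group Policy firewall configuration can override or merge with local rules, so in that environment the isolation policy itself should be delivered through Group Policy; and because this is network isolation only, an attacker who already holds local administrator rights can undo it, which is why the firewall control should sit alongside agent tamper protection rather than replace it.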

How Blumira Isolates Endpoints

Secure work-from-home employee devices with Blumira Agent: easy-to-use endpoint security designed for SMBs. Blumira Agent collects remote Windows endpoint logs, sending them directly to Blumira’s platform for analysis, detection and threat response. Blumira provides visibility into your entire network to identify attacker activity early so small IT teams can quickly isolate devices, containing threats like ransomware to prevent a data breach. Get a personalized walkthrough on how Blumira Agent can help your organization.
