Microsoft updates Defender to let organizations isolate Linux machines from their networks in the event of an intrusion or other security threat

Microsoft announced on Monday that it has added support for Microsoft Defender for Endpoint (MDE) device isolation on embedded Linux devices. Enterprise admins can now manually isolate enrolled Linux machines from the Microsoft 365 Defender portal or via API requests. Once a device is isolated, threat actors no longer have a connection to the infected system, which cuts off their control and blocks malicious activity such as data theft. The device isolation feature is in public preview and mirrors what the product already does for Windows systems.

Some attack scenarios may require you to isolate a device from the network. This action can help prevent the attacker from controlling the compromised device and performing other activities such as data exfiltration and lateral movement. Similar to Windows devices, this device isolation feature disconnects the compromised device from the network while maintaining connectivity to the Defender for Endpoint service and continuing to monitor the device, Microsoft explained. According to the software giant, an isolated device is restricted in the processes and web destinations that are allowed.

This means that if the device sits behind a full VPN tunnel, it will not be able to reach Microsoft's Defender for Endpoint cloud services. Microsoft recommends that customers use a split-tunnel VPN for cloud-bound traffic from both Defender for Endpoint and Defender Antivirus. Once the situation that caused the isolation is resolved, admins can reconnect the device to the network. Isolation is driven through APIs. Admins can open the device page of a Linux system in the Microsoft 365 Defender portal, where an "Isolate device" option appears in the top right among the other actions.

Microsoft has documented APIs both to isolate a device and to release it from lockdown. Isolated devices can be reconnected to the network as soon as the threat has been mitigated, using the "Release from isolation" button on the device page or an "unisolate" HTTP API request. Linux distributions that can run Microsoft Defender for Endpoint include Red Hat Enterprise Linux (RHEL), CentOS, Ubuntu, Debian, SUSE Linux, Oracle Linux, Fedora Linux, and Amazon Linux (AWS). This new Linux feature mirrors an existing capability on Microsoft Windows systems.
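The two API calls described above (isolate a device, then release it) can be driven from a small automation script. The following Python is an added example, not code from the article or from Microsoft: it assumes the MDE machine-actions endpoints `POST .../machines/{id}/isolate` and `POST .../machines/{id}/unisolate` with bearer-token authentication, and the device id, token and comments are constructed placeholders. The request is built separately from sending it, so an incident responder can log or review the action before it is executed.

```python
"""Build, validate and interpret Microsoft Defender for Endpoint (MDE) machine
actions that isolate a Linux device or release it again.

Added example, not code from the article or from Microsoft. It assumes the
documented MDE machine-actions API (POST .../machines/{id}/isolate and
.../machines/{id}/unisolate, bearer-token auth with the Machine.Isolate
permission). Device ids, tokens and comments below are constructed placeholders.
"""
import json
import urllib.request
from typing import Any

# Assumed API base for the MDE security-center API (confirm for your tenant).
API_BASE = "https://api.securitycenter.microsoft.com/api"

# Assumed terminal status values of the MachineAction entity the API returns.
TERMINAL_STATUSES = {"Succeeded", "Failed", "Cancelled"}


def build_machine_action(machine_id: str, action: str, comment: str,
                         token: str, isolation_type: str = "Full") -> dict[str, Any]:
    """Describe the HTTP request for an 'isolate' or 'unisolate' action without
    sending it, so the action can be reviewed or logged before execution."""
    if action not in ("isolate", "unisolate"):
        raise ValueError(f"unsupported machine action: {action!r}")
    if not machine_id.strip():
        raise ValueError("machine_id must be the MDE device id, not empty")
    if not comment.strip():
        # The API takes a Comment; insisting on one (e.g. a ticket id) keeps
        # the audit trail of why the device was cut off the network.
        raise ValueError("a non-empty comment (e.g. incident ticket id) is required")
    body: dict[str, Any] = {"Comment": comment}
    if action == "isolate":
        # "Full" isolation is the mode the article describes for Linux; it is
        # passed explicitly so the request body is self-describing.
        body["IsolationType"] = isolation_type
    return {
        "method": "POST",
        "url": f"{API_BASE}/machines/{machine_id}/{action}",
        "headers": {"Authorization": f"Bearer {token}",
                    "Content-Type": "application/json"},
        "body": body,
    }


def send_machine_action(request: dict[str, Any]) -> dict[str, Any]:
    """Send a request built above and return the parsed MachineAction JSON.
    Not exercised offline; needs a valid token and network access."""
    data = json.dumps(request["body"]).encode("utf-8")
    req = urllib.request.Request(request["url"], data=data,
                                 headers=request["headers"], method=request["method"])
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def summarize_machine_action(action: dict[str, Any]) -> dict[str, Any]:
    """Reduce a MachineAction response to what an operator needs: which action,
    on which device, and whether it still needs polling. Field names follow
    the assumed MachineAction shape (id, type, status, machineId)."""
    status = action.get("status", "Unknown")
    return {
        "action_id": action.get("id"),
        "type": action.get("type"),
        "machine_id": action.get("machineId"),
        "status": status,
        "done": status in TERMINAL_STATUSES,
        "succeeded": status == "Succeeded",
    }


if __name__ == "__main__":
    # Constructed placeholder values; nothing is sent.
    isolate = build_machine_action("00000000-placeholder-device-id", "isolate",
                                   "IR-0001: suspected C2 beacon from host", "token-placeholder")
    release = build_machine_action("00000000-placeholder-device-id", "unisolate",
                                   "IR-0001: host rebuilt, releasing", "token-placeholder")
    print(json.dumps(isolate, indent=2))
    print(json.dumps(release, indent=2))
    # Constructed sample of an API response, shaped like a MachineAction entity.
    sample = {"id": "action-placeholder", "type": "Isolate",
              "machineId": "00000000-placeholder-device-id", "status": "Pending"}
    print(summarize_machine_action(sample))
```

The split between building and sending matters for incident response: isolation is disruptive, so the request (device id, reason, isolation type) should land in the case log before `send_machine_action` fires, and the returned action id should be polled until `summarize_machine_action` reports it as done rather than assumed to have succeeded.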

On Linux endpoints, Microsoft Defender for Endpoint is a command-line product with anti-malware and endpoint detection and response (EDR) capabilities designed to send all information regarding the threats it detects to the Microsoft 365 Defender Portal. According to the Redmond firm, administrators with a Microsoft Defender for Endpoint subscription can deploy and configure it on Linux devices manually or using Puppet, Ansible and Chef configuration management tools.

Linux device isolation is the latest security feature Microsoft has recently integrated into the cloud service. Earlier this month, the company expanded tamper protection for Defender for Endpoint to cover antivirus exclusions. This is all part of a broader push to strengthen Defender with an eye on open source. At its Ignite show in October 2022, Microsoft announced the integration of the open-source network monitoring platform Zeek into Defender for Endpoint for deep packet inspection of network traffic.

Also at the event, Redmond discussed new capabilities aimed at enabling security operations teams to detect command and control (C2) attacks earlier, allowing them to limit the spread of damage and suppress malicious binaries. The new feature also comes after an update to Defender for Endpoint caused panic among security professionals on Friday the 13th by inadvertently removing icons and application shortcuts from the desktop, the taskbar and the Start menu on Windows 10 and 11 systems.

Microsoft fixed the problem, but users ended up with permanently deleted files. Note that the enterprise endpoint security solution was made generally available for Linux and Android in June 2020, after entering public preview in February 2020, with support for several Linux server distributions. Two years ago, Microsoft announced the addition of live response capabilities for Linux devices in Microsoft Defender for Endpoint and included support for identifying and assessing security configurations of Linux devices on enterprise networks.

Source : Microsoft
