Questions regarding Endpoint Policies Device Isolation Settings. Need some clarification and if anyone out there is using this settings
The description states for Device Isolation - Allow computers to isolate themselves on red health
So device isolation is meant to prevent lateral movement of malware through an environment. Red Health means an active threat on the machine.
This means that a detection has occurred and the endpoint…
A computer not updated with the latest version i.e. failed update would be a yellow health state so it would not self-isolate.
It might be helpful to have a non-isolate Threat Protection policy that was cloned from your original policy. You can move computers in and out of this policy in emergency situations to clear the isolation if needed without addressing the cause.
This means that a detection has occurred and the endpoint software has been unable to remediate it. So, to prevent it from spreading, we turn on a block all traffic except to specific locations (Sophos Central and the items you put in the exclusions for Isolation) so any malware can't infect other nodes. Think of it like a portcullis slamming down keeping the invader stuck in the gatehouse.
Once the machine goes out of Red Health (the threat is no longer active) the portcullis is raised. This will happen either by the active malicious process terminating, the endpoint remediating the threat, or an admin rdp in (if you have allowed RDP in the isolation elements - if you do only allow it from specific IT controlled machines to limit exposure) and fixes the issue.
The idea for this feature is that it is an emergency safeguard so if you are going to use it - turn it on as default and understand you are taking the security posture of - I don't want things spreading through my network and I want to inspect when issues crop up. A better safe than sorry attitude.
I hope this helps.
Program Manager, Support Readiness | CISSP | Sophos Technical SupportSupport Videos | Product Documentation | @SophosSupport | Sign up for SMS AlertsIf a post solves your question use the 'Verify Answer' link.
Thank you all for the insight...much appreciated!!!!