Device Isolation Settings Questions

Question

Hello All, 
 Questions regarding Endpoint Policies Device Isolation Settings. Need some clarification and if anyone out there is using this settings 
 The description states for Device Isolation - Allow computers to isolate themselves on red health 
 
 Note: If a computer has red health, it will isolate itself from the network. It will still communicate with Sophos Central.

1. Does that mean if the computer is not updated with the latest version will the device auto isolate? 
 2. This seems like it would be a pain in the butt if you have many nodes. I'm guessing users will call and say I cant get email or access the internet 
 because the agent is not updated 
 3. Does anyone use this feature at all and how does it affect your day to day support of many nodes 
 
 Thoughts on this ...thanks

RichardP · Answer

Hi 
 So device isolation is meant to prevent lateral movement of malware through an environment. Red Health means an active threat on the machine. 
 This means that a detection has occurred and the endpoint software has been unable to remediate it. So, to prevent it from spreading, we turn on a block all traffic except to specific locations (Sophos Central and the items you put in the exclusions for Isolation) so any malware can't infect other nodes. Think of it like a portcullis slamming down keeping the invader stuck in the gatehouse. 
 Once the machine goes out of Red Health (the threat is no longer active) the portcullis is raised. This will happen either by the active malicious process terminating, the endpoint remediating the threat, or an admin rdp in (if you have allowed RDP in the isolation elements - if you do only allow it from specific IT controlled machines to limit exposure) and fixes the issue. 
 The idea for this feature is that it is an emergency safeguard so if you are going to use it - turn it on as default and understand you are taking the security posture of - I don't want things spreading through my network and I want to inspect when issues crop up. A better safe than sorry attitude. 
 
 I hope this helps.

Device Isolation Settings Questions

Top Replies