Microsoft previews automatic device isolation in Defender for Endpoint
Microsoft is previewing a new automatic device isolation capability in Defender for Endpoint’s automatic attack disruption tool to help security pros contain cyber attacks in progress on their IT networks. The company announced the capability earlier this month in a column about new features in Defender. There’s no word on when automatic device isolation will be in full production.

However, a new SANS Institute research paper warns that, in certain conditions, an attacker could leverage the new function to disable all user accounts. The lesson, said Johannes Ullrich, the institute’s dean of research, is that autonomous AI action tools have to be tuned and tested like any other automation capability.

“Automatic isolation and attack disruption are not new concepts,” Ullrich said in an email, “but ideas like these have been used in the past in open source and commercial tools. This feature is most important in organizations with under-resourced IT security teams, as it automates attack respons