Endpoint Isolation
What is Endpoint Isolation?
Endpoint Isolation: An EDR response action that severs a compromised host's network connectivity except to the security tooling, so attackers cannot move laterally while responders investigate.
Endpoint isolation — also called network containment, host quarantine, or host isolation — is a one-click response action exposed by modern EDR platforms (CrowdStrike Real Time Response, Microsoft Defender for Endpoint 'Isolate device', SentinelOne Network Isolation, Carbon Black Cb Live Response, Cortex XDR) that forces the kernel agent to drop or block all network traffic from the endpoint except to the management plane. This stops command-and-control beacons, ransomware encryption of file shares, and lateral movement immediately, giving the SOC time to investigate, collect forensic artefacts and remediate. Best practice ties isolation to playbooks in SOAR tools (Tines, XSOAR, Splunk SOAR), requires dual approval for production servers, and tests release procedures regularly so isolated machines can be safely returned to the network.
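As an added illustration (not code from this glossary or from any of the EDR/SOAR products named above), the following Python models the playbook practices the paragraph describes: isolate on a confirmed high-severity detection, require two distinct approvers before isolating a production server, let an isolated host reach only the management plane, and refuse release until the release checklist is complete. Host names, destinations, approver names and checklist steps are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed placeholder for the EDR management plane an isolated host may
# still reach; real agents use vendor-specific endpoints.
MANAGEMENT_PLANE = {"edr-console.example.internal:443"}

# Assumed release-procedure steps that must all be recorded before a host
# goes back on the network (an illustrative checklist, not a vendor's).
RELEASE_STEPS = {"malware_removed", "credentials_rotated", "forensics_collected"}

@dataclass
class Host:
    name: str
    tier: str                      # "workstation" or "production"
    isolated: bool = False
    allowed: set = field(default_factory=set)

@dataclass
class Detection:
    host: Host
    severity: str                  # "high", "medium" or "low"
    confirmed: bool                # rule- or analyst-confirmed malicious

def isolation_decision(det, approvers):
    """Playbook gate: auto-isolate on confirmed high-severity detections;
    production servers additionally need two distinct approvers."""
    if not det.confirmed or det.severity != "high":
        return "no_action"
    if det.host.tier == "production" and len(set(approvers)) < 2:
        return "await_approval"
    return "isolate"

def isolate(host):
    """Model the agent's filter: drop everything except the management plane."""
    host.isolated = True
    host.allowed = set(MANAGEMENT_PLANE)
    return host

def can_reach(host, destination):
    """True if the host's current network filter passes traffic to destination."""
    return (not host.isolated) or destination in host.allowed

def release(host, checklist):
    """Return (released, missing_steps); the host stays isolated until every
    release step in the checklist is marked done."""
    missing = sorted(RELEASE_STEPS - {s for s, done in checklist.items() if done})
    if missing:
        return False, missing
    host.isolated, host.allowed = False, set()
    return True, []
```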
● Examples
- 01: CrowdStrike Real Time Response isolating an executive laptop within seconds of a Cobalt Strike beacon detection.
- 02: Microsoft Defender for Endpoint 'Isolate device' action triggered automatically by a SOAR playbook on confirmed ransomware behavior.
● Frequently asked questions
What is Endpoint Isolation?
An EDR response action that severs a compromised host's network connectivity except to the security tooling, so attackers cannot move laterally while responders investigate. It belongs to the Defense & Operations category of cybersecurity.
What are other names for Endpoint Isolation?
Common alternative names include: Network containment, Host isolation, Host quarantine.
● Related terms
- EDR (Endpoint Detection and Response) (defense-ops № 371): An endpoint security technology that continuously records process, file, registry and network activity to detect, investigate and respond to threats on hosts.
- XDR (Extended Detection and Response) (defense-ops № 1254): A security platform that unifies telemetry from endpoint, network, identity, email and cloud sensors to deliver correlated detections and integrated response actions.
- Quarantine (Endpoint) (defense-ops № 892): An endpoint security action that moves a suspected-malicious file out of its original location into a controlled, neutered store so it cannot execute but can still be analyzed or restored.
- Incident Response (forensics-ir № 524): The organised process of preparing for, detecting, analysing, containing, eradicating, and recovering from cyber security incidents, then capturing lessons learned.
- Ransomware (malware № 900): Malware that encrypts a victim's data or locks systems and demands payment in exchange for restoring access.
- Defense Evasion (defense-ops № 298): The MITRE ATT&CK tactic (TA0005) covering techniques attackers use to avoid detection, disable security tools, and hide their activity on a target system.