
Isolating compromised endpoint


Solved by alexcad

Posted

I’ve been tasked with figuring out a way to isolate an infected/compromised endpoint from the rest of the network. Is this a function that Kaspersky Security Center provides out of the box? I’ve currently achieved this by creating a new endpoint policy that uses the firewall component to whitelist all traffic between the endpoint and the server hosting Kaspersky Security Center, followed by a second rule that blocks all other inbound/outbound traffic. In this way the machine is cut off from the rest of the internal network and the Internet except for our Kaspersky server. I then assign this policy to an empty group and place any compromised endpoints into this group to receive the policy.

I just wanted to see if there’s an easier/better way of achieving this goal.
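The "allow only the KSC server, block everything else" isolation the poster describes, written out as an added example in Windows Defender Firewall terms with a rollback path. This is not code from the thread or from Kaspersky, and it is meant for hosts where Windows Firewall is the enforcement point; where the KES Firewall component is active, the KSC policy described above is the right place for the rule. The `-KscServer` address, the `IR-Isolate` rule prefix, the state-file location and the port 13000 used in the connectivity check are assumptions chosen for the example.

```powershell
# Added example (not from the original post): host-level isolation that
# permits traffic only to/from the management server and default-denies
# everything else, with enough state saved to undo it cleanly.
# Run from an elevated PowerShell on the endpoint.
# Placeholders/assumptions: -KscServer, the 'IR-Isolate' prefix, the
# state file path and the port-13000 reachability check.
[CmdletBinding()]
param(
    [string]$KscServer,
    [switch]$Rollback
)

$Prefix    = 'IR-Isolate'
$StateFile = Join-Path $env:ProgramData "$Prefix-state.xml"

function Enable-Isolation {
    param([Parameter(Mandatory = $true)][string]$Server)

    # 1. Open the management channel first, so Network Agent never loses
    #    contact with KSC while the rest of the policy is tightened.
    foreach ($dir in 'Inbound', 'Outbound') {
        New-NetFirewallRule -DisplayName "$Prefix KSC $dir" -Direction $dir `
            -RemoteAddress $Server -Action Allow -Profile Any -Enabled True | Out-Null
    }

    # 2. Record what is about to change so Disable-Isolation can restore it.
    #    A default Block does not override existing Allow rules, so every
    #    other enabled Allow rule is disabled (not deleted) and remembered.
    $state = @{
        Profiles = Get-NetFirewallProfile |
            Select-Object Name, DefaultInboundAction, DefaultOutboundAction
        DisabledRules = @(Get-NetFirewallRule -Enabled True -Action Allow |
            Where-Object { $_.DisplayName -notlike "$Prefix*" } |
            Select-Object -ExpandProperty Name)
    }
    $state | Export-Clixml -Path $StateFile
    if ($state.DisabledRules.Count -gt 0) {
        Disable-NetFirewallRule -Name $state.DisabledRules
    }

    # 3. Default-deny both directions on every profile. Only the two explicit
    #    Allow rules above remain, so the host can reach nothing but KSC.
    Set-NetFirewallProfile -Profile Domain, Private, Public `
        -DefaultInboundAction Block -DefaultOutboundAction Block

    # 4. Check that the management channel survived the change.
    #    Port 13000 is assumed here as the agent-to-server port; adjust if
    #    your Administration Server listens elsewhere.
    if (-not (Test-NetConnection -ComputerName $Server -Port 13000 -InformationLevel Quiet)) {
        Write-Warning "KSC server $Server is not reachable on TCP/13000 after isolation"
    }
}

function Disable-Isolation {
    if (-not (Test-Path $StateFile)) { throw "No isolation state found at $StateFile" }
    $state = Import-Clixml -Path $StateFile

    # Restore default actions, re-enable the rules we disabled, drop ours.
    foreach ($p in $state.Profiles) {
        Set-NetFirewallProfile -Name $p.Name `
            -DefaultInboundAction $p.DefaultInboundAction `
            -DefaultOutboundAction $p.DefaultOutboundAction
    }
    if ($state.DisabledRules.Count -gt 0) {
        Enable-NetFirewallRule -Name $state.DisabledRules
    }
    Get-NetFirewallRule -DisplayName "$Prefix*" | Remove-NetFirewallRule
    Remove-Item -Path $StateFile -Force
}

if ($Rollback) {
    Disable-Isolation
} else {
    if (-not $KscServer) { throw "-KscServer is required unless -Rollback is given" }
    Enable-Isolation -Server $KscServer
}
```

Usage: `.\Isolate.ps1 -KscServer 10.0.0.5` to isolate, `.\Isolate.ps1 -Rollback` to undo. Creating the Allow rules before flipping the default action matters because the agent's connection to KSC is the only path left for pushing the rollback policy; if that channel drops, the host has to be recovered by hand. The state file is the audit record of what was changed on the host during the incident, so keep it with the case notes rather than deleting it early.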

  • Solution
Posted

Using “Kaspersky Endpoint Detection and Response Optimum” is the easiest way to isolate endpoints.

https://www.kaspersky.com/enterprise-security/edr-security-software-solution

It is integrated in KSC using the Endpoint Agent which comes with KES and KS4WS (v11 only). It’s recommended to use the latest versions (KSC 12.2, KES 11.4, KS4WS 11).
With this solution you can also run IOC scans, detect and kill running tasks/processes, block execution of files, ...

Ask your kaspersky partner for further details.

Regards
Alex
