Sangfor EDR's Host Isolation

Jack0704 Lv1Posted 2024-Jul-08 12:57

I'm looking to clarify how Sangfor EDR handles host isolation in real-world scenarios. From what I understand, Sangfor EDR allows administrators to manually isolate endpoints if the endpoint is classified as compromised or at high risk after identification.

I'm seeking clarification on Sangfor EDR's capabilities for manually isolating endpoints, specifically for enforcing security posture compliance.

From the user manual, I understand Sangfor EDR can automatically isolate endpoints classified as compromised or at high risk after identification. However, I'd like to know if it's possible to manually isolate endpoints that do not meet minimum security posture requirements, identified through security compliance checks.

Can Sangfor EDR administrators manually initiate endpoint isolation for workstations that fail to meet minimum security posture requirements, even if they are not classified as compromised or at high risk? If so, what are the steps involved in this process?

What are the best practices for using Sangfor EDR to enforce security posture compliance through endpoint isolation? Are there specific settings or configurations administrators should be aware of when implementing this?

mdamores has solved this question and earned 10 coins.

Posting a reply earns you 2 coins. An accepted reply earns you 20 coins and another 10 coins for replying within 10 minutes. (Expired) What is Coin?

Enter your mobile phone number and company name for better service. Go

Prosi Lv3Posted 2024-Jul-09 11:56
  
Hi,

Enforcing security posture compliance through endpoint isolation using Sangfor EDR (Endpoint Detection and Response) involves several best practices to ensure effective and efficient security management, Key practices:
Define Clear Security
Automated Response
Granular Isolation Control
Integration with Network Security
Real-time Monitoring and Visibility
User Awareness and Notification
Periodic Review and Optimization
Incident Response Integration
Compliance Auditing and Reporting
Training and Skill Development
mdamores Posted 2024-Jul-09 13:07
  
Hi,

Sangfor EDR provides security features which includes endpoint isolation. Please see below:

1. Manual Endpoint Isolation:
   - administrators can manually isolate endpoints or workstations that don't meet security posture requirements by identifying non-compliant endpoints and isolating them from the network to prevent potential threats.

You may also refer below:
- Identify Non-Compliant Endpoints by using Sangfor EDR to assess endpoints against security posture criteria (e.g., missing patches, outdated AV definitions) and flagging endpoints that doesn't meet standard requirement.
- Isolate Endpoints thru Sangfor EDR console by locating the affected endpoints and initiate isolation (quarantine) for those endpoints to prevent them from communicating with other devices on the network.
- Remediation by notifying users or IT support about the isolation and remediate the non-compliance issues (e.g., update software, apply patches) then release the isolation once complied


2. Best Practices for Security Posture Compliance:
- Continuous Monitoring by regularly monitoring the endpoints for compliance and set up automated checks to identify deviations.
- Granular Policies by defining specific security posture requirements (e.g., patch levels, AV status) and create policies that trigger isolation when conditions aren't met.
- User Education by educating users about compliance requirements and explain the impact of non-compliance.
- Automated Remediation by integrating with patch management tools and automating remediation tasks (e.g., deploying patches).
- Testing and Validation by testing isolation procedures in a controlled environment and validate that endpoints can be safely isolated.
- Logging and Reporting by maintaining logs of compliance checks and isolation events and use reports to track trends and improvements.
Enrico Vanzetto Lv4Posted 2024-Jul-09 15:52
  
hi, we have an es appliance (local version on our datacenter) connected to a nsf-1100a on our headquarter (both of tem connected through a site-to-site ipsec vpn). we achieve this by connecting first the es appliance with sangfor nsf device. After that, we configure on es appliance the correlated block triggers, to achieve client isolation if something wrong happen on this client. This solution works only if the clients are connected locally on nsf. I can't figure out how to do only with es appliance yet.
Newbie290036 Posted 2024-Jul-09 17:55
  
Sangfor EDR allows administrators to manually initiate endpoint isolation for workstations that fail to meet minimum security posture requirements, even if they are not classified as compromised or at high risk. This capability ensures proactive enforcement of security compliance across the network. Administrators can configure security compliance policies within Sangfor EDR, specifying conditions that, when violated by an endpoint during automated compliance checks, trigger isolation. To enforce security posture compliance through isolation effectively, administrators should define clear policies aligned with organizational security standards, regularly review and update these policies as needed, and ensure that affected endpoints receive appropriate remediation steps to regain compliance swiftly. Configurations should be regularly monitored to maintain operational effectiveness and minimize disruption to business continuity.
pmateus Lv2Posted 2024-Jul-09 19:19
  
Hi,

The best practice are like Pre-Attack Preparation, Unified Endpoint Security Management, Detailed Isolation Policy, Real-Time Protection, Policy Configuration, Advanced Threat Response, Cloud Linkage and Coordination.
Zonger Lv5Posted 2024-Jul-09 23:04
  
Sangfor EDR Endpoint Isolation:

* Manually isolate endpoints that don't meet security posture requirements
* Use "Compliance Check" feature to define custom security policies and checklists
* Initiate isolation by sending a command to the endpoint
* Disconnect non-compliant endpoint from network and prevent further access
* Configure automatic isolation policies for missing patches, outdated antivirus, or unauthorized software
* Best practices: review and update checklists, configure automatic policies, and monitor compliance reports
jerome_itable Lv3Posted 2024-Jul-10 09:13
  
You're correct that Sangfor EDR offers both automatic and manual isolation for endpoints.
Here's a breakdown of your questions regarding manual isolation for security posture compliance:

Can Administrators Manually Isolate Endpoints Failing Compliance Checks?

Yes, Sangfor EDR allows administrators to manually isolate endpoints that don't meet minimum security posture requirements, even if not classified as high-risk or compromised. This helps enforce compliance by restricting network access for non-compliant devices.

Identify Non-Compliant Endpoints:

  Use security compliance reports or vulnerability scans within Sangfor EDR to identify workstations failing to meet minimum security posture requirements.

Select Endpoint for Isolation:  In the Sangfor EDR console, navigate to the specific endpoint details.

Initiate Isolation:  Look for an "Isolation" or "Quarantine" option within the endpoint details. Selecting this option should isolate the endpoint, restricting network access.

Best Practices for Compliance Enforcement with Isolation:

    Define Compliance Requirements: Clearly define minimum security posture requirements for your organization (e.g., updated antivirus, enabled firewall).
    Compliance Checks: Schedule regular vulnerability scans and leverage Sangfor EDR's compliance reporting features to identify non-compliant devices.
    Isolation Policies: Develop clear policies for when to isolate endpoints based on compliance failures. Consider the severity of non-compliance and potential impact.
    User Communication: Inform users about potential endpoint isolation for non-compliance and the steps to regain network access (e.g., patching vulnerabilities).
    Automation (Optional): While manual isolation offers flexibility, explore options for automating isolation based on pre-defined compliance rules within Sangfor EDR (if available).

Settings and Configurations:

    Administrator Permissions: Ensure administrators have the necessary permissions to initiate endpoint isolation within Sangfor EDR.
    Isolation Levels: Depending on the Sangfor EDR version, there might be different isolation levels (e.g., full network isolation or restricting internet access). Choose the appropriate level based on the compliance violation.
    Isolation Duration: Define a policy for how long endpoints remain isolated after failing compliance checks. This allows time for remediation while maintaining security.
Imran Tahir Lv4Posted 2024-Jul-10 13:38
  
In order to manually start endpoint isolation for workstations that do not fulfill minimal security posture requirements—even if they are not considered compromised or high-risk—administrators might use Sangfor EDR. Proactive enforcement of security compliance throughout the network is guaranteed by this feature. Within Sangfor EDR, administrators have the ability to set up security compliance policies. These policies describe conditions that, if broken by an endpoint during automated compliance checks, will result in isolation. Administrators should establish clear policies that are in line with organizational security standards, review and update them frequently, and make sure that affected endpoints receive the necessary remediation steps to quickly regain compliance in order to effectively enforce security posture compliance through isolation. To preserve operational efficacy and reduce interruptions to business continuity, configurations should be routinely reviewed.

I Can Help:

Change

Moderator on This Board

3
14
3

Started Topics

Followers

Follow

1
3
5

Started Topics

Followers

Follow

18
8
0

Started Topics

Followers

Follow

Trending Topics

Board Leaders