Endpoint Isolation: A new feature of AIR that brings an investigation under your control

Currently in the DFIR world, when something suspicious is found during the investigation, it is mandatory to contact the firewall administrator or the relevant department to close the connections of the endpoint in order to prevent lateral movement to any other location or to prevent data leakage to the outside world.

Completing this isolation process takes time and can jeopardize your investigation.

How does Endpoint Isolation with Binalyze make this process a single click?

Binalyze AIR now contains the Endpoint Isolation feature that brings an investigation under the control of the Investigators / SOC Analyst teams by making it possible for them to disconnect any endpoint from the network immediately with one single click. In addition, since the communication with AIR continues, analysts can keep examining the isolated endpoint via the AIR Console. 

Start a free demo of Endpoint Isolation today.

Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.

Main advantages:

  1. AIR immediately isolates the machine from the network with a single click, a hard-to-find feature among digital forensic solutions. Normally firewalls or NAC devices are used for this purpose, with this feature Binalyze AIR shortens the process without contacting any other product or department.
  2. Isolated machines can be further examined by the DFIR investigators which lets them continue the investigation without any disturbance or interference.

How does Endpoint Isolation work?

  1. Open the endpoint dashboard on AIR and click on any connected endpoint. A sliding window will open and you will see the “Isolation” button in the upper right corner.
  1. Once you click on that button a warning pops up to check if you are sure about the isolation task, click “Yes” and you isolate the endpoint from the network. Now you can investigate the machine without any disruptions.

Presently, the Isolation feature is only available for Windows clients but in the coming releases, we will expand compatibility to other operating systems.

We will also be adding rules-based Endpoint Isolation to this feature in the coming weeks to remove the need for manual tasks and to integrate with any matches made during the Triage and Drone operations. 

Stay tuned for these updates as in 2 weeks we will be making another major feature release on the scale of 1.7.35 which you can read about here.

Make sure to follow us on Twitter to catch the latest updates from Binalyze.

Leave a Comment

Latest Articles