Best Practices for Quarantining a Device with VMware Carbon Black Cloud
What is Quarantining?
When quarantining an endpoint or workload, which has the Carbon Black Cloud sensor enabled, suspicious activity and malware is prevented from affecting the rest of the network. Endpoints and workloads remain in quarantine until it is removed from the quarantined state.
When should you quarantine a device?
Quarantining devices when using an endpoint protection solution is an important aspect of network security, but it should be done with care to avoid disrupting legitimate users and critical systems. Here are some best practices for determining when to isolate machines from the network using the quarantine function:
- Alert Severity: Alert severity is a crucial factor to consider. Define clear criteria for different alert levels (e.g., low, medium, high, critical) based on the risk they pose to the network. Devices triggering high or critical alerts may need to be immediately quarantined to prevent potential damage.
- Known Malware/Vulnerabilities: If the security solution identifies a device infected with known malware or a vulnerability that is actively being exploited, it should be isolated promptly to prevent further spreading and potential data breaches.
- Anomalous Behavior: Unusual or suspicious behavior patterns, such as repeated failed login attempts, unauthorized access, or data exfiltration, can indicate potential threats. Quarantining devices exhibiting such behavior can help contain the threat until further investigation.
- Abnormal Network Traffic: Devices generating abnormal network traffic, such as large-scale data transfers or communication with blacklisted IP addresses, should be subject to immediate quarantine until the cause of the unusual activity is determined.
- Compromised Credentials: If there is evidence of compromised user credentials, the associated devices should be isolated to prevent unauthorized access to sensitive resources.
- Patch/Vulnerability Management: Devices that haven't been updated with the latest security patches and are susceptible to known vulnerabilities should be isolated until they can be patched and deemed secure.
- Quarantine Duration: Define a specific time for quarantine based on the nature of the threat and the risk it poses. Shorter quarantine durations may be appropriate for less severe threats, while more severe threats might require longer isolation periods.
- Automation and Human Review: Consider using automation to trigger immediate quarantine for severe threats but have a process in place for human review. A security analyst should evaluate the circumstances and verify the alert before deciding to keep the device in quarantine or release it.
- Communication: Establish clear communication channels and procedures to inform affected users about the quarantine, the reason behind it, and the steps they should take to remediate the issue.
- Logs and Documentation: Ensure that all quarantine events are properly logged and documented. This information will be valuable for post-incident analysis and reporting.
What happens when a device is placed in quarantine?
- The network filter driver blocks all incoming/outgoing TCP traffic to any IP/ports except for those used to maintain a connection to the VMware Carbon Black Cloud Console
- Devices will still be able to check in with the VMware Carbon Black Cloud Console for device status changes. i.e., Switch from Quarantine to Active
Remote Investigation/Remediation Tools
- Quarantine mode allows both CB Support and Carbon Black Cloud Administrators to continue investigating a device from the VMware Carbon Black Cloud Console (Investigate Page, Live Response, Live Query, etc..) while reducing the risks involved with allowing a compromised device to access the local network.
Additional technical information can be found HERE.
Remember that implementing a quarantine function requires a well-thought-out strategy, and the decision to isolate a device should be based on a combination of automated alerts and human expertise. Regular reviews and updates to the quarantine criteria are also essential to adapt to new and evolving security threats.
To understand the steps involved when using the VMware Carbon Black Clouds’ quarantine feature please visit the VMware Carbon Black Community page.
Additional details on actions you can take on endpoints and workloads can be found on our VMware Docs.