Sophos Central -- Endpoint Isolation Documentation

1. Overview

Endpoint Isolation in Sophos Central is a security feature that allows administrators to immediately restrict a device's network communication. It is typically used during security incidents, for example when a user has clicked a malicious link or opened a suspicious attachment, or when suspicious activity has been detected on the device.

Isolation ensures that the affected device:

  • Cannot communicate with other devices on the network
  • Cannot access the internet
  • Can only communicate with Sophos Central services

This allows IT administrators to investigate and remediate potential threats without risking lateral movement or data exfiltration.


2. When to Use Endpoint Isolation

Endpoint Isolation should be used in the following scenarios:

2.1 Phishing Incident

A user accidentally clicks on a malicious link or enters credentials on a phishing website.

2.2 Suspicious File Execution

A user downloads and runs an unknown executable file.

2.3 Active Malware Detection

Sophos detects suspicious behavior or malware but further investigation is required.

2.4 Suspected Lateral Movement

You suspect an attacker may attempt to spread within the network.


3. What Endpoint Isolation Does

When a device is isolated:

  • All inbound and outbound traffic is blocked.
  • Local network communication is blocked.
  • Internet access is blocked.
  • Communication with Sophos Central remains active.
  • Remote management via Sophos is still possible.

Important Notes:

  • The user can still log into the machine.
  • The device remains operational locally.
  • There is no automatic expiration timer.
  • Isolation must be manually removed.

4. How to Isolate an Endpoint in Sophos Central

Step-by-Step Procedure

  1. Log in to Sophos Central Admin.
  2. Navigate to Devices.
  3. Locate and select the affected endpoint.
  4. Click Actions.
  5. Select Isolate.
  6. Confirm the action.

The device will be isolated once it checks in with Sophos Central.


5. How to Remove Isolation

  1. Navigate to Devices.
  2. Select the isolated endpoint.
  3. Click Actions.
  4. Choose Remove Isolation.
  5. Confirm.

The device will regain normal network connectivity after policy synchronization.
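Both procedures above can also be driven from the Sophos Central public API rather than the Admin console. The script below is an added example, not part of this page or of Sophos' own code: it builds the isolate / remove-isolation call and writes a local audit entry carrying the reason and UTC time (two of the fields section 9 asks you to record). The token and whoami URLs, the `X-Tenant-ID` header, the `enabled` / `ids` / `comment` body fields and the `SOPHOS_CLIENT_ID` / `SOPHOS_CLIENT_SECRET` variable names are assumptions about the Endpoint API; check them against the current API reference before use.

```python
import json
import os
import sys
import urllib.parse
import urllib.request
from datetime import datetime, timezone

# Assumed Sophos Central public API locations (verify against the current API reference).
TOKEN_URL = "https://id.sophos.com/api/v2/oauth2/token"
WHOAMI_URL = "https://api.central.sophos.com/whoami/v1"


def build_isolation_request(data_region, tenant_id, token, endpoint_ids, enabled, comment):
    """Return (url, headers, body) for the assumed Endpoint API isolation call.
    enabled=True isolates the listed endpoints; enabled=False removes isolation.
    The comment is stored with the action, so record the incident reason in it."""
    url = f"{data_region}/endpoint/v1/endpoints/isolation"
    headers = {"Authorization": f"Bearer {token}", "X-Tenant-ID": tenant_id,
               "Content-Type": "application/json"}
    body = {"enabled": enabled, "ids": list(endpoint_ids), "comment": comment}
    return url, headers, body


def audit_record(endpoint_ids, enabled, comment, when=None):
    """Local entry for the incident log: action, devices, reason and UTC time."""
    when = when or datetime.now(timezone.utc)
    return {"action": "isolate" if enabled else "remove_isolation",
            "endpoint_ids": list(endpoint_ids), "reason": comment,
            "timestamp_utc": when.isoformat()}


def call_json(url, headers=None, data=None, method="GET"):
    """Send one HTTPS request and decode the JSON reply."""
    req = urllib.request.Request(url, data=data, headers=headers or {}, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def get_token(client_id, client_secret):
    """OAuth2 client-credentials grant against the assumed Sophos identity service."""
    form = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret, "scope": "token"}).encode()
    return call_json(TOKEN_URL, data=form, method="POST")["access_token"]


if __name__ == "__main__":
    # Usage: python isolate.py isolate|release "<reason>" <endpoint-id>...
    # Credentials are read from SOPHOS_CLIENT_ID / SOPHOS_CLIENT_SECRET (assumed names).
    action, reason, ids = sys.argv[1], sys.argv[2], sys.argv[3:]
    token = get_token(os.environ["SOPHOS_CLIENT_ID"], os.environ["SOPHOS_CLIENT_SECRET"])
    me = call_json(WHOAMI_URL, headers={"Authorization": f"Bearer {token}"})  # tenant id + data region
    url, headers, body = build_isolation_request(me["apiHosts"]["dataRegion"], me["id"],
                                                 token, ids, action == "isolate", reason)
    print(call_json(url, headers, json.dumps(body).encode(), "POST"))
    print(json.dumps(audit_record(ids, action == "isolate", reason)))
```

As with the console procedure, the device only applies or drops isolation once it next checks in, so keep the audit entry's timestamp as the time the action was requested, not the time it took effect.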


6. Recommended 24-Hour Incident Response Procedure

When a malicious link is clicked, the following procedure is recommended:

Step 1 -- Immediate Isolation

Isolate the device immediately.

Step 2 -- Credential Assessment

  • Determine if credentials were entered.
  • If yes, reset the user's passwords.
  • Invalidate active sessions where applicable.

Step 3 -- Full System Scan

Run a full Sophos scan on the endpoint.

Step 4 -- Check Threat Logs

Review:

  • Threat Protection logs
  • Web Control logs
  • Firewall events
  • Intercept X alerts

Step 5 -- Browser and Persistence Review

  • Remove suspicious browser extensions.
  • Check startup programs.
  • Verify scheduled tasks.
  • Review installed programs.

Step 6 -- Network Review

Check firewall or SIEM logs for:

  • Suspicious outbound traffic
  • Command-and-control connections
  • Lateral movement attempts

Step 7 -- 24-Hour Monitoring

Keep the device isolated for up to 24 hours if necessary.

Step 8 -- Remove Isolation

Once confirmed clean, remove isolation.


7. Best Practices

  • Always isolate first, investigate second.
  • Document all actions taken.
  • Reset credentials when phishing is suspected.
  • Use Sophos Live Response (if licensed) for deeper analysis.
  • Inform the user about the temporary restriction.

8. Differences Between Isolation and Policy Tightening

Feature                     Endpoint Isolation   Policy Hardening
--------------------------  -------------------  ------------------
Blocks all traffic          Yes                  No
Prevents lateral movement   Yes                  Limited
Temporary action            Yes                  Usually permanent
Used during incidents       Yes                  Preventative


9. Logging and Auditing

All isolation actions are logged in Sophos Central under:

  • Audit Logs
  • Device History

Ensure documentation includes:

  • Time of isolation
  • Reason for isolation
  • Investigation results
  • Time of removal


10. Conclusion

Endpoint Isolation is a critical incident-response tool within Sophos Central. It provides immediate containment of potentially compromised devices and significantly reduces the risk of network-wide compromise.

Using a structured 24-hour response workflow ensures both security and operational continuity.
