Does your organization automatically transfer compromised endpoints to a remediation VLAN for isolation and remediation?
Explanation
Automatically moving a compromised endpoint to a separate remediation VLAN contains the incident by isolating the device from the rest of the network at its switch port or wireless association, normally through the network access control (NAC) system that already authorizes the endpoint.
This blocks lateral movement by the attacker and limits the spread of malware, while the remediation VLAN still permits the traffic responders need (for example, reaching the EDR console or patch servers) so the device can be investigated and remediated without disrupting normal network operations.
Detection should come from existing security monitoring tools (EDR, SIEM, IDS), and a confirmed alert above a documented severity threshold should trigger the VLAN transfer automatically, without manual intervention. Practical safeguards include an exception list for assets that must not be isolated automatically (for example, domain controllers or other critical servers, which are escalated to a responder instead), protection against isolating on false positives, and a defined procedure for returning a cleaned endpoint to its production VLAN.
Evidence could include network architecture diagrams showing the remediation VLAN configuration, documentation of the automated detection and transfer process, logs demonstrating successful isolation of compromised endpoints (the triggering alert together with the resulting VLAN change), and screenshots of the network access control system that enforces the VLAN transfers.
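The following is an added example, not part of the questionnaire or any specific product, of the automation the question describes: an alert from a monitoring tool is checked against an isolation policy, and when isolation is warranted a RADIUS Change-of-Authorization request (RFC 5176) is built that tells the switch to move the endpoint's session to the remediation VLAN using the RFC 2868 tunnel attributes; every decision is written to an audit record of the kind the evidence list asks for. The VLAN number, severity threshold, never-isolate list, shared secret and the sample alert are all assumptions constructed for the example.

```python
"""Added example: turn a confirmed EDR alert into an RFC 5176 RADIUS CoA-Request
that re-assigns the endpoint's port to a remediation VLAN, with an allowlist
and an audit record. Not code from the questionnaire or any NAC vendor."""
import hashlib
import json
import struct
from datetime import datetime, timezone

# RADIUS codes and attribute types (RFC 2865, RFC 2868, RFC 5176).
COA_REQUEST = 43
NAS_IP_ADDRESS = 4
CALLING_STATION_ID = 31
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# Deployment assumptions for this example only.
REMEDIATION_VLAN = "999"
ISOLATE_SEVERITIES = {"high", "critical"}
# Hypothetical never-isolate list (e.g. a domain controller): escalate instead.
NEVER_ISOLATE = {"aa:bb:cc:dd:ee:01"}
AUDIT_LOG = []


def should_isolate(alert):
    """Return (decision, reason). Only confirmed alerts at or above the
    severity threshold on non-allowlisted endpoints trigger the VLAN move."""
    mac = alert["mac"].lower()
    if mac in NEVER_ISOLATE:
        return False, "endpoint on never-isolate list; escalate to responder"
    if alert.get("severity", "").lower() not in ISOLATE_SEVERITIES:
        return False, "severity below isolation threshold"
    if alert.get("status") != "confirmed":
        return False, "alert not confirmed; not isolating on a possible false positive"
    return True, f"auto-isolate to VLAN {REMEDIATION_VLAN}"


def _avp(attr_type, value):
    """Encode one RADIUS attribute: type (1), length (1), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _tagged_int(value, tag=0):
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte value."""
    return bytes([tag]) + value.to_bytes(3, "big")


def build_coa_request(identifier, secret, nas_ip, mac, vlan):
    """Build a CoA-Request asking the NAS (switch) to place the session
    identified by Calling-Station-Id (the endpoint MAC) onto `vlan`."""
    attrs = b"".join([
        _avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        _avp(CALLING_STATION_ID, mac.encode()),
        _avp(TUNNEL_TYPE, _tagged_int(TUNNEL_TYPE_VLAN)),
        _avp(TUNNEL_MEDIUM_TYPE, _tagged_int(TUNNEL_MEDIUM_IEEE_802)),
        # Sent untagged: per RFC 2868 a first byte above 0x1F starts the string.
        _avp(TUNNEL_PRIVATE_GROUP_ID, vlan.encode()),
    ])
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    # RFC 5176 s2.3: Request Authenticator =
    # MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_coa_authenticator(packet, secret):
    """Recompute the Request Authenticator, as the NAS does before acting."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(header + bytes(16) + attrs + secret).digest() == auth


def handle_alert(alert, secret, identifier=1):
    """Decide, build the CoA packet if warranted, and append an audit record.
    Returns the packet bytes, or None when no isolation is performed."""
    isolate, reason = should_isolate(alert)
    packet = None
    if isolate:
        packet = build_coa_request(identifier, secret, alert["nas_ip"],
                                   alert["mac"], REMEDIATION_VLAN)
    AUDIT_LOG.append(json.dumps({
        "ts": datetime.now(timezone.utc).isoformat(),
        "alert_id": alert["id"], "mac": alert["mac"], "nas_ip": alert["nas_ip"],
        "isolated": isolate, "reason": reason,
    }))
    return packet


# Constructed sample alert, shaped like an EDR/SIEM webhook payload.
SAMPLE_ALERT = {"id": "EDR-1001", "mac": "aa:bb:cc:dd:ee:02", "nas_ip": "10.0.0.2",
                "severity": "high", "status": "confirmed"}

if __name__ == "__main__":
    pkt = handle_alert(SAMPLE_ALERT, b"shared-secret")
    print(pkt.hex())   # what would be sent to the NAS on UDP port 3799
    print(AUDIT_LOG[-1])
```

The packet would be sent to the switch's CoA port (UDP 3799) and the switch answers with CoA-ACK or CoA-NAK, which should be recorded alongside the audit entry. Production deployments should also add the Message-Authenticator attribute and use the identifiers the NAS actually keys sessions on (Acct-Session-Id or User-Name) rather than relying on the MAC alone.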
Implementation Example
Automatically transfer compromised endpoints to a remediation virtual local area network (VLAN)
ID: RS.MI-01.342
Context
- Function
- RS: RESPOND
- Category
- RS.MI: Incident Mitigation
- Sub-Category
- Incidents are contained
Related questions
- Do your cybersecurity technologies and security features in other systems automatically perform containment actions when threats are detected?
- Does your incident response process allow responders to manually select and execute containment actions during security incidents?
- Does your organization have formal agreements with third parties (e.g., ISPs, MSSPs) authorizing them to perform containment actions during security incidents?
- Does your organization implement automated eradication capabilities within cybersecurity technologies and security features of other technologies?
- Does your incident response system allow authorized responders to manually select and execute eradication actions during security incidents?
- Does your organization have formal agreements in place with third-party security providers to perform incident eradication actions on your behalf?

