An organization has a legacy system that cannot be patched due to vendor end-of-life. The system is critical for operations. Which compensating control is most appropriate to reduce the risk of exploitation?
Network isolation limits attack surface and is a common compensating control.
Why this answer
Network isolation (segmentation) limits the system's exposure to potential attackers. A WAF can protect web-facing systems, but isolation is broader.