
Your guide to Microsoft Defender External Attack Surface Management (EASM)

Posted : 24 November 2022

Posted In : Blogs


Microsoft released Defender External Attack Surface Management (EASM) a few months ago, built on the EASM technology it acquired with RiskIQ last year. This new security solution helps organisations understand their external attack surface: EASM shows an organisation what an external party can see of it from the outside. This was one of the areas missing from Microsoft's pre-existing attack surface management tooling.

Previously, Microsoft only had Defender for Cloud, which looks after the Azure environment, and Defender for Endpoint/IoT, which protects an organisation’s internal endpoints by looking for vulnerabilities and threats. There was nothing in place to monitor the unknown external resources and vulnerabilities an organisation might have.

HOW IT WORKS
The EASM process relies on Microsoft’s proprietary discovery technology to continuously define your organisation’s unique Internet-exposed attack surface.

Starting with a seed, the system identifies associations with other online infrastructure to discover external assets owned by your organisation; this process ultimately creates your attack surface inventory. The discovery process uses the seeds as the central nodes and spiders outward towards the periphery of your attack surface: it first identifies all the infrastructure directly connected to the seed, then everything related to each item in that first set of connections, and so on. This continues until it reaches the edge of what your organisation is responsible for managing.

For example, to discover Softwerx infrastructure, you might use the domain softwerx.com as the initial keystone seed. Starting from this seed, Microsoft can consult DNS records, WHOIS records and ASN records.

INITIAL SET UP & DISCOVERY
Setting up EASM can be done from the Azure Portal, and you get a 30-day free trial before being charged for any resources.

Once the resource is created, you can view the discovery setup. Microsoft has created seed templates for several large organisations which can be imported, but most organisations will define their own seeds. Predefined seeds cannot be edited, so although they are a quick way to see what is known about your organisation, I recommend creating a custom discovery with all your information defined to make the best use of the platform.

Here is a breakdown of the main areas to define in a custom discovery:

Domains
Domains are the areas you want to be covered like example.com. You can define which domains and subdomains to include and exclude.

IP Blocks
Define the IP ranges you want to include or exclude.

Hosts
Define specific hosts like www.example.com.

Email Contacts
Email contacts for your domain or assets.

ASNs (Autonomous System Numbers)
These can be added if known, or will be discovered if not.

Whois Organizations
Enter any Whois details that are under the organisation’s control.

Once the configuration is complete, the discovery runs and takes between 24 and 72 hours. Tip: we recommend setting the scanning frequency to weekly.

RECURSIVE SEARCH DISCOVERY
Once the first level of discovery is complete, Microsoft uses this set of first-level connections to quickly derive an entirely new set of assets to investigate. Before performing additional recursions, Microsoft determines whether a connection is strong enough for a discovered entity to be automatically added to your Confirmed Inventory. For each of these assets, the discovery system runs automated, recursive searches based on all available attributes to find second-level and third-level connections. This repeated process provides more information on your organisation’s online infrastructure and finds disparate assets that might otherwise never have been discovered or monitored.
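To make the seed-and-spider process concrete, here is an added example of how such a discovery walk can be modelled; it is not Microsoft's code (the real discovery technology and its confidence scoring are proprietary) nor code from this post. The RELATIONS table is a constructed offline stand-in for DNS, WHOIS and ASN lookups, and the link confidences, the 0.7 "strong enough" threshold and the three-level depth limit are assumptions chosen to mirror the description above.

```python
from collections import deque
from ipaddress import ip_address, ip_network

# Constructed stand-in for DNS/WHOIS/ASN lookups: asset -> [(related asset, link confidence)]
RELATIONS = {
    "example.com": [("www.example.com", 0.95), ("mail.example.com", 0.9),
                    ("AS64500", 0.8), ("Example Ltd", 0.9)],
    "www.example.com": [("203.0.113.10", 0.85)],
    "mail.example.com": [("203.0.113.25", 0.85), ("mx.hostingco.example", 0.4)],
    "AS64500": [("203.0.113.0/24", 0.7)],
    "Example Ltd": [("example-shop.net", 0.6)],
    "example-shop.net": [("198.51.100.7", 0.5)],
    "203.0.113.0/24": [("203.0.113.99", 0.35)],
}

def in_scope(asset, excluded):
    """Seed-setup exclusions: an excluded domain drops its subdomains, an excluded IP block its addresses."""
    for ex in excluded:
        if asset == ex or asset.endswith("." + ex):
            return False
        if "/" in ex:
            try:
                if ip_address(asset) in ip_network(ex):
                    return False
            except ValueError:  # asset is not an IP address
                pass
    return True

def discover(seeds, relations=RELATIONS, max_depth=3, strong=0.7, excluded=()):
    """Breadth-first walk outward from the seeds (the central nodes) to max_depth. Returns
    {asset: (depth, confidence, state)}; strong chains become Approved Inventory and are expanded,
    weak ones become Candidates held for manual review and are not expanded further."""
    inventory = {s: (0, 1.0, "Approved Inventory") for s in seeds}
    queue = deque(seeds)
    while queue:
        asset = queue.popleft()
        depth, conf, _ = inventory[asset]
        if depth >= max_depth:
            continue
        for related, link in relations.get(asset, ()):
            if related in inventory or not in_scope(related, excluded):
                continue
            score = min(conf, link)  # a path is only as strong as its weakest link
            state = "Approved Inventory" if score >= strong else "Candidate"
            inventory[related] = (depth + 1, score, state)
            if state == "Approved Inventory":
                queue.append(related)
    return inventory

def candidates(inventory):  # assets flagged for manual ownership review
    return sorted(a for a, (_, _, s) in inventory.items() if s == "Candidate")
```

Running `discover(["example.com"])` shows the effect of the threshold: the hosting provider's MX host and the loosely linked address in the ASN's block land in the Candidate list, and nothing behind a Candidate is explored until a human confirms ownership.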

THE EASM PORTAL
Once the asset discovery process has completed, you can access a master dashboard giving an overview of the assets discovered.

From the portal, you can also view an inventory of all the discovered assets and each one of these can be investigated.

ASSET MANAGEMENT
Details of the asset can be viewed including any CVE exposures. If the asset does not belong to the organisation or has been retired then it can be removed from the inventory.

Each asset can be in one of 5 states (Approved Inventory, Dependency, Monitor Only, Candidate, Requires Investigation), which Microsoft defines as follows:

Approved Inventory: A part of your owned attack surface; an item that you are directly responsible for.

Dependency: Infrastructure that is owned by a third party but is part of your attack surface because it directly supports the operation of your owned assets. For example, you might depend on an IT provider to host your web content. While the domain, hostname, and pages would be part of your “Approved Inventory,” you may wish to treat the IP Address running the host as a “Dependency.”

Monitor Only: An asset that is relevant to your attack surface but is neither directly controlled nor a technical dependency. For example, independent franchisees or assets belonging to related companies might be labelled as “Monitor Only” rather than “Approved Inventory” to separate the groups for reporting purposes.

Candidate: An asset that has some relationship to your organization’s known seed assets but does not have a strong enough connection to immediately label it as “Approved Inventory.” These candidate assets must be manually reviewed to determine ownership.

Requires Investigation: A state similar to the “Candidate” state, but this value is applied to assets that require manual investigation to validate. This is determined based on internally generated confidence scores that assess the strength of detected connections between assets. It does not indicate the infrastructure’s exact relationship to the organisation as much as it denotes that this asset has been flagged as requiring additional review to determine how it should be categorized.

These asset states are uniquely processed and monitored to ensure that customers by default have clear visibility into the most critical assets. For instance, “Approved Inventory” assets are always represented in dashboard charts and are scanned daily to ensure data recency. All other kinds of assets are not included in dashboard charts by default; however, users can adjust their inventory filters to view assets in different states as needed. Similarly, “Candidate” assets are only scanned during the discovery process; it’s important to review these assets and change their state to “Approved Inventory” if they are owned by your organisation.

ADDITIONAL DASHBOARDS
Attack Surface Summary: this dashboard summarises the key observations derived from your inventory

Security Posture: this dashboard helps you understand the maturity and complexity of the security program based on the metadata derived from assets in your confirmed Inventory.

GDPR Compliance: this dashboard surfaces key areas of compliance risk based on the General Data Protection Regulation (GDPR) requirements for online infrastructure.

OWASP Top 10: This dashboard surfaces any assets that are vulnerable according to OWASP’s list of the most critical web application security risks.

PRICING
At the time of writing, the pricing for EASM is about £0.01 per resource per day, as can be seen in the Azure Cost Calculator. This is very cost-effective for most organisations; for larger organisations we assume some volume discount may apply in the future.

SUMMARY
MS-EASM is another tool for organisations to help understand and reduce their external risks. I see it as essential since it helps identify potential exposure that your organisation was not already aware of. Microsoft has made it easy to configure and cost effective to use on a free trial for 30 days to show the value. More importantly, for a relatively low cost, it can save your organisation from risks like an unpatched application or open port that allows criminals into your organisation by identifying it before they do.

References:
Microsoft (2022). Defender EASM Overview, microsoft.com.
