Introduction into Microsoft Defender EASM (External Attack Surface Management)
Microsoft Defender EASM (External Attack Surface Management) is a new product in the Microsoft Defender family to provide and external multi-cloud (SaaS, PaaS & IaaS/on-premises) view of the attack surface of the online (internet-exposed) assets (known and unknown).
The following assets are available in Microsoft Defender EASM:
- Domains (e.g. contoso.org) &| hosts (e.g. storageaccount.contoso.org) &| webpages (e.g. www.contoso.org)
- IP-address (e.g. 220.127.116.11) &| IP-blocks (e.g. 18.104.22.168/16)
- WHOIS registrant (e.g. email@example.com)
- ASNs (Autonomous System Numbers e.g. 3598)
- SSL Certificates
On a personal note: because EASM can also be abused by people with bad intensions, I had rather seen that only companies or assets can be added on a with proof of ownership (e.g. custom domains in Azure AD or add TXT or CNAME record in the DNS for the Domain asset).
Known assets (seeds) discover connected (known and/or unknown) assets to built-up the attack surface. The example above is where the seed is a domain and the others assets (host and IP-address/block) are discovered via the initial seed.
The cost of Microsoft Defender EASM (after the 30 day free trial) is $0.011 asset/day.
The setup of Microsoft Defender EASM is an initial setup of the instance and the search or creation of the attack surface(s) discovery group.
1) Create an EASM Instance
Open the Azure portal and search for Microsoft Defender EASM.
The creation of the Microsoft Defender EASM instancerequires the following information (one or more instances can be created).
- Subscription & Resource group (requires the Contributor role)
- Instance Name
- Region (EASM is only available, at the time of writing, in the following regions: South Central US, West US 3, East US, East Asia, Sweden Central, Australia East, Japan East)
2) Search or create an attack surface
A (default) discovery group and seeds (initial assets) are required to create an inventory of internet connected assets to discover the attack surface for known and unknown assets. Search for a pre-built attack surface, if available start attack surface discovery.
If a pre-built attack surface is not available, create a custom attack surface.
Select Create a custom attack surface and enter the known assets (seeds).
Disclaimer: the discovery process takes 24–48 hours to complete.
A known asset (seed) is scanned with the Microsoft Security Graph and repeatedly inspected for associations with other (unknown) assets to ultimately create the attack surface inventory. Final step of the built process is pull other datasets for detailing and analysis.
Once the discovery process has completed, an inventory is available to provide an overview of all discovered assets.
Each asset has one of the following States:
- approved is part of the attack surface (owned asset)
- dependency is part of the attack surface (third party asset)
- monitor only relevant asset but not directly owned not a technical dependancy
- candidate & requires investigation requires manual validation / approval to change the state to approved
Microsoft Defender EASM provides four dashboards:
Attack Surface Summary
The Attack Surface Summary dashboards provides key insights and high level overview of the impacted core assets of the attack surface (example below is Microsoft).
The Security Posture dashboard is a measurement of the maturity and complexity of the organization’s security program impacted assets (example below is Microsoft).
- CVE exposure (web site vulnerabilities)
- Domains administration (WHOIS)
- Hosting and networking (ASN information)
- Domains configuration (domain name status codes)
- Open ports (114 ports are scanned on a weekly basis)
- SSL configuration (e.g. expiration or outdated algorithms)
The GDPR (European Privacy Law) Compliance dashboard presents an analysis of compliance related to GDPR on webpage assets (SSL certificates information) and PII (login- and cookie -compliance) data (example below is Microsoft).
OWASP Top 10
The OWASP Top 10 dashboard provides an overview of impacted webpage assets vulnerable to the OWASP criticial web application security risks.
Integration with XDR & SIEM
Details of the integration with Microsoft Sentinel (SIEM), Microsoft 365 Defender (XDR) and Microsoft Defender for Cloud (XDR) are not available at the time of writing.
Personally I really like the new Micosoft Defender External Attack Surface Management and will definitely advise it to all my customers (and our internal Red Team :-)). See Overview Microsoft Docs for detailed information.