Microsoft Security Exposure Management #XSPM

Derk van der Woude
6 min read, Mar 13, 2024

Microsoft Security Exposure Management is a new Microsoft Security product in the threat prevention layer of cybersecurity that provides insights aligned with the business objectives of the organization.

Every company has different business objectives related to cybersecurity, namely the protection of its critical assets (aka crown jewels): e.g. the secret recipe of Coca-Cola, the webshop of Amazon, the (SWIFT) payment system of Bank of America, etc.

Prevention (XSPM) is always better than the cure (XDR)

First let’s start with the question: what is exposure management?
Where posture and/or vulnerability management discovers vulnerable assets within the organization, exposure management adds two things to the process of identifying, assessing and addressing risks: exposure (can an attacker actually reach the asset, and from where?) and business context (which assets are the critical digital assets, aka crown jewels). The result is a view of the cybersecurity threats and risks associated with exposed critical assets rather than a flat list of vulnerabilities.

Disclaimer: Microsoft Defender CSPM already has a feature called attack paths, which can be seen as an early version of exposure management.

Microsoft Vulnerability and/or Posture Management solutions

Microsoft’s current approach to posture and/or vulnerability management is technical and product-based, with one or more security products per asset domain, such as (Microsoft 365 & Azure) Secure Score, MDVM (Microsoft Defender Vulnerability Management), Defender CSPM (Cloud Security Posture Management), Defender EASM (External Attack Surface Management), etc.

Defender EASM is the outcome of the RiskIQ acquisition and was the first step towards exposure management (Microsoft Defender Threat Intelligence #MDTI was the other product resulting from the RiskIQ acquisition).

Microsoft Security Exposure Management

Microsoft Security Exposure Management is the evolution of vulnerability management (Microsoft 365) and posture management (multi-cloud, e.g. Azure): it leverages all available posture and vulnerability management products and adds exposure and critical assets (crown jewels) to the process.

XSPM (eXtended Security Posture Management) is a term often used in exposure management.

XSPM is for threat prevention what XDR is for threat detection and response.

Microsoft Security Exposure Management is designed to help businesses identify their most critical assets (crown jewels) and their exposure to cyber threats, assess the level of risk each cyber threat poses to the organization and provide recommendations to mitigate and lower the cybersecurity risks.

Overview

The start page of the Exposure Management portal provides an overview of:

Overview
  • Assets: overview of all exposed assets
  • Key initiatives: risk score per cybersecurity threat (initiative)
  • Top metrics: security configuration risk scores
  • Recent security events: overview of configuration changes that moved a score
  • Critical asset summary: overview of critical assets (crown jewels)

Attack surface

The Attack surface section is a graphical presentation of the environment (number of assets and potential attack paths), divided into a Map view and an Attack paths view.

Map

Map is the graphical (over)view of the environment: asset types (categorized in Devices, Identities and Cloud resources) and the number of exposed assets, including the number of critical assets (crown jewels).

Attack Surface | Map

Critical assets are configured in the Settings page of Microsoft Defender XDR under Critical asset management (e.g. the Global Administrator group or a Domain Controller server).

Critical assets classification is also available in the Device section of the Microsoft Defender XDR portal.

Device | Classify Critical assets

Attack paths

Attack paths is a graphical view of the potential paths an attacker could take, by exploiting vulnerable assets and applying privilege escalation and lateral movement techniques, towards critical assets (crown jewels).

Attack surface | Attack paths | Crown jewels

It provides an overview per Entry point type (e.g. a device with a high-severity vulnerability) towards Target type (e.g. a User, Group or Device in Entra ID or Active Directory).

Attack surface | Attack paths

Attack paths centralizes the view and combines old and new Defender technology:

  • Microsoft Defender for Identity; Lateral Movement Paths (LMP)
  • Microsoft Defender for Endpoint; internet-connected devices (via Defender EASM)
  • Defender CSPM; Attack Paths
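To make concrete what a path from an entry point to a crown jewel looks like, and why exposure management ranks vulnerable assets differently from a plain vulnerability list, here is an added example in Python. It is not code from Microsoft Security Exposure Management or from any of the products above; the inventory, the relation labels on the edges and the vulnerability/criticality tags are constructed for illustration and only mimic the kind of facts those products feed into the graph.

```python
"""Attack-path search over a small exposure graph.

Added, illustrative example; not code from Microsoft Security Exposure
Management. The nodes, the relation labels on the edges and the
"high severity vulnerability" / "critical asset" tags are all constructed here.
"""
from collections import deque
from dataclasses import dataclass


@dataclass
class Node:
    name: str
    kind: str                      # "device", "user", "group"
    critical: bool = False         # crown jewel (Critical asset management)
    high_sev_vuln: bool = False    # entry point: device with a high-severity vulnerability
    internet_facing: bool = False  # entry point: reachable from the internet (EASM)


# Constructed inventory: two vulnerable devices, two crown jewels.
NODES = {
    "web01": Node("web01", "device", high_sev_vuln=True, internet_facing=True),
    "svc_web": Node("svc_web", "user"),
    "app01": Node("app01", "device"),
    "alice": Node("alice", "user"),
    "Domain Admins": Node("Domain Admins", "group", critical=True),
    "dc01": Node("dc01", "device", critical=True),
    "kiosk07": Node("kiosk07", "device", high_sev_vuln=True),
    "bob": Node("bob", "user"),
    "print01": Node("print01", "device"),
}

# Constructed directed edges (source, relation, target): the kind of lateral
# movement / privilege escalation facts an exposure graph stores.
EDGES = [
    ("web01", "has credentials of", "svc_web"),
    ("svc_web", "can authenticate as", "app01"),
    ("app01", "has credentials of", "alice"),
    ("alice", "member of", "Domain Admins"),
    ("Domain Admins", "has admin rights on", "dc01"),
    ("kiosk07", "has credentials of", "bob"),
    ("bob", "can authenticate as", "print01"),
]


def entry_points(nodes):
    """Assets an attacker could start from."""
    return [n.name for n in nodes.values() if n.high_sev_vuln or n.internet_facing]


def attack_paths(nodes, edges, max_hops=6):
    """Breadth-first search from every entry point; returns the shortest path
    (as a list of node names) to each critical asset it can reach."""
    adj = {}
    for src, _rel, dst in edges:
        adj.setdefault(src, []).append(dst)
    paths = []
    for start in entry_points(nodes):
        queue = deque([[start]])
        seen = {start}
        while queue:
            path = queue.popleft()
            here = path[-1]
            if nodes[here].critical and here != start:
                paths.append(path)  # keep walking: dc01 sits behind Domain Admins
            if len(path) - 1 >= max_hops:
                continue
            for nxt in adj.get(here, []):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(path + [nxt])
    return paths


def render(path, edges):
    """'web01 -[has credentials of]-> svc_web -[...]-> ...' for one path."""
    rel = {(s, d): r for s, r, d in edges}
    out = path[0]
    for a, b in zip(path, path[1:]):
        out += f" -[{rel[(a, b)]}]-> {b}"
    return out


def rank_entry_points(nodes, edges):
    """What exposure management adds on top of a vulnerability list: rank each
    vulnerable asset by the crown jewels it exposes and how many hops away they are."""
    paths = attack_paths(nodes, edges)
    ranking = {}
    for ep in entry_points(nodes):
        mine = [p for p in paths if p[0] == ep]
        ranking[ep] = {
            "crown_jewels": sorted({p[-1] for p in mine}),
            "shortest_hops": min((len(p) - 1 for p in mine), default=None),
        }
    return ranking


if __name__ == "__main__":
    for p in attack_paths(NODES, EDGES):
        print(render(p, EDGES))
    for ep, info in rank_entry_points(NODES, EDGES).items():
        print(ep, info)
```

The point is the ranking at the end: kiosk07 carries the same high-severity vulnerability as web01, but no path from it reaches a critical asset, so an exposure-based view prioritizes web01, whereas a vulnerability scanner rates both devices the same.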

Exposure insights

The Exposure insights section consists of risk-scored initiatives (cybersecurity threats). Each initiative is made up of one or more metrics (statistics about security configuration), comes with recommendations (security settings) to mitigate the potential risk(s), and has events that give a daily overview of changes.

Initiatives

Initiatives are cybersecurity threats, scored by how well the organization is protected against them.

Initiatives | Domain

Initiatives are categorized into Domain initiatives (threat types like Business Email Compromise, Ransomware, etc.) and Threat article initiatives, based on threat articles from the Microsoft research teams such as the MDTI (Microsoft Defender Threat Intelligence) articles about Advanced Persistent Threats (APTs).

Initiatives | Threat articles

For example, the Ransomware (scope: devices) initiative consists of Entra ID and Defender for Endpoint configuration settings (metrics), while the Business Email Compromise (unauthorized access to a mailbox) initiative consists of Entra ID and Defender for Office 365 configuration settings (metrics).

Cloud Security initiative

Some initiatives require add-on security products, like Defender CSPM for the Cloud Security initiative and Defender EASM for the External Attack Surface Management initiative.

Metrics

Metrics are configuration items scored by completeness.
For example, the metric % of users without multifactor authentication (MFA) enabled counts the Entra ID users for whom MFA is and is not enforced via Security defaults or Conditional Access, and scores the share that is covered.

The initiative below is Business Email Compromise, which includes 7 metrics.

Business Email Compromise Initiative and related Metrics

Recommendations

The Recommendations section lists security recommendations (remediation steps) that increase the metric and initiative scores and lower the security risk.

Exposure insights | Recommendations

For example, the recommendation to configure Phishing-resistant MFA strength uses the new Conditional Access Authentication strength grant control to allow only phishing-resistant MFA methods: FIDO2 security keys (passkeys), Windows Hello for Business and certificate-based authentication.

Phishing-resistant MFA recommendation steps

Such a Conditional Access policy protects against token (session token or cookie) compromise via AiTM (Adversary in The Middle) attacks with tools like Evilginx: a push or OTP prompt can be relayed through the attacker’s proxy, whereas FIDO2, Windows Hello for Business and certificate-based authentication rely on proof of possession of a private key that the proxy never sees (FIDO2 additionally binds the assertion to the legitimate origin), so the sign-in through the proxy does not complete and no session token is issued to the attacker.
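As an added example (not Microsoft’s code and not part of the original post), the Python script below expresses this recommendation as the Microsoft Graph request body it amounts to and then audits a constructed set of Conditional Access policies for it. The policy dictionaries follow the shape of the Graph conditionalAccessPolicy resource, and the three authentication strength IDs are the built-in ones Entra ID ships with; the sample policies themselves are constructed, and a real tenant would feed in the output of GET /identity/conditionalAccess/policies instead.

```python
"""Audit Entra ID Conditional Access policies for the phishing-resistant MFA
recommendation.

Added example, not Microsoft's code. Policy dictionaries follow the shape of the
Microsoft Graph conditionalAccessPolicy resource; the sample policies at the
bottom are constructed for illustration.
"""

# Built-in Entra ID authentication strength IDs.
MFA_STRENGTH = "00000000-0000-0000-0000-000000000002"
PASSWORDLESS_MFA_STRENGTH = "00000000-0000-0000-0000-000000000003"
PHISHING_RESISTANT_MFA_STRENGTH = "00000000-0000-0000-0000-000000000004"


def phishing_resistant_policy(display_name="Require phishing-resistant MFA for all users"):
    """Request body the recommendation boils down to
    (POST /identity/conditionalAccess/policies)."""
    return {
        "displayName": display_name,
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {
            "operator": "OR",
            "authenticationStrength": {"id": PHISHING_RESISTANT_MFA_STRENGTH},
        },
    }


def evaluate(policies):
    """Return (satisfied, findings).

    satisfied is True only if at least one *enabled* policy enforces the
    phishing-resistant strength for All users on All apps. Weaker policies are
    reported with the reason they do not stop an AiTM proxy."""
    findings = []
    satisfied = False
    for p in policies:
        name = p.get("displayName", "<unnamed>")
        grant = p.get("grantControls") or {}
        strength = (grant.get("authenticationStrength") or {}).get("id")
        if strength != PHISHING_RESISTANT_MFA_STRENGTH:
            weaker = strength in (MFA_STRENGTH, PASSWORDLESS_MFA_STRENGTH)
            if weaker or "mfa" in (grant.get("builtInControls") or []):
                findings.append(f"{name}: requires MFA, but push/OTP prompts can be relayed by an AiTM proxy")
            continue
        if p.get("state") != "enabled":
            findings.append(f"{name}: phishing-resistant strength, but state={p.get('state')!r} enforces nothing")
            continue
        cond = p.get("conditions") or {}
        users = cond.get("users") or {}
        apps = cond.get("applications") or {}
        if users.get("includeUsers") != ["All"] or apps.get("includeApplications") != ["All"]:
            findings.append(f"{name}: scoped to a subset of users/apps; everything outside it stays phishable")
            continue
        excluded = (users.get("excludeUsers") or []) + (users.get("excludeGroups") or [])
        if excluded:  # break-glass exclusions are normal, but they stay phishable; flag, don't fail
            findings.append(f"{name}: note, exclusions {excluded} are not covered")
        satisfied = True
    return satisfied, findings


# Constructed tenant state: classic MFA for everyone, phishing-resistant MFA only in report-only mode.
SAMPLE_POLICIES = [
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Phishing-resistant MFA (report-only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR", "authenticationStrength": {"id": PHISHING_RESISTANT_MFA_STRENGTH}},
    },
]


if __name__ == "__main__":
    print("before:", evaluate(SAMPLE_POLICIES))
    print("after:", evaluate(SAMPLE_POLICIES + [phishing_resistant_policy()]))
```

Note the two failure modes the audit separates: a policy that requires plain MFA (builtInControls: mfa) counts as MFA enabled for the % of users without MFA metric but still falls to an AiTM proxy, and a phishing-resistant policy left in report-only mode (enabledForReportingButNotEnforced) enforces nothing until its state is switched to enabled.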

Event

The Events section provides a trendline of the initiative and metric scores: every change to a configured security setting from the recommendations list shows up as a daily percentage increase or decrease.

Exposure insights | Event

For example, if we disable Tamper protection in Microsoft Defender XDR, we will see a drop in the score of the metric % of endpoints without tamper protection enabled (more endpoints now lack it), which is part of the Ransomware protection initiative.

metric example

Secure Score

The (Microsoft 365) Secure Score section is the ‘original’ Microsoft Secure Score overview per asset (product) type (Identity, Devices, Apps & Data), moved from the Home section to the Exposure management section.

Data connectors

The Data connectors section is where non-Microsoft products (e.g. Qualys, Rapid7 and possibly Nessus) are connected to enrich and centralize the exposure management views (work in progress).

I hope you enjoyed reading my blog and got more insight into this new security product; keep in mind that the version is public preview, so more development will follow in the months and years to come.
