Microsoft Defender EASM – for vulnerability monitoring
Today, IT departments manage a vast array of digital services hosted in various vendors’ cloud services, in addition to the local systems they must provide for their organization to meet the demands of today’s hybrid work.
In many organizations, systematic continuous development and monitoring are carried out for Microsoft’s cloud services, as well as for the internal network and its services. However, especially in small and medium-sized organizations, the investigation of security weaknesses and risks in services accessible from the external network has been somewhat neglected. The costs of external network vulnerability scanning services have partly contributed to the lack of investigations. But could there be a lightweight solution that wouldn’t be daunting in terms of pricing?
Microsoft Defender EASM solution
A couple of years ago, Microsoft introduced Microsoft Defender External Attack Surface Management (EASM), a product for detecting and managing external vulnerabilities. The product is based on the RiskIQ product, which came to Microsoft through a corporate acquisition.
With EASM, organizations can monitor and observe the state of their external attack surface. The tool identifies potential vulnerabilities from the perspective of the external network and provides alerts and risk assessments in the EASM management portal. Among other things, the service identifies open ports, application vulnerabilities, the status of certificates, and information on potentially exposed personal data (PII).
How to get started with the service?
The EASM service is activated from the Azure cloud service, so an Azure subscription is required as a prerequisite. Pricing is based on the number of asset types brought in during the discovery function of the service. The price per asset type is €0.010/day. Asset types are IP addresses or domains that the organization has approved in its inventory in the service. The pricing can be considered quite moderate. A 30-day free trial is also available, after which it automatically transitions to monthly billing from the Azure subscription.
The actual monitoring of the external attack surface begins by enabling the discovery function and selecting seeds, i.e., the asset types that are included in the scan. For example, the discovery function initially includes the domains and public IP addresses used by the organization.
In addition to domains and IP addresses, seeds can include:
• Host names
• Email addresses
• ASN numbers
• Certificates
• Whois organization
Once the targets have been selected for the discovery function and it is initiated, it takes a day or two before results start appearing in the portal.
Dashboards
For reviewing results, the EASM service offers various ready-made dashboard views, which Microsoft has added as the service has developed.
The Attack Surface Summary dashboard presents the key findings from the environment. It provides an overview of the organization’s attack surface and the asset types it includes, highlighting potential vulnerabilities by severity (high, medium, low). The dashboard also offers key information about the infrastructure that constitutes the organization’s attack surface.
The Security Posture dashboard helps organizations understand the maturity of their security based on metadata derived from asset types. It consists of technical and non-technical practices, processes, and controls. The dashboard provides information on CVE vulnerabilities, open communication ports, and SSL certificate configurations, among other things.
The GDPR Compliance dashboard highlights key compliance risks based on GDPR requirements. The dashboard provides visibility into the state of the organization’s websites, potential SSL certificate issues, exposed personal data (PII), login protocols in use, and cookie compliance.
The OWASP Top 10 dashboard highlights asset types that are vulnerable according to the OWASP list of the most critical web application security risks. On the dashboard, organizations can quickly identify asset types with inadequate access control, encryption errors, injections, incorrect security configurations, and other critical risks defined by OWASP.
The CWE Top 25 Software Weaknesses dashboard is based on the annual Top 25 Common Weakness Enumeration (CWE) list published by MITRE. CWEs represent the most common and impactful software weaknesses that are easily discoverable and exploitable.
The CISA Known Exploits dashboard shows all asset types potentially affected by vulnerabilities that have led to known exploits according to CISA definitions.

Example image of the Attack Surface Summary dashboard
Conclusion
Microsoft Defender EASM is easy to deploy and, based on our experiences, it has provided quite useful information about the target organization where we have been able to use it. However, it should be noted that it is not a comprehensive tool that would also handle, for example, penetration testing.
Today, security must be implemented holistically, and EASM as part of it is quite a good product. We recommend trying it; you will certainly gain useful information about the state of your organization’s external attack surface.
Above IT is a partner and resource for IT departments. As our customer, you will receive genuine expertise in the development of security and data protection, as well as support and security in the world’s upheavals!



