Finding, tracking, and managing all the assets found within an organization’s vast – and often unknown – digital attack surface can be a daunting task. A lack of knowing and monitoring all your assets, including shadow IT, leads to security gaps that can be exploited by attackers.
Understanding and documenting your entire attack surface with relevant asset tracking is critical to securing your environment. This highlights the importance of adding an external attack surface management (EASM) tool to your security stack.
EASM solutions are designed to provide a view of your digital attack surface from the outside in, enabling organizations to see exactly what attackers browsing the internet see when they come across an asset owned by your organization. Microsoft Defender EASM discovers and maps both known and unknown assets from an external perspective just as an attacker would see as they look to find a way to compromise an organization.
Enhanced Defender EASM functionality in Microsoft Copilot for Security
In November 2023, we announced new Defender EASM capabilities in Microsoft Copilot for Security that help security teams understand their attack surface, the pervasive CVEs within it, and get assistance remediation prioritization with the help of generative AI. The attack surface snapshot that Copilot users receive when using the prompts are, by default, generated from a library of pre-built attack surfaces that Microsoft has discovered for thousands of organizations. From our daily scans of the internet, Defender EASM discovers and searches for an organization’s attack surface based on publicly available information.
The results of prompts pulled from an organization’s pre-built attack surface are intended to give customers high-level visibility into their external assets and associated vulnerabilities. So far, they have been used by Early Access customers to achieve this visibility. One customer reported that they were able to identify unknown assets and remediate major vulnerabilities based on information gathered from EASM.
Now, we are thrilled to share enhanced functionality with these capabilities, which allows customers to directly connect their seeded and curated Defender EASM resource to Copilot for Security. With the curated Defender EASM integration, Copilot users can leverage generative AI to get comprehensive, up-to-date information about their external attack surface, analyzing assets that go above and beyond their pre-built attack surface.
Setting up is simple. In the configuration menu of Copilot for Security, turn on the Defender External Attack Surface Management skills on and then click on the Settings icon to enter your resource information. Once this information is entered, your future prompts in Copilot will utilize information from your configured EASM resource.
All of the existing Defender EASM prompts can be used when searching for information for a curated resource.
Sample prompts to get a summary of your externally facing assets include:
- What are the externally facing assets for [my resource]?
- What is [my resource’s] attack surface?
- What is my attack surface?
Sample prompts to get attack surface insights include:
- Do I have vulnerabilities in my external attack surface for [my resource]?
- What risk is in my external attack surface?
- What insights are there in my external attack surface?
Sample prompts to learn about CVEs of impact include:
- Does this [CVE ID] impact me?
- Should I be worried about this [CVE ID]?
- How many assets have critical CVSS’s for [my resource]?
Sample prompts to help you understand how you can prioritize remediation efforts include:
- Which SSL certificates from [my resource] do I need to take action on?
- Which expired SSL certificates are recent?
- What are my expired domains?
- Am I using SHA1 in my attack surface?
Learn more about Copilot for Security
To learn more about Microsoft Copilot for Security, visit aka.ms/CopilotForSecurity or contact your Microsoft sales representative. If you missed us at Microsoft Secure, you may watch the keynote video and extended Copilot demo session.
New External Attack Surface Protection Initiative in Microsoft Security Exposure Management
Today, we are excited to announce Defender EASM’s latest integration into Microsoft Security Exposure Management, our newest platform that delivers a clear and unified end-to-end view of an organization’s exposure by combining multiple Microsoft Security products and workloads in a single pane of glass, enabling continuous security posture visibility and improvement across the digital estate.
The integration, called the External Attack Surface Protection Initiative, allows CISOs and security team members to see different exposure metrics pertaining to their external attack surface, encouraging proactive posture management.
Defender EASM data surfaces the following information in Exposure Management:
Percent of assets in the attack surface with High, Medium, and Low Severity Insights
Large organizations’ attack surfaces can be incredibly broad, so prioritizing the key findings derived from Defender EASM’s data helps customers quickly and efficiently address the most important exposed elements of their attack surface. These Insights are primarily derived by detections created from internal researchers and can include critical CVEs, known associations to compromised infrastructure, use of deprecated technology, infrastructure best practice violations, or compliance issues.
Insight priorities are determined by Microsoft’s assessment of the potential impact of each insight – high, medium, and low severity – and the integration with Microsoft Security Exposure Management helps teams understand which insights to prioritize remediating first. In addition to getting visibility into these common areas of weakness, customers also receive remediation recommendations for each.
Percent of internet-facing assets with Critical and High CVE vulnerabilities
Common Vulnerabilities and Exposures (CVEs) is a list of publicly disclosed vulnerabilities relating to software weaknesses that could potentially catch the attention of an attacker. When Defender EASM completes the discovery of an organization’s assets, it then looks at what CVEs are associated with the assets. In Exposure Management, customers can see the percentage of assets in their attack surface that have Critical and High CVEs associated with, helping them visualize where they can take action.
Percent of expired SSL certificates
The security posture for configuration of an organization's SSL certificate portfolio determines both customer experience and risk of data compromise. In most modern browsers, websites with an expired SSL certification or outdated encryption will be blocked with a warning message to the user, impacting web traffic and brand trust. Users who proceed can have their communications with the website intercepted by a Man-in-the-Middle (MITM) attack. This can have several business impacts from business disruption, compliance issues, to exposure of adjacent critical systems derived by analyzing certificate values.
Percent of expired domains
Domains, previously owned by your organization which have expired, could be renewed and used by malicious actors to impersonate your brand to target your organization, employees, or customers. Organizations should review these domains to determine if they should be re-registered.
Percent of assets with remote access enabled
When remote access is enabled on open ports, it effectively allows attackers to gain unauthorized access to your network. This metric uncovers the percentage of assets in organizations’ external attack surfaces that have remote access enabled, so they can determine if it’s an asset that shouldn’t be accessible from anywhere.
Percent of assets utilizing SSH SHA1
Secure Shell Secure Hash Algorithm 1 (SSH SHA 1) is an older hash function that uses weak encryption. Defender EASM can detect assets that use this hash algorithm and alert customers to which assets are exposed to this risk in Exposure Management. Organizations should replace these certificates with new SSL certificates that use SHA-256.
Learn more about Microsoft Security Exposure Management
Achieving robust attack surface visibility and understanding posture are imperative in effectively managing threat exposure. Microsoft Security Exposure Management provides the essential tools and insights needed for proactive cybersecurity measures. It is not just a choice; it's a strategic move towards fortifying your organization's defenses in the face of evolving threats. Dive into a new era of cybersecurity resilience by getting started today.