Microsoft Defender External Attack Surface Management Blog
Leverage Generative AI to expedite attack surface investigations in Defender EASM

sohampatel (Microsoft)
May 21, 2024

A prerequisite to securing an organization on the internet is first knowing which of the organization’s digital assets are internet-facing. With the constantly changing internet, the migration to multi-cloud environments, the evolution of organizations through mergers and acquisitions, and the emergence of shadow IT, it is often difficult to maintain an up-to-date external view of an organization’s attack surface, leaving security gaps for attackers to exploit.


Microsoft Defender External Attack Surface Management (EASM) solves this challenge by discovering externally facing assets and identifying their risk. It identifies the vulnerabilities affecting those assets, which helps with prioritizing them, so you know where to start your remediation efforts.


While Defender EASM equips organizations with an updated external attack surface view and the risks associated with it, these vast, multifaceted attack surfaces require many resources to analyze each asset and its associated metadata. This often increases the time to remediation and the likelihood of an attacker exploiting a security gap. However, generative AI can expedite this analysis process, enabling security professionals to defend organizations at machine speed.


At Microsoft Ignite in November 2023, we announced Defender EASM’s prompting capabilities in Copilot for Security. Today, we are thrilled to share that the same capabilities – and more – are available in public preview in the Copilot chat pane in the Azure portal, where Copilot for Security customers can use them alongside their Defender EASM resources. This allows organizations to stay secure, with ease.

Dig into your external attack surface

The Copilot chat pane in Azure gives customers AI-driven insights on risky assets within their external attack surface. Instead of manually drilling down to investigate asset details, simply ask Copilot about recently expired SSL certificates and domains, and you’ll get automated answers for each in seconds. To find out which assets may be affected by Common Vulnerabilities and Exposures (CVEs), ask Copilot “Which assets have critical severity CVEs?” or “Does this ‘CVE ID’ impact me?” Knowing where CVEs lie, and how they are classified, will help you focus resources and remediation efforts on those that matter most.


Our Copilot capabilities also enable customers to quickly identify assets impacted by specific risks and vulnerabilities, such as assets that carry Common Vulnerability Scoring System (CVSS) scores, that still use SHA-1 certificates, or that are expiring soon – empowering them to determine which assets must be remediated first.


For example, we can investigate which assets are impacted by medium-priority CVSS scores and which vulnerabilities must be remediated to secure the affected assets. In the scenario shown in the image below, we can see that https://portal.fabrikam.com/ is at risk because of the jQuery version it uses.
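The checks described in the two paragraphs above (SHA-1 certificates, certificates that are expiring soon, CVSS severity buckets, and a particular jQuery version) are easy to express as a triage pass over an asset inventory. The block below is an added example, not Defender EASM or Microsoft code, and it makes no use of the Defender EASM API: the record layout, the field names (`cert_sig`, `cert_expires`, `jquery`, `cvss`) and the sample inventory are all assumptions constructed for the example, reusing the post's fabrikam.com hostname. It maps CVSS v3 base scores to their standard qualitative ratings and returns, per host, the findings that would push it up a remediation queue.

```python
"""Added example (not Defender EASM or Microsoft code): a small triage pass
over a constructed asset inventory, applying the kinds of checks the post
says Copilot surfaces.  Record layout and field names are assumptions made
for this example only."""
from datetime import date, timedelta

# Constructed sample inventory (hostnames borrow the post's fabrikam.com example).
INVENTORY = [
    {"host": "portal.fabrikam.com", "cert_sig": "sha256WithRSAEncryption",
     "cert_expires": "2024-06-05", "jquery": "3.1.0", "cvss": [5.4, 6.1]},
    {"host": "legacy.fabrikam.com", "cert_sig": "sha1WithRSAEncryption",
     "cert_expires": "2024-05-01", "jquery": None, "cvss": []},
    {"host": "www.fabrikam.com", "cert_sig": "sha256WithRSAEncryption",
     "cert_expires": "2025-01-15", "jquery": "3.7.1", "cvss": [9.8]},
]


def cvss_severity(score):
    """Map a CVSS v3 base score to its qualitative severity rating."""
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


def triage(inventory, today, expiry_window_days=30, jquery_version=None):
    """Return {host: [findings]} for every asset that trips at least one check.

    Checks: SHA-1 signed certificate, expired or soon-expiring certificate,
    highest CVSS severity buckets present, and an optional exact jQuery version.
    """
    findings = {}
    horizon = today + timedelta(days=expiry_window_days)
    for asset in inventory:
        issues = []
        if asset["cert_sig"].lower().startswith("sha1"):
            issues.append("sha1-certificate")
        expires = date.fromisoformat(asset["cert_expires"])
        if expires < today:
            issues.append("certificate-expired")
        elif expires <= horizon:
            issues.append("certificate-expiring-soon")
        severities = {cvss_severity(s) for s in asset["cvss"]}
        for sev in ("critical", "high", "medium"):
            if sev in severities:
                issues.append(f"cve-{sev}")
        if jquery_version and asset["jquery"] == jquery_version:
            issues.append(f"jquery-{jquery_version}")
        if issues:
            findings[asset["host"]] = issues
    return findings


if __name__ == "__main__":
    # Run the triage as of the post's publication date, looking for jQuery 3.1.0.
    report = triage(INVENTORY, date(2024, 5, 21), jquery_version="3.1.0")
    for host, issues in report.items():
        print(f"{host}: {', '.join(issues)}")
```

Hosts with no findings are omitted from the result, so the report is the list of assets to look at, not the whole inventory; the expiry window and the jQuery version are parameters so the same pass can answer the different questions the post lists.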

Perform advanced queries using natural language

An advanced feature in Defender EASM is the ability to search inventory to help solve a wide variety of specific business objectives and answer targeted questions, like “What assets were registered by name@example.com?” or “What assets are using an Azure service and have vulnerabilities?”. This querying capability enables organizations to quickly find assets for remediation based on their business objectives and prompt questions. With 65 unique filter fields and 20 filter operators, these queries can become extremely sophisticated to best address the organization’s needs.

To fully utilize Defender EASM’s robust querying capabilities, a certain level of familiarity with the Defender EASM querying tool is required. However, by using Defender EASM capabilities in Copilot, queries can be written more quickly and easily than ever before. Now, natural language inquiries such as “Which pages seen in the last 30 days are using jQuery?” and “Find all the page, host, and ASN assets in my inventory with X or Y IP address” can be automatically converted into the corresponding inventory queries across all data discovered by Defender EASM. This allows security analysts to leverage Defender EASM’s extensive querying capabilities to extract asset metadata and key asset information – without requiring an advanced query skillset.

To illustrate how this works using Copilot, let’s say that an organization has been informed about the risk associated with jQuery version 3.1.0. From there, a security analyst will want to understand which other assets in their environment are using that same version of jQuery. The analyst can enter a prompt in natural language, which will create a query in Defender EASM showing the assets running jQuery 3.1.0.

Use Defender EASM's Copilot prompts today

Defender EASM’s Copilot prompting capabilities in the Azure portal are currently in public preview and available to Copilot for Security customers. To learn more about Microsoft Copilot for Security, visit aka.ms/CopilotForSecurity or contact your Microsoft sales representative. To create a new Defender EASM resource and start using the prompts in the Azure chat pane, go to https://www.portal.azure.com and search for “Defender EASM”.

Updated May 21, 2024
Version 1.0