Defender EASM 101
If you’re in infosec, you have probably heard the quotes “You Need to Know your Assets to Monitor and Defend them” or “You Can’t Protect What You Don’t Know.” Those quotes and related ones were born in the field, from the fact that we all have security gaps in our visibility of unknown assets in our environment, particularly in the external environment.
While most organizations put a lot of effort into internal and external security, whether it’s endpoint security, cloud security, or the external attack surface, it’s pretty hard to close all those security gaps alongside the day-to-day projects, tasks, and security incidents.
This blog post is part of the Microsoft Defender EASM series and focuses on “EASM 101” and the approach to external attack surface security.
When I speak and write about Microsoft Defender EASM or Defender Threat Intelligence, at least at the beginning, it takes me back to the days when Microsoft acquired RiskIQ and to the months after that, which brought the new Microsoft approach and goals for External Attack Surface Management and Threat Intelligence. Having used RiskIQ in the past, I knew Microsoft would take it a few steps further, and the Private Preview of Defender EASM and Defender Threat Intelligence gave the whole vision and the detailed picture.
Now we have two great platforms: Microsoft Defender EASM and Defender Threat Intelligence. Both are part of the Microsoft Defender family and add great pieces to the kill chain puzzle.
When it comes to visibility and Shadow IT, I know that many people talk about knowing what you’ve got and protecting it with external attack surface management tools. But if it were that simple, attackers wouldn’t have so many successes, would they?
What is EASM?
So, what is EASM? External Attack Surface Management (EASM), also known as Digital Attack Surface Management, covers the sum of an organization’s internet-facing assets and the associated attack vectors that can be exploited during attacks. This includes domain names, SSL certificates, hosts, protocols, and network services. These assets are spread across on-premises environments, cloud environments, and third-party vendors. Those external assets represent the easiest way into internal networks and sensitive data.
In the past, organizations accumulated an ever-growing list of public assets to facilitate communication between their internal network and the internet. For example, some of these assets are officially registered IP addresses, but the majority are unregistered and ephemeral. Today, an organization’s external attack surface spans beyond its known network ranges and often includes assets managed by third-party vendors.
External Attack Surface Management is a great way to keep track of every internet-facing asset within a business and identify the security gaps and weaknesses that could lead to a breach. This method of breach prevention includes a few components:
Fingerprinting – You need to understand your assets to identify any open entrances that would be attractive to an adversary. This means fingerprinting the technology, the contents, and the connections to third parties. It also involves detecting vulnerabilities at the asset layer. By categorizing this information, you can quickly see the big picture of where your organization’s assets, and their weaknesses, lie in the cloud and on other platforms.
Discovery – You must search for and catalog every asset associated with your business. The discovery process must be continuous because new assets may appear at any time, whether through a new system installed by IT, a developer adding new applications, or a merger bringing in a newly acquired environment.
A quick look at the Discovery method in Defender EASM.
Security Monitoring – Business applications and digital computing are constantly changing, as today’s computing is very dynamic. In this situation, new vulnerabilities can be found at any time. Continuous monitoring for these changes allows security teams to correct any security issues before a data breach occurs.
Why is EASM important?
We all know digital computing and innovation are necessary for every company, but they don’t come without security issues. Most organizations are shifting apps to the cloud while still running legacy systems in an on-premises environment, with historical gaps. Multi-cloud brings together better technology, more flexibility, and self-service provisioning.
One commonly missed challenge is that when you have more internet assets, you also have more potential entryways and attack paths for adversaries to infiltrate. I refer to this collection of entryways as the attack surface. To keep track of the entryways and ensure they are closed to attackers, the practice of external attack surface management (EASM) was born.
External attack surface management isn’t just monitoring a known asset inventory or finding Shadow and legacy IT, although those things are important and most organizations benefit from understanding them well. External attack surface management covers aspects of both, but most importantly, it’s deployed within the context of actual risk.
External Attack Surface Management is vital because adversaries are always on the watch for the attack path of least resistance, hoping to find blind spots that businesses have missed. All it takes is one exploitable entry point to get into the corporate environment.
The best way to stay ahead and prevent that is to monitor your external assets. You must get into the attacker’s mind and watch your external assets exactly as an attacker would see them from the outside. By monitoring your assets, you can mitigate the risks of things that leave your external assets vulnerable, like:
- Vulnerable Apps
- Expired SSL Certs
- Missing security headers
- Shadow infrastructure
- Insecure Design
- Security Misconfiguration
- Vulnerable and Outdated Components
- Identification and Authentication Failures
- Software and Data Integrity Failures
If you’re not constantly monitoring for these security issues, an attacker may find and exploit them months before you’re aware. It takes 180-200 days to detect and contain a data breach.
The Challenges
The shift to the cloud and IT democratization created a new reality for every organization. Most organizations have significant blind spots and limited visibility into their Shadow IT and asset exposure on the internet. Mapping the external attack surface with the visibility provided by traditional tools is hard. One of the critical phases in EASM is to map the challenges. Here are the top ones:
Visibility – We must know what we have on the external attack surface and what visibility an attacker has. Although the EASM platform is not intended to be an attack tool or for primary use in penetration testing, it provides excellent visibility that lets the offensive team know what the external network looks like from the outside.
Streamline Operations – Automatic risk prioritization and built-in remediation advice will save time and help you focus on what matters most. The ability to easily share findings with internal teams will increase operational efficiency and align teams.
Siloed Groups – Multiple groups within the organization deal with external assets, whether SecOps, DevOps, or others. Often, these groups struggle to balance delivering results quickly against the need to comply with security policies.
Ecosystems – The DMZ is dead. Today, your assets are everywhere. In addition to your core network, you have remote offices and subsidiaries. You work with third-party hosting providers and business partners, all of which are connected directly and indirectly to your network.
Dynamic Assets – Your external attack surface is constantly changing. With around 80% of your public IP addresses being ephemeral, keeping track of your internet-facing inventory using traditional methods is almost impossible.
EASM Approach
As we know, business moves fast, and many organizations that once had a handful of internet-facing assets now have assets located anywhere. The external attack surface is constantly changing and expanding rapidly. With such massive amounts of changing data, security teams must work out how to approach EASM to ensure nothing falls through the cracks.
The external attack surface approach can differ from one organization to another. Still, the external attack surface principles will be part of every organization that wants to know what it has and how to close the security gaps.
Identify the External Attack Surface – Before managing your external attack surface, you need to know what’s on it. So, the first step is to take inventory of every external asset associated with your business: domains, IPs, hosts, etc.
You can achieve this goal by using a service that scans and creates a database of the entire internet and can pull out assets associated with a business using one email address. Or, start with a seed domain, usually the primary domain of your business environment, and use a crawler to identify associated assets.
Your results can be compiled into a centralized view to see the status of your entire attack surface in one location. This will allow you to monitor, prioritize, mitigate, and protect your assets with fewer things falling through the cracks. Always remember that attackers don’t just target your most secure and best-monitored assets; they will target anything they can find.
A quick look at the Defender EASM Overview shows how it leverages Microsoft’s crawling technology to discover assets related to external infrastructure and actively scans these assets to discover new connections over time. Attack Surface Insights are generated by leveraging vulnerability and infrastructure data to showcase your organization’s key areas of concern.
Continuous Monitoring – Once you have complete visibility of every asset on your attack surface, it’s time to apply the appropriate testing and monitoring services to each asset. These services need to do their jobs continuously because a new vulnerability can arise at any moment, and so can an attack. If you only have data from point-in-time testing, like penetration testing, to work with, that information becomes outdated instantly, and your business is left vulnerable.
Identify issues and fix them – Security teams have traditionally focused on fixing as many vulnerabilities as possible because the longer the list, the more impressive it seems. But in reality, a high volume of remediated vulnerabilities doesn’t equate to success. If you’re fixing hundreds of low-risk vulnerabilities and neglect one high-risk vulnerability, you’ve left open the kind of entryway to your business that is the most attractive to an attacker. Focus on finding the security issues with the most significant risk and fix those before the little things.
Offensive Approach – Manual penetration testing should be the last phase in securing your external attack surface. Automated solutions can’t find everything, but they can find a massive amount. By doing manual pen testing after you’ve finished the automated methods, you’ll make more efficient use of expensive human hours, since fewer easy targets will be left to discover.
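The approach above (expand from a seed domain, monitor every discovered asset continuously, fix the highest-risk issues first), as an added Python example that is not code from the original post or from Defender EASM. The relationship records, host observations, required-header policy, scoring weights and the AS_OF date are constructed assumptions standing in for what a crawler and monitoring service would collect.

```python
from collections import deque
from datetime import date

# Constructed relationship records standing in for crawler output (hypothetical data); a real
# crawler derives them from DNS answers, certificate SANs, reverse DNS and page links.
EDGES = [("example.com", "dns_a", "203.0.113.10"), ("example.com", "cert_san", "shop.example.com"),
         ("example.com", "cert_san", "legacy.example.net"), ("shop.example.com", "dns_a", "203.0.113.20"),
         ("legacy.example.net", "dns_a", "198.51.100.5")]
# Constructed per-host observations, the kind of data continuous monitoring collects.
OBSERVED = {
    "shop.example.com": {"cert_expires": date(2024, 1, 10),
                         "headers": {"strict-transport-security"}, "cvss_max": 4.3},
    "legacy.example.net": {"cert_expires": date(2023, 2, 1), "headers": set(), "cvss_max": 9.8},
}
REQUIRED_HEADERS = {"strict-transport-security", "content-security-policy", "x-content-type-options"}
AS_OF = date(2023, 12, 20)  # assumed "today" so the example is reproducible

def discover(seed, edges):
    """Step 1: expand the seed domain into every asset reachable through the relationship graph."""
    seen, queue = {seed}, deque([seed])
    while queue:
        node = queue.popleft()
        for src, _, dst in edges:
            nxt = dst if src == node else src if dst == node else None
            if nxt is not None and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def assess(obs, today):
    """Step 2: turn one host's observations into (score, message) findings."""
    findings = []
    days_left = (obs["cert_expires"] - today).days
    if days_left < 0:
        findings.append((8.0, f"TLS certificate expired {-days_left} days ago"))
    elif days_left < 30:
        findings.append((5.0, f"TLS certificate expires in {days_left} days"))
    missing = REQUIRED_HEADERS - obs["headers"]
    if missing:
        findings.append((3.0, "missing security headers: " + ", ".join(sorted(missing))))
    if obs["cvss_max"] >= 7.0:  # high or critical component vulnerability
        findings.append((obs["cvss_max"], f"vulnerable component (CVSS {obs['cvss_max']})"))
    return findings

def prioritised_findings(seed, edges, observed, today=AS_OF):
    """Step 3: discover, assess every observed asset, and return findings worst-first."""
    rows = [(score, asset, msg) for asset in discover(seed, edges) if asset in observed
            for score, msg in assess(observed[asset], today)]
    return sorted(rows, reverse=True)
```

Assets that are discovered but never observed (the bare IP addresses here) produce no findings, which is itself a visibility gap worth tracking in a real inventory.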
Building the Case for Defender EASM
The use case for Defender EASM can be built on risk mitigation, reputation, resource savings, and, last, helping the offensive team discover vulnerable resources automatically and save time.
Whether it’s a risk scenario or another, you should have a security ROI, or ROSI.
SANS and ENISA created a complete guide for assessing security investments that personalizes the math to reflect your unique environment and the average impact of the solution. This has become a popular method for demonstrating the risk reduction potential of your target investment.
The Return On Security Investment (ROSI) calculation requires a business to estimate its Annualized Loss Expectancy (ALE): the financial loss from a single security incident multiplied by the number of times such an incident might occur in a year. The ALE is multiplied by the mitigation ratio, the expected impact of the risk-reduction activities; the cost of the solution is subtracted, and the result is divided by the cost of the solution:
ROSI = (ALE × Mitigation Ratio - Cost of Solution) / Cost of Solution
Gartner once estimated that one-third of successful attacks would be against unknown or unprioritized assets. If that has been, or could be, true for you, then your ALE might be a little higher. It might also be higher if your external attack surface suddenly expands due to digital transformation or other security incidents that often lead to an explosion of unknown and potentially vulnerable assets.
The facts on the ground bear out that everyone has had a critical incident in the last two years. Therefore, you must know the price of a security incident. With that, we need to calculate the Defender EASM price. Based on your external assets, you can calculate the cost per asset per day according to your license.
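The ROSI calculation above carried through in code, as an added Python example that is not from the post, SANS or ENISA. The loss figures, the per-asset-day price and the unknown-asset adjustment (scaling ALE up when a share of incidents hits assets outside the original estimate) are constructed assumptions, not Microsoft list pricing.

```python
def annualized_loss_expectancy(single_loss_expectancy, annual_rate_of_occurrence):
    """ALE: the loss from one incident multiplied by how often it is expected per year."""
    return single_loss_expectancy * annual_rate_of_occurrence

def solution_cost(asset_count, price_per_asset_day, days=365):
    """Yearly cost of an asset-per-day licence; the price is a placeholder, not a list price."""
    return asset_count * price_per_asset_day * days

def rosi(ale, mitigation_ratio, cost_of_solution):
    """ROSI = (ALE x mitigation ratio - cost of solution) / cost of solution."""
    if cost_of_solution <= 0:
        raise ValueError("cost of solution must be positive")
    if not 0.0 <= mitigation_ratio <= 1.0:
        raise ValueError("mitigation ratio is the fraction of ALE avoided, between 0 and 1")
    return (ale * mitigation_ratio - cost_of_solution) / cost_of_solution

def breakeven_mitigation_ratio(ale, cost_of_solution):
    """Smallest mitigation ratio at which the investment pays for itself (ROSI = 0)."""
    return cost_of_solution / ale

def rosi_with_unknown_assets(ale, unknown_share, mitigation_ratio, cost_of_solution):
    """Assumed adjustment: if the ALE estimate only counted incidents on known assets and a
    share of incidents actually hits unknown ones, the full ALE is ale / (1 - unknown_share)."""
    if not 0.0 <= unknown_share < 1.0:
        raise ValueError("unknown_share must be in [0, 1)")
    return rosi(ale / (1.0 - unknown_share), mitigation_ratio, cost_of_solution)

def worked_example():
    """Constructed figures only: 250k per incident, 0.4 incidents a year, 1,000 assets at
    0.02 per asset per day, and a solution expected to avoid 25% of the annual loss."""
    ale = annualized_loss_expectancy(250_000, 0.4)   # 100,000 per year
    cost = solution_cost(1_000, 0.02)                # 7,300 per year
    return {"ale": ale, "cost": cost,
            "rosi": rosi(ale, 0.25, cost),
            "breakeven_ratio": breakeven_mitigation_ratio(ale, cost),
            "rosi_if_third_unknown": rosi_with_unknown_assets(ale, 1 / 3, 0.25, cost)}
```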
A few words about Defender EASM before the next blog post.
Microsoft Defender EASM protects the digital experience by discovering all internet-exposed resources in your environment. It defines your organization’s unique internet-exposed attack surface and proactively discovers unknown resources to manage your security posture. Three key points of Defender EASM are:
Eradicate external security gaps – View your organization’s web applications, dependencies, and web infrastructure through a single pane of glass with a dynamic system of record. Gain enhanced visibility to enable security and IT teams to identify previously unknown resources, prioritize risk, and eliminate threats.
Extend security beyond the firewall – View your rapidly changing global attack surface in real-time with complete visibility into your organization’s internet-exposed resources. A simple, searchable inventory provides network teams, security defenders, and incident responders with verified insights into vulnerabilities, risks, and exposures from hardware to individual application components.
Understand your security posture – Gain a holistic view of your security posture to develop best practices and make informed decisions about security control investments and remediation with a dynamic inventory of external resources across the internet and multiple cloud environments.
Microsoft Defender EASM and Defender TI are game changers that bring massive features to security teams. Use them wisely!
The following blog posts will focus on how to get started with Microsoft Defender EASM, with many insights, tips, and experiences from the field over the last year with Defender EASM and before that with RiskIQ.