Defender EASM Glossary

You’ve probably heard about EASM, External Attack Surface Management, Exposure Management, External Attack Surface, and many other interpretations of the same idea. But the question is: is this a tool? A capability? Or just the latest buzzword that nobody understands? The answer is yes to all three.

Security vendors have done a quick job of making this new category as clear as mud, which makes it that much harder for you as a security practitioner, whether you are a SOC manager, cloud security engineer, IT admin, incident responder, etc., to understand what you are getting yourself into. One of the easiest ways to clear up the mess is to have definite terminology and definitions so that everyone speaks the same language.

The glossary below may look familiar; I share the terms based on the Defender EASM glossary, and only the general ones.

External Attack Surface – The external assets relevant to an organization’s cybersecurity posture. The External Attack Surface includes known and unknown assets and has become the number one entry point for security incidents and breaches.

Attack Surface Management – The continuous discovery and inventory of an organization’s known and unknown infrastructure. This is an ongoing process involving both internal and external visibility of assets. Attack surface management presents a new approach for security programs to understand and share context across teams to become proactive in building secure solutions and protecting the business.

External Attack Surface Management – A tool or process that continually discovers, inventories, and monitors the exposure of known and unknown external assets. External attack surface management is part of a more extensive attack surface management process or program and should prioritize outside-in visibility of external assets, since these are the most accessible to attackers.

Defender EASM

Attack Surface – The assets relevant to an organization’s cybersecurity posture to which an attacker can attempt to gain access or that an attacker can attempt to compromise. An attack surface includes all assets, whether or not they are known to or protected by an IT and security team. Both internal and external assets make up the attack surface and live on-premises, in the cloud, with shared hosting providers, and in other third-party dependencies.

Security Posture – helps measure the security program’s maturity based on the status of assets in your Confirmed Inventory. It comprises technical and non-technical policies, processes, and controls that mitigate the risk of external threats. 

Discovery – scans the Internet for assets owned by your organization to uncover previously unknown and unmonitored properties. Discovered assets are indexed in a customer’s inventory, providing a dynamic system of record of web applications, third-party dependencies, and web infrastructure under the organization’s management through a single pane of glass.

Discovery Group – Independent seed clusters that make up a single discovery run and operate on their own recurrence schedules. You can organize your Discovery Groups to delineate assets in whatever way best fits your company and workflows. Standard options include organizing by responsible team/business unit, brand, or subsidiary.

Asset Discovery – Identifying Internet assets that are part of an attack surface. Asset discovery is a foundational capability of attack surface management and should be conducted as frequently as possible. Connecting discovered assets to the attack surface should be automated and should prioritize only high-confidence findings to reduce false positives; this step is also referred to as Asset Attribution.

Assets by state – All assets are labeled as one of the following states: Approved Inventory, Dependency, Monitor Only, Candidate, and Requires Investigation.

Seeds – Known assets from which connected assets are discovered in order to build up the attack surface. In the example above, the seed is a domain, and the other assets are discovered by following connections from that initial seed.

Discovery Chain – The discovery chain outlines the observed connections between a discovery seed and the asset. This information helps users visualize these connections and better understand why an asset was determined to belong to their organization.

Trackers – Unique codes or values found within web pages, often used to track user interaction. These codes can correlate a disparate group of websites to a central entity.
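The Seeds, Discovery Chain, Asset Attribution, and Trackers entries above describe one mechanism: start from a known seed, follow observed connections (DNS records, shared certificates, shared tracker codes) to new hosts, record the chain of hops that led to each one, and keep only findings whose confidence is high enough. The following is an added example of that mechanism written for this post; it is not code from the original page and not Microsoft’s Defender EASM implementation. The hosts, IP addresses, tracker IDs and per-hop confidence values are all constructed for illustration, and the rule that a chain’s confidence is the product of its hop confidences is an assumption chosen to keep the example simple.

```python
import re
from collections import deque

# --- Constructed sample observations (not real hosts or tracker IDs) ---
SEED = "example.com"

# Outside-in relationships a discovery run might observe:
# (source, target, kind of connection, confidence of the hop).
OBSERVED_LINKS = [
    ("example.com", "www.example.com", "dns_subdomain", 0.95),
    ("example.com", "shop.example.com", "dns_subdomain", 0.95),
    ("www.example.com", "203.0.113.10", "dns_a_record", 0.90),
    ("shop.example.com", "203.0.113.11", "dns_a_record", 0.90),
    ("203.0.113.11", "legacy-store.example.net", "shared_cert_san", 0.80),
]

# Constructed page bodies as a crawler would fetch them. The "UA-..." IDs are fake.
PAGE_BODIES = {
    "www.example.com": '<script>ga("create","UA-12345678-1")</script>',
    "shop.example.com": "<script>ga('create', 'UA-12345678-2')</script>",
    "legacy-store.example.net": '<script>ga("create","UA-12345678-3")</script>',
    "promo.example-brand.org": "<script>gtag('config','UA-12345678-4')</script>",
    "unrelated.invalid": '<script>ga("create","UA-99999999-1")</script>',
}

# A Google Analytics property ID has the form UA-<account>-<property>.
# Pages embedding IDs from the same account are likely run by the same entity.
TRACKER_RE = re.compile(r"UA-(\d{4,10})-\d{1,4}")


def tracker_accounts(body):
    """Return the set of tracker account numbers embedded in a page body."""
    return set(TRACKER_RE.findall(body))


def tracker_links(pages, confidence=0.70):
    """Build (host_a, host_b, 'shared_tracker:<acct>', confidence) links for every
    pair of hosts whose pages share a tracker account. 0.70 is an assumed value:
    a shared tracker is weaker evidence than a DNS record or a certificate."""
    by_account = {}
    for host, body in pages.items():
        for acct in tracker_accounts(body):
            by_account.setdefault(acct, []).append(host)
    links = []
    for acct, hosts in by_account.items():
        hosts = sorted(hosts)
        for i, a in enumerate(hosts):
            for b in hosts[i + 1:]:
                links.append((a, b, f"shared_tracker:{acct}", confidence))
    return links


def build_graph(links):
    """Adjacency list; every observed connection is usable in both directions."""
    graph = {}
    for a, b, kind, conf in links:
        graph.setdefault(a, []).append((b, kind, conf))
        graph.setdefault(b, []).append((a, kind, conf))
    return graph


def discover(seed, links, min_confidence):
    """Breadth-first discovery from the seed.

    Returns {asset: (confidence, chain)} where chain is the list of (asset, kind)
    hops from the seed (the discovery chain) and confidence is the product of
    the hop confidences. Candidates below min_confidence are never attributed,
    and an asset reached twice keeps its highest-confidence chain."""
    graph = build_graph(links)
    best = {seed: (1.0, [(seed, "seed")])}
    queue = deque([seed])
    while queue:
        cur = queue.popleft()
        cur_conf, cur_chain = best[cur]
        for nxt, kind, conf in graph.get(cur, []):
            new_conf = cur_conf * conf
            if new_conf < min_confidence:
                continue
            if nxt not in best or new_conf > best[nxt][0]:
                best[nxt] = (new_conf, cur_chain + [(nxt, kind)])
                queue.append(nxt)
    return best


def run_discovery(min_confidence=0.5):
    """Combine DNS/certificate observations with tracker correlations and run
    discovery from SEED; returns the attributed inventory with chains."""
    return discover(SEED, OBSERVED_LINKS + tracker_links(PAGE_BODIES), min_confidence)


def format_chain(chain):
    """Render a discovery chain the way a user would read it."""
    return " -> ".join(f"{asset} [{kind}]" for asset, kind in chain)


if __name__ == "__main__":
    for asset, (conf, chain) in sorted(run_discovery().items(), key=lambda kv: -kv[1][0]):
        print(f"{conf:.3f}  {format_chain(chain)}")
```

Running it shows two points the glossary makes in prose. First, the discovery chain explains attribution: legacy-store.example.net is reached both through a shared tracker account and through a certificate SAN on one of the seed’s IP addresses, and the higher-confidence certificate chain is the one kept. Second, the threshold is what separates Approved Inventory from noise: at a 0.5 cut-off the tracker-only host promo.example-brand.org is attributed, while raising the cut-off to 0.7 drops every tracker-only hop and leaves just the seed, its subdomains and their IP addresses; unrelated.invalid, which shares no account, is never attributed at all.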

Command and Control (C2) – Frameworks used to control the servers on which they appear over the Internet. Like any software, they have uniquely identifiable default settings and configurations, so exposed instances can be recognized from the outside. Such frameworks give security professionals tools to test their defenses, but they can also be leveraged for malicious actions.

Exposure – All potential ingress points on a given asset that can be seen from an outside-in perspective (i.e., that are Internet-facing). Exposures do not by themselves determine the overall risk to an organization, but they present opportunities that attackers can exploit and should be monitored or addressed.

External Asset – An Internet-facing entity that an organization controls to conduct business on the Internet, including IP addresses, netblocks (CIDRs), autonomous systems (ASNs), certificates, domains and subdomains, websites, and storage objects. A collection of External Assets represents an organization’s external attack surface.

Rescan On-Demand – Triggering a scan of any host within an attack surface to rescan all known services, refreshing host data with its most current configuration from an outside-in perspective. This is often used as a “trust but verify” mechanism as the final step of any exposure remediation efforts.

Risk – The potential for an exposure to negatively impact an organization if it is exploited or acted upon by an attacker. The overall severity of a risk is determined by a combination of the exposure itself and the underlying data, business context, or importance of the asset to the IT ecosystem. Risk severity may therefore differ on a case-by-case basis.

Shadow Cloud – Cloud-hosted, Internet-facing assets that live outside any environment protected by an organization’s security program. Shadow Cloud results from both managed and unmanaged cloud adoption within an organization. It most commonly occurs when parts of the organization outside of IT create cloud services, often circumventing any formal IT process.

See also: Attack Surface Management: The Problem with Cloud

Shadow IT – Internet-facing assets that are not cohesively maintained, managed, and protected by an organization. Common sources of Shadow IT are legacy infrastructure, assets newly inherited through a merger or acquisition, non-IT-managed assets created by other parts of the organization, and cloud services. Shadow IT presents easy-to-exploit attack vectors because these assets sit outside the scope of security tooling and thus have minimal protection.

More about Microsoft Defender EASM

Defender EASM Overview
