Microsoft Security Exposure Management, Why You Should Care
At the recent Microsoft Secure event a new tool was released in public preview into the company’s stable of security tools, called Exposure Management.
I’ve enjoyed access to the private preview for some months — in this article I’ll outline what it does, why you should care and raise some still unanswered questions. I’ll also look at the overall landscape of Vulnerability Management, exposure tools and the uphill battle we’re all fighting to manage an ever-expanding attack surface in our organizations.
You Think You’ve Got a Long To Do List?
I manage the IT infrastructure and cyber security of a small handful of clients in my MSP, and the challenge of Vulnerability Management (VM, not to be confused with “Virtual Machine”) is salient for me. Here’s a single client, with about 125 endpoints and a list of 134 recommendations for me to attend to:
Note the number of exposed devices, remediating all of these would take me many, many hours, and the disheartening fact is that even if I did (and the client was happy to pay), this would only last for a very short time. New vulnerabilities in applications and platforms would appear, and the cycle would start over again. To be clear, there are automation tools that can do some of this, but they don’t come with SMB friendly pricing. There’s even an expression for this, “posture fatigue,” a riff on the well-known alert fatigue cause of burnout for SOC analysts.
There are many different studies that show x number of vulnerabilities aren’t patched with 30 days, for example, or the average time for patching ranging in months, not days. This is why — it’s an overwhelming problem, whether you’re a one-man band like me or a large team servicing an enterprise. And attackers are turning revealed flaws into weaponized attacks much faster than in the past, sometimes in hours, mostly within days, and we just don’t patch fast enough.
The limitations of traditional vulnerability management are also starting to show, as it often doesn’t consider business context. The vulnerability (CVE) with the highest CVSS score is listed first, perhaps ranked based on how many endpoints have the flaw. But this doesn’t include risks in custom code, data access misconfiguration, network vulnerabilities, resource misconfiguration and over-authorized identities, nor does it involve the business impact of different applications and data stores. And many larger businesses have several tools for tracking exposure and vulnerabilities for different parts of their infrastructure, all of which have different scoring and prioritization systems, all leading to overhead.
As you might have guessed, the buzzword factory known as Gartner has a term for the solution — called Continuous Threat Exposure Management (CTEM).
The root cause of this problem is crap subpar software. The fact that small and large software vendors can sell software and services with such low quality is an indictment of our entire industry and would be completely unacceptable in most other fields. “Oh, the brakes on your new car didn’t work — tough luck.” However, this is the reality we live in today, so as blue teams, what can we do to keep our heads above water? Read on to find out.
Microsoft’s Vulnerability Management Journey
It all started with Secure Score — I first wrote a four part series on it back in 2017, nearly seven years ago. This has since cropped up in other tools (there’s Identity Secure Score, and there’s one in Defender for Cloud in Azure and so on), all with the same idea: give you a list of recommended security configurations and hardening steps to improve your overall security posture, prioritized by overall impact, with points attached to each, to encourage admins to “catch them all.”
Some years later Microsoft started investing heavily in Defender Vulnerability Management (MDVM) which now covers OS flaws, application issues, hardware and firmware vulnerabilities, security baselines, digital certificate security and expiry, browser extensions (at least if you pay for the VM add-on, on top of the M365 E5 license you’ve already sold your grandmother for). MDVM also extends to container registries in Azure, AWS and GCP, as well as running container instances.
In 2021 the company acquired Risk IQ, which led to the product now known as Defender External Attack Surface Management (EASM), which I covered here. This looks at your organization from the outside only, just as an attacker would initially. Hosts, IP addresses and web sites on the public internet are discovered, WHOIS info gathered and OWASP Top 10 vulnerabilities listed for web sites.
Defender for Cloud followed up with Cloud Security Posture Management (CSPM) capabilities, now split into a foundational core that’s free, and the paid-for CSPM plan that adds advanced features such as agentless scanning, data aware security posture (“patch this VM first because it’s database contains PII”) and more.
Source code and “shift-left” is covered by GitHub Advanced Security (GHAS) and DevOps Security, part of the CSPM plan above.
As you can appreciate, there is information spread across these different tools for you to gain an understanding of your overall exposure and lists of recommendations to remediate the flaws. But there’s no single tool to bring them all together, which is what Exposure Management is aiming to do, just like eXtended Detection and Response (XDR) has done in Defender.
Meet Security Exposure Management
The public preview is now available with no sign-up process and it has shown up in the Defender XDR portal for other clients of mine that weren’t part of the private preview.
The simplest way to explain Exposure Management is that it gathers the data and recommendations from all the tools mentioned above and brings them to a single place. Anything related to cyber security that happens before an incident (called “left of boom“), is visible here. It brings in data from:
This isn’t limited to only Microsoft’s data sources. There’s been talk of bringing in information from Qualys, Wiz, Okta, Rapid7, Tenable and Service Now’s CMDB. In the current preview the Data connectors page doesn’t have any of these yet, but you can join early previews to test them out as they’re being developed.
