Using External Attack Surface Management
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Mastering External Attack Surface Management (EASM) in Microsoft Defender for Cloud
Introduction: Why Your Outside View Matters
In the current landscape of cybersecurity, organizations often focus heavily on securing the "inside"—the internal network, identity management, and endpoint protection. However, attackers do not start from the inside. They start by scanning the internet for vulnerabilities, misconfigurations, and exposed assets that belong to your organization but that you might have forgotten or failed to secure. This is where External Attack Surface Management (EASM) becomes a critical component of your security strategy.
External Attack Surface Management is the process of identifying, monitoring, and analyzing all internet-facing assets that belong to your organization. Think of it as a continuous, automated reconnaissance mission that mirrors the perspective of a malicious actor. Instead of relying on static inventory lists—which are often outdated the moment they are created—EASM provides a real-time map of your digital footprint, including websites, IP addresses, domains, cloud storage buckets, and certificates.
Why does this matter? Because the "shadow IT" problem is pervasive. Departments often spin up cloud resources, marketing teams launch temporary websites, and developers deploy test environments without the central IT or security team's knowledge. Each of these assets represents a potential entry point for a data breach. By integrating EASM into Microsoft Defender for Cloud, you gain the ability to visualize your total exposure and remediate risks before they are exploited. This lesson will guide you through the conceptual framework, the technical implementation, and the best practices for maintaining a clean external profile.
The Core Concepts of EASM
Before diving into the configuration, it is essential to understand the lifecycle of an EASM program. EASM is not a one-time scan; it is a cycle of discovery, classification, and monitoring.
1. Discovery
Discovery is the process of finding assets associated with your organization. EASM tools use seed information—such as company names, domain names, and IP ranges—to crawl the internet and identify related assets. This process often uncovers "orphan" assets, such as legacy web servers or neglected staging environments that still hold sensitive data.
2. Classification
Once assets are discovered, they must be classified. Is this a production web server? Is it a test instance? Does it store PII (Personally Identifiable Information)? Classification allows you to prioritize which assets require immediate attention. A vulnerability on a public-facing e-commerce site is significantly more critical than a vulnerability on a static marketing landing page.
3. Monitoring and Analysis
The internet is dynamic. Servers are updated, configurations change, and new vulnerabilities are discovered daily. EASM provides continuous monitoring to detect when an asset's state changes. For example, if a developer accidentally changes a firewall rule on a cloud bucket, making it public, EASM should flag this change immediately.
Callout: EASM vs. Vulnerability Management It is common to confuse EASM with traditional vulnerability management. Vulnerability management usually focuses on known assets that are already under your management's purview. EASM, conversely, is designed to find the assets you don't know about. Think of vulnerability management as checking the locks on the doors you know you have, while EASM is about discovering doors you didn't even know were built into your house.
Setting Up External Attack Surface Management in Defender for Cloud
Microsoft Defender External Attack Surface Management (Defender EASM) is integrated directly into the Azure ecosystem. To begin using it, you need to configure your discovery resources.
Step-by-Step Configuration
Create an EASM Resource: Navigate to the Azure Portal and search for "Microsoft Defender EASM." Click "Create" to provision a new EASM resource. You will need to select an Azure subscription and a resource group.
Define Discovery Seeds: During the setup, the system will ask for "seeds." These are the starting points for the discovery engine. You should provide your primary domain names (e.g.,
contoso.com), associated IP ranges, and any known subsidiaries. The engine uses these to branch out and find related infrastructure.Configure Discovery Frequency: You can choose between different discovery profiles. For most organizations, a daily or weekly discovery cycle is sufficient. However, if your organization is highly dynamic, more frequent scans ensure that new assets are caught quickly.
Reviewing the Dashboard: Once the discovery process completes, the EASM dashboard will populate. You will see a breakdown of your assets categorized by type: domains, pages, hosts, and IP blocks.
Tip: Start with a Narrow Scope When setting up your initial discovery seeds, start with your most prominent domains. If you provide too many broad IP ranges, the discovery engine might return thousands of "noise" assets that are not actually relevant to your business, making it difficult to prioritize your work.
Understanding Asset Types and Their Risks
To manage your attack surface effectively, you must understand the different types of assets that EASM tracks and the risks associated with them.
Web Applications
Web applications are the most frequent targets for attackers. EASM helps you identify:
- Outdated Software: Servers running old versions of Apache, Nginx, or IIS that have known vulnerabilities.
- Misconfigured Headers: Lack of security headers (like Content Security Policy or Strict-Transport-Security) that make the site vulnerable to cross-site scripting (XSS) or man-in-the-middle attacks.
- SSL/TLS Issues: Expired certificates or the use of weak encryption protocols (e.g., TLS 1.0 or 1.1).
IP Addresses and Network Infrastructure
EASM maps your internet-facing IP addresses and identifies open ports. A common mistake is leaving management ports (like SSH or RDP) exposed to the entire internet. EASM will flag these as "Critical" risks.
Domains and Subdomains
Attackers often look for "subdomain takeovers." This happens when a company points a subdomain (like marketing.contoso.com) to a third-party service (like a cloud storage provider or a marketing platform) that has been decommissioned. If the attacker registers that service, they can effectively hijack your subdomain to host malicious content.
| Asset Type | Primary Risk | Mitigation Strategy |
|---|---|---|
| Web Server | Software Vulnerabilities | Patch management and WAF deployment |
| Cloud Storage | Public Exposure | Identity and Access Management (IAM) audits |
| Subdomains | Domain Takeover | Cleanup of DNS records for unused services |
| SSL Certificates | Expiration/Weak Keys | Automated certificate renewal and rotation |
Practical Implementation: Using Defender for Cloud Queries
Defender for Cloud allows you to use Kusto Query Language (KQL) to hunt through your EASM data. This is powerful because it allows you to create custom alerts and dashboards based on your specific security posture requirements.
Example 1: Finding Exposed Management Ports
If you want to identify all assets that have RDP (port 3389) or SSH (port 22) exposed to the internet, you can use a query like this:
// Query to find exposed management ports
DefenderEASMAssets
| where PortNumber in (22, 3389)
| where IsOpen == true
| project AssetName, PortNumber, LastSeen, RiskScore
| sort by RiskScore desc
Explanation:
DefenderEASMAssets: This is the primary table containing your inventory.where PortNumber in (22, 3389): This filters the results to show only SSH and RDP.where IsOpen == true: This ensures we are only looking at ports that are currently reachable from the internet.project: This selects only the relevant columns for your report.
Example 2: Monitoring for Expiring Certificates
Keeping track of SSL certificates is a manual nightmare. You can automate the detection of certificates nearing expiration:
// Find certificates expiring within 30 days
DefenderEASMCertificates
| where ExpirationDate < ago(-30d)
| project Subject, ExpirationDate, Issuer
| sort by ExpirationDate asc
Explanation:
DefenderEASMCertificates: This table tracks the cryptographic assets discovered by EASM.where ExpirationDate < ago(-30d): This uses a time calculation to find certificates where the expiration date is less than 30 days into the future.
Warning: False Positives Automated tools will occasionally flag an asset as "risky" when it is actually a legitimate business configuration. Always verify the findings before taking automated remediation actions, such as shutting down a server. Use the EASM dashboard to mark assets as "Known Good" if they are verified.
Best Practices for EASM Integration
Integrating EASM into your existing security operations center (SOC) workflow is essential for success. Here are the industry-standard practices:
1. Integrate with Sentinel
Defender for Cloud feeds directly into Microsoft Sentinel. You should configure automation rules in Sentinel so that when EASM detects a high-risk asset (like a publicly exposed database), it automatically creates an incident for your security analysts. This ensures that the findings are not just sitting in a dashboard but are being actively addressed.
2. Establish a Remediation Workflow
Identify who is responsible for each asset type. If EASM finds a vulnerability on a marketing website, the marketing IT team should be notified. If it finds a misconfigured cloud storage bucket, the infrastructure team should be the point of contact. Use tagging in Azure to assign ownership to resources so that when a risk is identified, you know exactly who to contact.
3. Conduct Regular Reviews
Even with automation, you should conduct a quarterly review of your attack surface. Use the EASM report to identify trends—are you seeing an increase in exposed services? Are there departments that consistently deploy insecure assets? Use this data to drive better security training and policy enforcement.
4. Prioritize by Business Value
Not every vulnerability is equal. A critical vulnerability on a system that contains no sensitive data and has no connection to your internal network is a lower priority than a medium-severity vulnerability on your primary authentication server. Use the "Risk Score" provided by Defender EASM to weigh your response efforts.
Common Pitfalls and How to Avoid Them
Pitfall 1: "The Set and Forget" Mentality
Many organizations set up EASM and never look at it again. This is dangerous because the internet changes daily.
- Solution: Create a recurring task in your calendar to review the EASM dashboard every Monday morning. Treat it as a critical security check, similar to reviewing your SIEM alerts.
Pitfall 2: Ignoring the "Noise"
Large organizations will have thousands of assets, many of which are benign. Trying to "fix" everything at once leads to alert fatigue.
- Solution: Focus on the "low-hanging fruit" first. Start by remediating high-risk vulnerabilities on critical assets. Once those are handled, move to the next tier of risk.
Pitfall 3: Failing to Coordinate with DevOps
Developers often deploy infrastructure using Infrastructure-as-Code (IaC) templates. If these templates are flawed, they will create insecure assets repeatedly.
- Solution: Integrate your EASM findings into your DevSecOps pipeline. If EASM detects a pattern of insecure configurations, share that data with your developers so they can update their IaC templates.
Callout: The Power of Context Context is king in security. An exposed port on a server in your staging environment is a risk, but it is an expected risk. An exposed port on your production database is an incident. Always evaluate EASM data against your known environment architecture to understand the true impact.
Advanced Strategies: Proactive Defense
Once you have mastered the basics of discovery and remediation, you can move toward more advanced, proactive defense strategies.
Asset Inventory Enrichment
You can enrich your EASM data by importing your CMDB (Configuration Management Database) or asset management software data. By cross-referencing your "known" assets with the "discovered" assets from EASM, you can easily identify "Shadow IT." Any asset found by EASM that does not exist in your CMDB is, by definition, an unauthorized or undocumented asset that requires investigation.
Threat Intelligence Correlation
Defender EASM integrates with Microsoft's global threat intelligence. This means that if a particular IP range or domain is identified as being part of a known botnet or command-and-control (C2) infrastructure, Defender for Cloud will alert you. This allows you to block malicious traffic before it ever hits your internal perimeter.
Custom Alerting Rules
In addition to the standard alerts, you should create custom alerts for specific business risks. For example, if your organization has a policy that no assets should be hosted in certain geographic regions due to compliance requirements, you can create a KQL query to alert you whenever EASM discovers an asset in those restricted locations.
// Alert if an asset is discovered in a restricted region
DefenderEASMAssets
| where GeoLocation == "Restricted_Region_Name"
| project AssetName, GeoLocation, DiscoveryDate
Integrating EASM into the Wider Defender for Cloud Ecosystem
Defender for Cloud is a platform, and EASM is one of its most potent sensors. To get the most out of it, you must view it as part of a continuous feedback loop:
- Input: EASM discovers an exposed web server.
- Analysis: Defender for Cloud evaluates the configuration and finds that the server is missing a security update.
- Action: Defender for Cloud triggers an automated workflow to notify the server owner and suggest a patch.
- Verification: Once the patch is applied, EASM scans the server again, confirms the vulnerability is gone, and closes the alert.
This loop minimizes the time between discovery and remediation, which is the ultimate goal of any security program.
Summary: Key Takeaways
- EASM is Continuous: It is not a project with a start and end date; it is a permanent security discipline. You must maintain a constant watch over your digital footprint.
- Visibility is the First Step: You cannot secure what you do not know exists. EASM is your primary tool for eliminating the "Shadow IT" that often serves as the entry point for attackers.
- Prioritize by Risk: Not all assets are created equal. Focus your efforts on the assets that hold the highest business value or contain the most sensitive data.
- Automate the Workflow: Use integrations with tools like Microsoft Sentinel to ensure that the findings from EASM move quickly into the hands of the people who can fix them.
- Collaborate Across Teams: EASM findings are not just for the security team. They are vital for developers, IT operations, and even compliance officers. Share the data to foster a culture of security.
- Verify Before Acting: While automation is powerful, human context is necessary to distinguish between a legitimate business configuration and a genuine threat.
- Use Data to Drive Change: Use the trends you observe in EASM to influence your internal security policies and training programs, preventing risks from being created in the first place.
By following these practices and leveraging the power of Microsoft Defender for Cloud and EASM, you can move from a reactive security posture to a proactive one, significantly reducing the likelihood of a successful external attack.
Frequently Asked Questions (FAQ)
Q: Does EASM perform intrusive penetration testing? A: No. EASM is designed to be a non-intrusive discovery and analysis tool. It observes and analyzes assets from the outside without attempting to exploit vulnerabilities or disrupt service.
Q: How long does it take for EASM to show results? A: Initial discovery can take anywhere from a few hours to a few days, depending on the complexity and scope of your organization's digital footprint. Once the initial discovery is complete, subsequent updates are much faster.
Q: Can I use EASM to monitor my competitors? A: While EASM is technically capable of scanning any public domain, it is licensed and designed for monitoring your own organizational assets. Using it to scan third-party organizations without authorization may violate terms of service or legal regulations.
Q: How does EASM handle dynamic IP addresses? A: EASM tracks assets based on various identifiers, including hostnames and domains, which are often more stable than IP addresses. It uses advanced algorithms to map these identifiers to the underlying infrastructure, even when IP addresses change.
Q: What is the difference between EASM and CSPM (Cloud Security Posture Management)? A: CSPM focuses on the configuration of your cloud resources from the inside (e.g., checking if an Azure Storage account is configured correctly via the API). EASM focuses on the assets from the outside (e.g., checking if that same storage account is reachable via the public internet). Both are essential for a complete security program.
Final Note on Best Practices
Always remember that technology is only as good as the process surrounding it. EASM will provide you with a wealth of information, but the value is realized only when that information is acted upon. Assign clear ownership for remediation, maintain a culture of transparency, and ensure that your security operations team is properly trained to interpret and respond to the insights provided by your external attack surface discovery.
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons