Introduction and history
Microsoft unveiled its Security Exposure Management on March 13, 2024. The solution was developed in response to increasing concerns about various types of exposures, such as software vulnerabilities, misconfigured controls, excessive access privileges, and emerging threats that could lead to the exposure of sensitive data.
The conventional method of vulnerability management was proving inadequate due to its narrow scope. In the past, organizations concentrated on protecting what they were aware of – they searched for Common Vulnerabilities and Exposures (CVEs) across their endpoints, servers, and infrastructure. Although this was a step in the right direction, it didn’t provide a comprehensive view of the digital estate, lacked context, and treated all resources as if they were of equal importance.
Given that an average organization uses around 80 different security tools, it was highly probable that numerous tools related to security posture were in use, each overseeing a limited area of the environment. The data and insights from these tools related to security posture were often isolated or, at best, loosely connected, making it challenging to make sense of threats and their potential impact on critical assets.
As a result, Microsoft spearheaded the next phase of attack surface management, enabling organizations to proactively enhance their posture and minimize their exposure more quickly than attackers could exploit them. This revolutionary solution brings together disparate data silos, providing security teams with complete visibility across all assets. By facilitating a comprehensive evaluation of security posture and exposure, this solution enables teams to not only understand their current security landscape but also to improve it significantly.
Can only say I love <3 Security Exposure Management
Use cases and features of Microsoft Security Exposure Management
- Comprehensive Security Posture View: It consolidates various data sources, offering security teams a complete visibility of their organization’s security posture. This allows them to comprehend and enhance their security posture and manage exposure across devices, identities, applications, data, and multicloud infrastructure.
- Ongoing Threat Exposure Management (CTEM): It enables organizations to establish a robust exposure management program with a continuous threat exposure management process.
- Risk Mitigation: It aids in reducing risk by providing a transparent view of every asset and real-time evaluation of potential exposures from both internal and external sources.
- Identification and Protection of Crucial Assets: It allows organizations to detect and categorize critical assets, ensuring they are safeguarded against a broad range of threats.
- Discovery of Adversary Intrusion Paths: It enables organizations to uncover and visualize potential adversary intrusion paths, including lateral movement, to proactively identify and halt attacker activity.
- Exposure Risk Communication: It assists in conveying exposure risk to business leaders and stakeholders with clear KPIs and actionable insights.
- Integration with External Data Sources and Tools: It improves exposure analysis and remediation by integrating with third-party data sources and tools.
- Management of Attack Surface: It offers a comprehensive view of the entire attack surface, enabling the exploration of assets and their relationships.
Integrations
Microsoft Security Exposure Management integrates data across various technologies to provide a comprehensive view of an organization’s security posture.
Here are some of the technologies Security Exposure Management integrates with:
- Vulnerability Management (VRM): Microsoft Defender Vulnerability Management (MDVM), Qualys Vulnerability Management (Preview), Rapid7 Vulnerability Management (Preview).
- External Attack Surface Management (EASM): Microsoft Defender External Attack Surface Management
- Cloud Security (CSPM): Microsoft Defender Cloud Security Posture Management (CSPM)
- Endpoint Security (Device Security Posture): Microsoft Defender for Endpoint (MDE)
- Identity Security (ISPM): Microsoft Defender for Identity (MDI), Microsoft Entra ID (Free, P1, P2).
- SaaS Security Posture (SSPM): Microsoft Defender for Cloud Apps (MDA) including connectors to SaaS applications
- Email Security: Microsoft Defender for Office (MDO)
- OT/IOT Security: Microsoft Defender for IOT
These integrations help in enriching the security context, managing attack surfaces, protecting critical assets, and exploring and mitigating exposure risk.
Permissions for Security Exposure Management tasks
For full access, users need one of the following Microsoft Entra ID roles to manage Security Exposure Management:
- Global Admin (read and write permissions)
- Global Reader (read permissions)
- Security Admin (read and write permissions)
- Security Operator (read and limited write permissions)
- Security Reader (read permissions)
Permission levels are summarized in the table:
| Action | Global Admin | Global Reader | Security Admin | Security Operator | Security Reader |
|---|---|---|---|---|---|
| Grant permissions to others | ✔ | – | – | – | – |
| Onboard your organization to the Microsoft Defender External Attack Surface Management (EASM) initiative | ✔ | ✔ | ✔ | ✔ | ✔ |
| Mark initiative as a favorite | ✔ | ✔ | ✔ | ✔ | ✔ |
| Set initiative target score | ✔ | – | – | – | – |
| View general initiatives | ✔ | ✔ | ✔ | ✔ | ✔ |
| Share metric/Recommendations | ✔ | ✔ | ✔ | ✔ | ✔ |
| Edit metric weight | ✔ | – | – | – | – |
| Export metric (PDF) | ✔ | ✔ | ✔ | ✔ | ✔ |
| View metrics | ✔ | ✔ | ✔ | ✔ | ✔ |
| Export assets (metric/recommendation) | ✔ | ✔ | ✔ | ✔ | ✔ |
| Manage recommendations | ✔ | – | ✔ | – | – |
| View recommendations | ✔ | ✔ | ✔ | ✔ | ✔ |
| Export events | ✔ | ✔ | ✔ | ✔ | ✔ |
| Change criticality level | ✔ | ✔ | ✔ | ✔ | ✔ |
Start with the overview
The Security Exposure Management > Overview dashboard allows you to assess the comprehensive status of your organization’s security exposure.
Consider the dashboard as an initial reference for a quick overview of your organization’s security stance and exposure, and delve into specifics as required.
Mapping and identifying critical assets
The next step you should focus on is pinpointing critical assets. With Microsoft Security Exposure Management, you have the ability to designate and oversee resources as critical assets.
- Identifying critical assets helps ensure that the most important assets in your organization are protected against risk of data breaches and operational disruptions.
- Critical asset identification contributes to availability and business continuity.
- You can prioritize security investigations, posture recommendations, and remediation steps to focus on critical assets first.
Microsoft Defender XDR has a option to review all the assets that have been discovered automatically, go to: Microsoft Defender portal, select Settings > Microsoft XDR > Rules > Critical asset management.
On the Critical asset management page, review predefined and custom critical asset classifications, including the number of assets in the classification, whether assets are on or off, and criticality levels.
Using the Attack Paths
Microsoft Security Exposure Management’s attack paths assist you in actively pinpointing and illustrating potential avenues that attackers could leverage by exploiting vulnerabilities, gaps, and misconfigurations. The simulation of attack paths empowers you to proactively explore and mitigate potential risks.
To access attack paths, select Attack surface > Attack path.
Open one of the entry points, to get an overview (graph) map of a possible attack path:
After clicking view in map you see all the related users/machines/groups/other infrastructure, also with their connections/authentications (paths) involved:
Manage Exposure Insights
Exposure insights offer a detailed perspective on the status of your asset inventory’s security posture.
Chief Information Security Officers (CISOs), decision-makers, risk owners, and security teams can leverage these security insights and context to manage exposure risk throughout the organization and prioritize security endeavors and investments.
Exposure insights encompass security events, recommendations, metrics, and initiatives. These elements interconnect to provide a detailed context around the state of security posture.
The insights empower you to:
- Decompose the organizational security posture into prioritized initiatives.
- Gauge and monitor the exposure of crucial security elements within these initiatives.
- Prioritize security focus areas based on initiatives and metrics.
- Implement actionable remediation steps to enhance security posture and minimize risk.
- Monitor enhancements in security initiatives to track the reduction of security risk.
Review security initiatives
Security initiatives streamline the management of security posture and assist in evaluating readiness and maturity in distinct areas of security risk.
Predefined initiatives are provided by Security Exposure Management. Each of these predefined initiatives encompasses one or more security metrics pertinent to that initiative.
Initiatives can be associated with specific workload domains, assessing a particular area such as endpoint, identity, and cloud security. They might aid in threat analysis by addressing a specific threat across various categories, such as ransomware protection or critical asset protection. Initiatives can also concentrate on specific compliance standards.
You have the option to prioritize which initiatives to display on the Overview dashboard. The score of the initiative mirrors the exposure status of the initiative. You can delve into initiatives to view their related metrics and identify where gaps or risks lie. The score and recommendations of the initiative are derived from the metrics within the initiative.
From the Exposure management section on the navigation bar, select Exposure insights -> Initiatives to open the initiatives page.
Review security metrics
Metrics group together recommendations for similar assets, and measure security exposure around those assets, from very high exposure to no exposure identified.
For example:
- Percent of macOS endpoints missing an endpoint security solution agent
- Percent of cloud resources with critical vulnerabilities
Each metric shows:
- The percentage of assets affected, the relative importance of the metric, and the effect that the metric has on an initiative.
- It also shows the weight, or importance, of the metric and its effect on the initiative score as a number. One is the lowest and 10 the highest.
- Metric weight can be customized to have greater or lesser effect, based on your organizational business priorities.
- Editing metric weight value affects the metric and all related initiatives.
In the Microsoft Defender portal, select Exposure management > Exposure insights > Metrics to open the Metrics page.
Security Recommendations
Assets and workloads are assessed against security measurements and standards, and security recommendations are issued based on those assessments.
Recommendations provide practical steps to help you improve and remediate security posture and detected issues.
In Security Exposure Management, the recommendations catalog serves as a centralized repository for security recommendations.
In the Microsoft Defender portal, select Exposure management > Exposure insights > Recommendations to open the Recommendations page.
From here you can open each recommendation, to see the remediation steps, the exposed entities and all the related metrics/initiatives as guidance to strengthen your posture.
Security events
Security events consolidate information about posture management changes that are detected. In response to changes, you can adjust accordingly to maintain a robust security posture.
Events measure the score drop or worsening in the metric status.
- Metric score drop events notify customers when there’s a new exposure measured by the security metrics. They’re evaluated based on the effect on the score and its weight. If there’s a decrease of at least 2% since yesterday, meaning exposure grew by 2%, the change is considered a score drop event.
- Initiative score drop events notify customers when security initiatives decrease. We assess Initiative score drop events based on how it affects the score. If there’s a decrease of at least 2% since yesterday, the change is classified as a score drop event. Security events present and track, both initiative and metric score drop incidents to determine how they affect the organization’s security posture.
- In the Microsoft Defender portal, select Exposure management -> Exposure insights -> Events to open the Events page.
- Select the time range you need in the calendar drop-down.
- To filter by initiative score drop events or metric score drop events, select filter or the score drop event quantity.
- Select a specific event to open it in Initiatives or Metrics.
Last but not least…. Secure Score
As you might have noticed the Secure Score section for Microsoft 365 has been relocated from the Home section to Exposure Management. Security Exposure Management uses Secure score as one of its sources for initiative scores.
- Secure score has “recommended actions” for a number of products.
- Selecting a recommendation to review allows you to remediate the problem in the specific product, including recommendations that derived from secure score.
- For recommendations where secure score is relevant, if secure score isn’t active, that recommendation doesn’t display.
Great it has been placed there, as it is a more logical place within Security Exposure Management 🙂
