Enterprise Attack Surface Management (EASM) - Summary

English EASM Security Azure Beginner
Author: rOger Eisenecher
> 12 years leading and building a SOC for an MSSP • > 20 years working in security • > 40 years working with IT • 100% tech nerd.
EASM - This article is part of a series.
Part 3: This Article

Microsoft provides an Enterprise Attack Surface Management (EASM) tool. In this blog series I want to explore the tool and its possibilities. This is part 3 of the series and covers my conclusions.

Introduction

In part 1 of this blog series we saw how to activate the Microsoft Enterprise Attack Surface Management (EASM) tool, and part 2 showed how to tune the environment according to your needs. Now it is time for my conclusion regarding EASM.

Pro

I want to start with the pros of this product. Here is my list (in no specific order):

  • Asset Discovery: In my opinion the asset discovery is the huge benefit of this product. You specify just the things you know, and based on that the system collects additional information and assets which could belong to your environment. This helps you to understand your complete perimeter and is also able to detect dependent systems which you didn't have on your list.
  • 30-day Trial: To get a feeling for how well the tool is suited to your needs you can try it for 30 days for free. This is enough time to get an insight into your perimeter and to decide if you want to proceed with this tool.
  • Pricing: For me the price of $0.011/day per domain, host or IP address is reasonable.

Cons

Here are my cons (in no specific order):

  • Tuning: You have to invest effort into tuning the platform. This is normal after the initial scan, but later on you also have to keep checking that newly discovered assets are relevant for your environment.
  • Data Quality: Data quality can be improved, especially in the area of SSL certificates. I'm using Let's Encrypt certificates. There it is totally normal that those certificates get renewed at the latest every 3 months. The Microsoft EASM solution complains about those certificates because they are expired, but does not detect that a renewed one is already in place. Really annoying! Furthermore, if EASM thinks it found an asset belonging to your environment, it does not explain why it thinks the asset belongs to you. From this point of view it is difficult to decide whether it is relevant or not.

EASM Expired Certificate
EASM Expired Certificate - this is an expired Let's Encrypt certificate, and a newly enrolled certificate is in place (checked manually). Unfortunately EASM does not detect this circumstance.

  • No Workflow Support: When you check the findings EASM presents to you, you have no possibility to address the issue, e.g. by accepting the risk or classifying it as not relevant (besides the asset state covered in part 2).
  • Vulnerability Scan: Sure, it is not a vulnerability scanner. This is important to understand. Primarily it is meant for getting insights into your perimeter and dependent systems. The discovered assets could be an input for your vulnerability scanner.
  • Missing Integration: Currently EASM is a standalone solution; there is no integration into your Defender XDR. This means that your security analysts have to use a dedicated console to get insights into EASM. Of course you also have to deal with the dedicated permission management (Defender Security Roles vs. Azure Roles).
  • No Notifications: With EASM itself it is not possible to get notified when a new asset is found. When EASM is connected to Log Analytics or Azure Data Explorer you can of course set up notifications there.
  • Slow: While browsing through the EASM site you often have to wait for data - the cloud is not always as fast as you expect…
  • Billable Assets: The billable assets do not correspond to the documentation nor to the assets you have in the inventory, so it is not clear what you get billed for. The Billable assets dashboard (first screenshot below) lists Host: IP Pairs, Domains and IP Addresses. The latter two are documented, but the term Host: IP Pairs is new and does not correspond to the documentation, which states that hosts will be charged - probably it is the same?!? (see second screenshot below)

EASM Billable Assets
EASM Billable Assets - only 2 seem to be billable according to the latest report data.

EASM Approved Assets
EASM Approved Assets - this is the query from part 2 which reports 4 billable assets.
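To triage the expired-certificate findings described in the Data Quality point above (Let's Encrypt renewals that EASM still reports as expired), here is an added Python check that is not part of this post or of Microsoft EASM: it compares the notAfter date EASM recorded with the certificate the host serves right now. The hostnames, dates and the `fetch` fake in `demo_offline` are constructed sample data; `fetch_live_not_after` performs a real TLS connection.

```python
"""Triage EASM 'expired certificate' findings against the certificate a host actually serves."""
import socket
import ssl
from datetime import datetime, timedelta, timezone


def fetch_live_not_after(host: str, port: int = 443, timeout: float = 5.0) -> datetime:
    """Connect to host:port and return the notAfter of the certificate served right now."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    # getpeercert() returns 'notAfter' as text like 'Jun  1 12:00:00 2025 GMT'
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)


def triage(easm_not_after: datetime, live_not_after: datetime, now: datetime) -> dict:
    """Classify one finding:
    stale_finding - EASM's certificate is expired but the host already serves a newer,
                    valid one (the Let's Encrypt renewal case) -> close the finding.
    expired       - the host really serves an expired certificate -> fix the host.
    not_expired   - the certificate EASM recorded is still valid -> no finding at all.
    """
    if easm_not_after > now:
        status = "not_expired"
    elif live_not_after > now and live_not_after > easm_not_after:
        status = "stale_finding"
    else:
        status = "expired"
    return {
        "status": status,
        "renewed_since_easm_scan": live_not_after > easm_not_after,
        "days_left_on_live_cert": (live_not_after - now).days,
    }


def triage_findings(findings, now=None, fetch=fetch_live_not_after):
    """findings: iterable of (host, easm_not_after). fetch is injectable for offline use."""
    now = now or datetime.now(timezone.utc)
    return {host: triage(easm_na, fetch(host), now) for host, easm_na in findings}


# Constructed sample (not real EASM data): host -> (notAfter EASM recorded, notAfter served now)
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_FINDINGS = {
    "renewed.example": (SAMPLE_NOW - timedelta(days=10), SAMPLE_NOW + timedelta(days=70)),
    "broken.example": (SAMPLE_NOW - timedelta(days=10), SAMPLE_NOW - timedelta(days=10)),
    "fine.example": (SAMPLE_NOW + timedelta(days=5), SAMPLE_NOW + timedelta(days=5)),
}


def demo_offline() -> dict:
    """Run the triage over the constructed sample with the network fetch faked out."""
    return triage_findings([(h, v[0]) for h, v in SAMPLE_FINDINGS.items()],
                           now=SAMPLE_NOW, fetch=lambda h: SAMPLE_FINDINGS[h][1])
```

Replace the `fetch` argument with the default `fetch_live_not_after` and feed in the hosts from your EASM certificate findings to check them against the live perimeter.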

My Conclusion

It is interesting what this EASM tool discovers regarding your external attack surface. But it is far from perfect. It lacks many of the expected features (e.g. notifications, workflow support, integration into the Defender ecosystem).

On the other hand, it can reveal connections that you may not have thought of before. In the end you have to answer the question yourself: Is it worth paying $0.011/day per asset to know which potentially connected assets belong to you?

I will continue to use EASM, just to see how it develops over time and whether I can get additional insights besides what I already knew about my environment. Stay tuned for an update.
