Microsoft Security Exposure Management (XSPM) is a new product in the Defender XDR suite. This blog explains what it is and how it differs from Defender Vulnerability Management in MDE/Defender XDR and from the global Secure Score, because the three are still often confused. XSPM is not a new data source; it builds on the datasets the existing products already collect.
First of all: what is the difference, and why a new product?
Defender Vulnerability Management focuses mostly on endpoint recommendations and CVE-level vulnerabilities. The downside is that it only looks at the endpoint, while a lot of context lives outside the endpoint (identity, data, the public internet and much more). Combining that context is what reveals the more advanced attack paths and gives defenders the insights they need.
Secure Score is an industry baseline and benchmark to measure an organization's security posture, whereas XSPM gives a unified view of the attack surface and is aimed at reducing exposure to risk.
Microsoft Security Exposure Management (XSPM) is an evolution from vulnerability and endpoint issues to the full exposure of the organization, which gives researchers and defenders more value and more data.
In Microsoft's own words, Microsoft Security Exposure Management empowers customers to:
- Build an effective exposure management program with a continuous threat exposure management (CTEM) process.
- Reduce risk with a clear view of every asset and real-time assessment of potential exposures both inside-out and outside-in.
- Identify and classify critical assets, ensuring they are protected against a wide variety of threats.
- Discover and visualize potential adversary intrusion paths, including lateral movement, to proactively identify and stop attacker activity.
- Communicate exposure risk to business leaders and stakeholders with clear KPIs and actionable insights.
- Enhance exposure analysis and remediation by integrating with third-party data sources and tools.
How does Microsoft Security Exposure Management work?
Microsoft is not replacing Defender Vulnerability Management or Secure Score in MDE; XSPM is a new product that relies on multiple sources. It reads and connects the data collected from endpoint, identity, data and other workloads. The power of vulnerability management is still used inside Exposure Management; see it as one of the data inputs. Security Exposure Management combines and connects all the dots to get a full picture of the attack posture across all products, linking the technologies that are part of the Microsoft ecosystem.
Microsoft Security Exposure Management is designed to help businesses identify their most critical assets (crown jewels) and their exposure to potential cyber threats, including recommendations to mitigate and lower the cybersecurity risks of the specific asset.
On the input side there are data sources: Microsoft tooling, but also third-party tooling such as Wiz, CrowdStrike, Okta, Duo, ServiceNow and more. The goal is to enrich the data with third-party sources. All sources feed the connected graph, which correlates the data and maps the relations between the inputs, so that relations and attack paths exist for all insights. The more connectors are connected, the more data is visible in the total view of the Exposure Management data:
Currently, Security Exposure Management consolidates security posture information and insights from workloads that include:
- Microsoft Defender for Endpoint
- Microsoft Defender for Identity
- Microsoft Defender for Cloud Apps
- Microsoft Defender for Office
- Microsoft Defender for IoT
- Microsoft Secure Score
- Microsoft Defender Vulnerability Management
- Microsoft Defender for Cloud
- Microsoft Entra ID
- Microsoft Defender External Attack Surface Management (EASM)
Third-party connectors are available; see the available connectors for third-party data sources in the portal. More connectors will follow, including ServiceNow and other CMDB providers, to bring CMDB information into the graph, including the CMDB data scoped on the crown-jewel assets. For most customers the CMDB maintains all the information related to critical assets. Other examples are Rapid7 and other third-party vulnerability management tooling.
At the time of writing, integrating non-Microsoft solutions into XSPM requires enabling previews or joining early previews via the portal. All available connectors are visible via Exposure management -> Connectors:
Prerequisites
Microsoft Security Exposure Management visibility is enabled out of the box as part of the Defender XDR portal; all it needs is data from the connected solutions. For example, to get cloud data you need to deploy Defender for Cloud across all subscriptions, since Defender for Cloud is the source that feeds the cloud data into the exposure graph.
Detailed information about prerequisites is found here.
When using device groups in Defender, it is important to check the device group structure, because the device groups a user can access also scope what that user sees in Exposure Management. Microsoft shares the following about access in relation to device groups:
For full Microsoft Security Exposure Management access, user roles need access to all Defender for Endpoint device groups. Users with restricted access to some of the organization’s device groups can:
- Access global exposure insights data.
- View affected assets under metrics, recommendations, events, and initiatives history only within their scope.
- View devices in attack paths that are within their scope.
- Access the Security Exposure Management attack surface map and advanced hunting schemas (ExposureGraphNodes and ExposureGraphEdges) for the device groups they have access to.
Data freshness and retention
A common question from customers is: what is the data interval and freshness of the XSPM graph? Data from first-party Microsoft products is ingested within 72 hours from the source product. Microsoft product data is retained for no less than 14 days in the enterprise exposure graph and/or Microsoft Security Exposure Management. In practice this means a change made today is not guaranteed to show up in the graph or in attack paths until a few days later.
More information: Data freshness, retention, and related functionality
Microsoft Security Exposure Management portal
The Microsoft Defender portal has a main overview of exposure management, including all the information and a general overview of the data. The overview is visible to all customers with a correct license:
From the main exposure management overview a lot of data is visible, including the total count of assets in scope, key initiatives, top metrics and the critical asset summary. Initiatives are focused on specific areas like ransomware protection, endpoint security and business email compromise.
- Key initiatives: risk score per initiative, for example ransomware protection
- Top metrics: security configuration risk scores
- Recent security events: overview of configuration changes in the past days
- Critical asset summary: an overview of critical assets (crown jewels) in the environment, broken down into critical devices, highly-exposed critical devices and internet-facing critical devices
- Attack surface map: graphical presentation of the environment, including all assets in a visual map with the attack path view
Tip: check the critical asset summary often; it includes interesting data. Most important are the high-risk/highly-exposed critical devices and the internet-facing critical devices. Make this part of the daily or weekly check so the critical assets are reviewed frequently:
Key Components
Attack surface map
The attack surface map is a visual view of the environment. You can search assets and view the relations between them:
For example, showing the relations of the domain controller DC01:
Attack paths
Attack paths are a graphical view of potential paths that an attacker could abuse, for example privilege escalation and lateral movement techniques leading to the most important critical assets.
More information: Overview of attack paths | Microsoft
Must-read blog from Microsoft/Dean Rubinstein: Attack path management with Microsoft Security Exposure Management
Exposure insights
The Exposure insights section consists of risk-scored initiatives, mostly focused on cybersecurity threats. Each initiative includes one or more metrics, and each metric includes recommendations to mitigate the potential risk. Example:
The initiative is Ransomware Protection:
Ransomware protection includes 93 associated security recommendations (at the time of writing), grouped into metrics. Examples of metrics:
- Virtual machine without backup enabled
- Optional missing best practices to protect against ransomware
- Endpoints with agent communication issues
- Essential missing best practices to protect against ransomware
Each metric includes one or more recommendations. Example for Optional missing best practices to protect against ransomware:
So in short, you can see a metric as a configuration item scored by completeness; each metric can include multiple recommendations, as seen in the screenshot above. The initiative Ransomware Protection includes the following metrics:
The current value shows the current state (completed vs. not completed) and the affected assets that are not compliant with the metric.
The Events section provides a trendline for each initiative or metric score, similar to the TVM timeline in MDE:
Critical assets
Microsoft classifies assets based on their level of criticality; this is critical asset management. Microsoft uses automation to flag assets as critical based on pre-defined classifications and the available information.
The goal of critical assets is to draw attention to the assets that matter most, based on all the data, so their exposure gets fixed first. A critical asset is not a compromised asset; it is an asset whose exposure is critical and needs attention.
Microsoft automatically maps assets like domain controllers, SQL servers and Exchange servers, and identities holding roles like Global Reader and Global Administrator. It is also possible to define your own criticality for types of assets: with custom asset rules you create your own classifications based on conditions (subnet, device name, role, etc.).
Critical asset management can be found via Settings -> Microsoft Defender XDR -> Critical asset management:
Microsoft Security Exposure Management looks at the critical assets and uses the data from the graph to build different views and to give those assets more weight and priority.
Custom rules can be created via the “Create a new classification” button.
Each custom classification is based on conditions available in the dataset, for example asset value, device name, role, subtype, device type, exposure level, internet-facing, logged-on user AAD roles and many more. The goal of custom classifications is to enrich the default critical asset classifications with critical assets specific to your organization, including assets that are not flagged automatically.
All critical assets are automatically visible in the view of assets:
When selecting assets manually, it is also possible to set the criticality level by hand, so in short there are three ways of classifying:
- Manually via the asset inventory
- Automatically by Microsoft via the predefined classifications
- Custom classification rules
Tip: read the following blog post from Microsoft related to critical asset protection: Critical Asset Protection with Microsoft Security Exposure Management
Critical Asset Protection is also available as one of the initiatives in XSPM; selecting the initiative shows its metrics and their current status.
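The critical asset summary can also be pulled from advanced hunting, which is handy for the daily check mentioned above and for exporting the list to the team that owns the CMDB. The query below is an added example (not code from the original post or from Microsoft): it lists critical assets from the ExposureGraphNodes table per classification rule and asset type, and counts how many of them are internet-facing. It assumes the rawData fields criticalityLevel.criticalityLevel (a number where lower means more critical, the same threshold the Microsoft example query later in this post uses), criticalityLevel.ruleNames (the names of the classifications that matched) and IsInternetFacing; verify these field names on one node in your own tenant before relying on them.

```kql
// Added example: critical assets per classification rule, with internet-facing count.
// Assumed field names (verify in your tenant):
//   NodeProperties.rawData.criticalityLevel.criticalityLevel  (number, lower = more critical)
//   NodeProperties.rawData.criticalityLevel.ruleNames         (array of classification names)
//   NodeProperties.rawData.IsInternetFacing                   (bool)
ExposureGraphNodes
| where isnotnull(NodeProperties.rawData.criticalityLevel)
| extend CriticalityLevel = toint(NodeProperties.rawData.criticalityLevel.criticalityLevel),
         InternetFacing   = coalesce(tobool(NodeProperties.rawData.IsInternetFacing), false),
         AssetType = case(set_has_element(Categories, "device"),   "device",
                          set_has_element(Categories, "identity"), "identity",
                          "other")
// Same threshold as the Microsoft query later in this post: levels below 4 are critical
| where CriticalityLevel < 4
// One row per asset per matching classification rule (an asset can match several)
| mv-expand Rule = NodeProperties.rawData.criticalityLevel.ruleNames to typeof(string)
| summarize Assets = count(),
            InternetFacingAssets = countif(InternetFacing),
            SampleAssets = make_set(NodeName, 5)
    by CriticalityLevel, AssetType, Rule
| order by CriticalityLevel asc, InternetFacingAssets desc, Assets desc
```

Rows with a high InternetFacingAssets count are the ones to look at first; they correspond to the "internet-facing critical devices" tile in the portal. Remember that a user restricted to some device groups only sees the nodes within that scope, so the totals can differ between analysts.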
Enterprise Exposure Graph
The Enterprise Exposure Graph is the main datastore where the data from all workloads is stored. The Exposure Graph is available in the Defender XDR advanced hunting schemas. This makes it possible to build advanced hunting queries on top of the Exposure Graph, which is also useful when ServiceNow is connected: the CMDB data then becomes available in hunting queries.
Currently, the following KQL tables are available:
- ExposureGraphNodes: This table contains information about entities
- ExposureGraphEdges: This table represents the relationships between the nodes
Examples;
Show internet-facing devices with a privilege escalation vulnerability:
ExposureGraphNodes
| where isnotnull(NodeProperties.rawData.IsInternetFacing)
| where isnotnull(NodeProperties.rawData.VulnerableToPrivilegeEscalation)
| where set_has_element(Categories, "device")
Show all users logged in to more than one critical device:
let IdentitiesAndCriticalDevices = ExposureGraphNodes
| where
// Critical Device
(set_has_element(Categories, "device") and isnotnull(NodeProperties.rawData.criticalityLevel) and NodeProperties.rawData.criticalityLevel.criticalityLevel < 4)
// or identity
or set_has_element(Categories, "identity");
ExposureGraphEdges
| where EdgeLabel == "Can Authenticate As"
| make-graph SourceNodeId --> TargetNodeId with IdentitiesAndCriticalDevices on NodeId
| graph-match (Device)-[canConnectAs]->(Identity)
where set_has_element(Identity.Categories, "identity") and set_has_element(Device.Categories, "device")
project IdentityIds=Identity.EntityIds, DeviceIds=Device.EntityIds
| mv-apply DeviceIds on (
where DeviceIds.type == "DeviceInventoryId")
| mv-apply IdentityIds on (
where IdentityIds.type == "SecurityIdentifier")
| summarize NumberOfDevicesUserLoggedinTo=count() by tostring(IdentityIds.id)
| where NumberOfDevicesUserLoggedinTo > 1
| project ["Number Of devices user is logged-in to"]=NumberOfDevicesUserLoggedinTo, ["User Id"]=IdentityIds_id
List all node labels with an edge to a specific node label:
ExposureGraphEdges
| make-graph SourceNodeId --> TargetNodeId with ExposureGraphNodes
on NodeId
| graph-match (SourceNode)-[edges]->(TargetNode)
where TargetNode.NodeLabel == "microsoft.compute/virtualmachines"
project IncomingNodeLabels = SourceNode.NodeLabel
| summarize by IncomingNodeLabels
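The attack paths in the portal are computed by Microsoft, but the same two tables let you walk the graph yourself and check, for example, whether a newly internet-facing host leads anywhere critical. The query below is an added example (not code from the original post or from the Microsoft docs): it enumerates paths of one to three hops from internet-facing nodes to critical assets and summarizes them per entry point and target. It reuses the rawData fields from the queries above (IsInternetFacing and criticalityLevel) under the same assumption that they exist with those names, and uses the graph-match map() function to collect the edge labels along each path.

```kql
// Added example: multi-hop paths from internet-facing nodes to critical assets.
// Field names are the same assumptions as in the queries above (verify in your tenant).
ExposureGraphEdges
| make-graph SourceNodeId --> TargetNodeId with ExposureGraphNodes on NodeId
// Variable-length pattern: 1 to 3 edges between entry point and target.
// Raise the upper bound carefully; the number of paths grows quickly with each hop.
| graph-match (entry)-[hops*1..3]->(target)
    where coalesce(tobool(entry.NodeProperties.rawData.IsInternetFacing), false)
      and isnotnull(target.NodeProperties.rawData.criticalityLevel)
      and toint(target.NodeProperties.rawData.criticalityLevel.criticalityLevel) < 4
      and entry.NodeId != target.NodeId
    project EntryPoint  = entry.NodeName,
            EntryLabel  = entry.NodeLabel,
            Target      = target.NodeName,
            TargetLabel = target.NodeLabel,
            // Edge labels along the path, in order (e.g. "Can Authenticate As")
            PathLabels  = map(hops, EdgeLabel)
| extend Hops = array_length(PathLabels),
         Path = strcat_array(PathLabels, " -> ")
| summarize PathCount    = count(),
            ShortestPath = min(Hops),
            SamplePath   = take_any(Path)
    by EntryPoint, EntryLabel, Target, TargetLabel
| order by ShortestPath asc, PathCount desc
```

Run it scoped first (for example add a filter on EntryLabel or a `| take 100` after the graph-match) before widening the hop count, and compare the output with the attack paths the portal shows: this is a raw traversal of every edge type, while Microsoft's attack path engine applies its own ranking and pruning, so you will see more candidate paths here than in the portal.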
For more guidance and example queries with the enterprise exposure graph, see the Microsoft docs:
Summary
This blog provided an overview of Microsoft Security Exposure Management. The solution is still early, and Microsoft is working hard to bring more value, more use cases and more third-party connectors to the tool. I use the new XSPM solution daily, and it is a good addition for multi-product visibility into the posture of critical assets.
Expect more new features, and more blogs about the XSPM component. It is hard to explain all the features in a single blog, so expect a couple more blogs focusing on attack paths, insights, initiatives and metrics.
Make sure to read the below sources from the community and Microsoft.
Sources
Other interesting community blogs:
Sami Lamppu: Microsoft Security Exposure Management (XSPM) Overview – Part 1
Sami Lamppu: Microsoft Security Exposure Management (XSPM) Deep Dive – Part 2
Derk van der Woude: Microsoft Security Exposure Management #XSPM
Microsoft:
Microsoft Security Exposure Management
Introducing Microsoft Security Exposure Management
Unlock Proactive Defense: Microsoft Security Exposure Management Now Generally Available