Unless you work at a high profile, multi-million dollar company, it’s easy to think that attackers aren’t very interested in you, but organizations large and small get attacked. It’s a truism that security needs to start with an audit because you can’t protect what you don’t know you have: You need a full list of your hardware and software assets on your own infrastructure and in the cloud.
But instead of thinking about lists of devices, databases, servers and other assets, you can get better defenses by looking at your inventory from the outside in, the way an attacker would, thinking about what security weaknesses your assets have, what they’re connected to and what would be exposed if they were compromised.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
“Security is hard,” admits Rob Lefferts, CVP of Microsoft 365 Security. “We need to help security teams and defenders of all kinds change the game in how they think about what attackers are doing…. How do we think the way that attackers do, and how can we look at our own organizations the way that an attacker would see them?”
Two new Defender cloud security services (based on the RiskIQ acquisition) promise to help with that. Microsoft Defender Threat Intelligence brings together all the different data sets you need to check out a domain, host or IP address that you think may be compromised, complete with metrics to help you know what you should worry about, as well as information about attack groups, malware and vulnerabilities.
Helping security teams understand what attackers are out there and what their objectives and techniques are helps them better defend their systems, Lefferts suggests.
As well as the usual trial for the Defender Threat Intelligence service, there’s a community portal with many of the background articles.
“We make sure that anyone, regardless of whether they’re paying or not, is able to access some information within the portal.”
How to view your security from the outside
Defender External Attack Surface Management scans your infrastructure from the internet the way an attacker would, looking for all the assets that are connected to your organization and checking them for known vulnerabilities and compliance issues. That’s particularly important with more employees working remotely and needing to connect to company resources online — something almost eight out of ten organizations are worried about securing.
“We’re introducing new technology that allows someone to identify and discover unknown or unmanaged resources that are out there on the internet,” Brandon Dixon, principal program manager for Microsoft Defender Threat Intelligence told TechRepublic.
The attack surface dashboard shows high, medium and low severity risks with information grouped into what Dixon calls an insight, which might be a known vulnerability or a misconfiguration.
“We allow you to drill down from that high level insight directly to the assets that are impacted,” he said. “And throughout that process, you can actually see a visual chain of why that asset is not only in the inventory, but what other assets it’s related to as well.”
Sometimes the reason an asset is exposed to attackers is because it was misconfigured, but often it’s the pace of business and the pressure of the pandemic accelerating the trend to use cloud services faster than security teams can cope, Dixon explains.
“Maybe they had a good corporate process for managing employee resources, but when it came to things like marketing events or shadow IT generally, that was a blind spot,” he said. “Most of our customers just don’t even know what is actually out there from a shadow IT perspective – but of course the attackers can see it. That outside in view goes a long way.”
How to help your security team
While many security teams have good processes, the growth of the attack surface they need to manage leads to fatigue. EASM can help augment existing tools and processes by prioritizing problems, Dixon explains.
“If you think about the number of vulnerabilities that are constantly coming up, you have an existing team, you have an existing workflow you’re trying to keep on top of that, but for most teams that we talked to that is a process that’s quite difficult,” he said. “The EASM component helps prioritize where to spend their efforts and where to remediate things quickly.”
It also helps with risk and governance without needing to create a new team. And the service doesn’t only scan your external attack surface once. Because IT systems are dynamic, the service scans frequently.
“As your attack surface evolves, our visibility goes along with it,” Dixon said. “It lends itself well to beginning to automate more.”
That way you can be proactive, reacting to an alert for a workload that accidentally made its way onto the internet, rather than reacting to a compromise of that system. Even the free trial will give organizations an idea of how exposed they are, Lefferts says.
“You can go as far as running the discovery, seeing the assets that you have at your disposal, gaining a quick understanding of what your external attack surface looks like,” he said.
How to avoid painful security surprises
If you don’t know what assets you have, you’re not patching them.
“The moment that a CISO gets a full inventory of their public facing infrastructure is a little bit painful, but it’s an important part of the growth process,” Lefferts said. “As we think about the concept of managing your security posture — how do you make sure your entire estate is secure? — it really does start with this journey of discovery.”
But in the longer run, Microsoft wants to help security teams deal with the increasingly fragmented technology picture.
“Sometimes I feel guilty,” Lefferts said. “We’ve developed so much technology and so much capability not even just within security… organizational behavior becomes really complicated. Tools like EASM help us build those graphs that connect it together and really help those large organizations function in a way that doesn’t let the attacker slip through the cracks, which is exactly the problem today.”
Microsoft is also planning to turn its tools onto the attack groups organizations can learn about through Defender Threat Intelligence, Dixon suggests.
“Much like we map an organization on the internet, potentially its vendors and suppliers, we can do the same thing for the adversaries leaving them basically nowhere to hide,” he said.