Hello and welcome to the Let's Talk Azure podcast with your hosts Sam Foote and Alan Armstrong. If you're new here, we're a pair of Azure and Microsoft 365 focused IT security professionals. It's episode 29 of season five. Sam and I had a recent discussion around external attack surface management. Here are a few things we covered. What is external attack surface management? What is Defender EASM and how can it help identify your risks? How did you set up Defender EASM and how much did it cost?
We've noticed that a large number of you aren't subscribed. If you do enjoy our podcast, please do consider subscribing. It would mean a lot to us for you to show your support to the show. It's a really great episode, so let's dive in. Hey, Alan, how are you doing this week? Hey, Sam. Not doing too bad. How are you? Yeah, good, thank you. Anything exciting happened in the world of technology in the last week?
Not that I'm aware of. Don't think so. It's been busy, busy at work, so it's been keeping up with too much.
Yeah, I haven't really heard of too much. On the Twittersphere I see people talking about, what's Twitter? Oh, yeah, sorry, I'm still living in the, I don't know when. Yeah, I don't think I've heard too much, to be totally honest with you. It's been quite quiet, the whole CrowdStrike debate conversation has quietened down a little bit. I know there was some back and forth publicly between, is it the Delta Airlines CEO, and CrowdStrike. But yeah, apart from that, I did see some quite cool, actually, no, I did see some quite cool Copilot exploitation at DEF CON. I thought some of those use cases were quite interesting, because when I've been talking to people about Copilot, I have been sort of saying that I had sort of a thought that mass exfiltration of data would be like a sort of a concern via Copilot, if that makes sense, because it's essentially a way to very quickly search SharePoint, basically in its most basic sense. And it was interesting. I can't remember the name of the tool, but somebody's weaponized or at least scripted, I haven't looked at it in detail, but like a rapid way to start to exfiltrate data with Copilot, you know, like a bad actor utilizing a script. So it'd be interesting to see what entry point they hook for that, to actually do the querying, if that makes sense, because I don't know if there's, I haven't inspected the web traffic or anything like that to see what the API endpoints are. I assume there's not like a Graph API for it. I don't know.
Yeah, I guess this comes back to protecting the endpoints in some form, you know, unless it's a, you know, they've got in and I've got access, you know, via a normal web browser from anywhere sort of thing.
Yeah, I think it's just, yeah, it feels to me like classic identity protection really, isn't it? You know, as soon as you know this, this isn't the type of attack that, you know, exploits like a vulnerability in a piece of software or product. Right. This is just utilizing a product in a nefarious way. So it is interesting to see, and I'm not really sure how you protect against it in terms of, you know, let's say somebody's actually got access to the account, because I think a lot of the more rigorous visibility and monitoring comes from E5 technology, to be honest with you. So it'd be interesting to see if there's going to be a solution for our E3, you know, customers. So, yeah, just interesting to see it actually being, you know, that scenario being worked through.
Yeah, I think you're right around. It's the, it's the identity because it's the access, you know, you have to data as well, isn't it? So, yeah, it's that plus how you gain access to the account. But then it, I suppose the second part might be if there's a way to run it on a user's device to then access the information, things like that.
Yeah. It'd be interesting to see what level of access you do really need. Do you just need the identity, you know, and then with that comes the whole, you know, session control conditional, blah, blah, blah, all those types of things. Right? Like, you know, does this sit outside of all of that? I assume it does. I don't know. I need to have a, need to have a play with it. Cool. Alan, what are we talking about this week?
So we're going to talk about external attack surface management. So it's pretty new to myself. So yeah, we're just going to go through Microsoft's sort of Defender EASM tooling and what it does, how it helps you, kind of thing. Okay. So, yeah, should we just start from, you know, sort of, I say the basics. I don't know, that could be a loaded statement. So what is attack surface management?
Yeah, so really let's break it down into what I guess an external attack surface is. And really that's around your digital assets that are Internet facing. So that's your, you know, that's your virtual machines, that's your websites, that's your applications, things like that. They're exposed to the Internet and in effect, you know, it's an attack surface. So I guess, if we kind of take it away from being Internet facing kind of thing, and we talk about like endpoints, we have attack surface reduction rules for Defender for Endpoint, where you're just blocking mechanisms on that device to even run certain potential attacks and things like that. So reducing your risk at that point. So external attack surface management, EASM, is in effect the process of searching for your assets and their infrastructure, things like that, but also in effect building your inventory there, understanding what is part of your attack surface, your external attack surface, and then looking at your vulnerabilities and your prioritization of what you should be fixing in that environment, as well as sort of evaluating whether actually you've got assets that you didn't know about or you shouldn't have still, that may be a potential attack vector for someone to get in. So it's really around sort of gaining that visibility, yeah, for your external attack surface, as it kind of sounds. So that's really sort of it. I guess initially it's more of a discovery tool and a monitoring tool to make sure that you're tracking that side of it. So.
Yeah, because I suppose organizations' perimeter or, you know, external perimeter is completely, you know, disconnected. Yeah, I don't know, stretched apart, you know, is this more complex now because we've got multiple different data centers, cloud providers, you stretch your perimeter a lot wider.
Yeah, exactly. And you might be consuming a SaaS, software as a service, solution with your domain, say, then you might not be able to, you may not have identified that as an asset or a potential externally facing asset thing. We all know probably, if we're in an IaaS or PaaS or on-premise environment, what is exposed to the Internet because we've configured it, but there might be other assets that we don't know about or we haven't tracked. And in effect, this sort of solution sort of does that for you. And when we talk about how we set it up, how we get it to work out where our assets are, in effect.
Yeah, exactly. Yeah. So what is Defender EASM and how does it help to reduce risk?
Yeah, so Defender EASM is Microsoft's version of an external attack surface management. It's hosted in Azure and it is consumption based, something that you buy via consumption. And what it does is, as I said, it allows you to set up some discovery schedules as well as provide you that inventory. So what that can look at is it goes through Microsoft's Intelligent Security Graph and actually looks at whether your assets have been identified within that threat intelligence data that Microsoft has, to either identify if, you know, there's leaked information about it or potentially, you know, vulnerabilities and things like that. So that's one part to it and you can feed it. So in effect what you have to do is sort of seed it, I guess. And the sort of assets that it can, you know, track is domains, IP blocks, hosts, email contacts, ASNs and WHOIS organizations. So it allows you to then track all those types of assets in there, and then they get discovered, and then you can then understand, like I said before, you know, what is out there that, one, you don't know about and, two, that you can check off your list, confirming that it is sort of out there. So yeah, that's kind of, that is what, you know, Defender EASM does in there, and it can then in effect feed into other services. So it either does today or it can feed into things like the exposure management, I believe, in Defender XDR. But also there's a plugin for Copilot for Security so that you can query that data using Copilot for Security as well, as part of your sort of, maybe your prompt books, or just to generally check those assets there, or check them against some of the other information that you can ask Copilot for Security for.
Nice. So yeah, once you've built this intelligence database of intelligence, you can then utilize it in other products in, you know, the sort of Microsoft ecosystem I suppose that, yeah, just keeps everything connected and enriched across all product, well all of those different products I should say.
Yeah. And as part of that discovery it does a weekly scan of it all again. So it's continuous monitoring of it there. And in effect what you get is a dashboard of your assets and things like that. But what you can do is, it then gives you some information around them. So let me just find my instance of it, because I ran it against my sort of information. So it gives you a, what's it give you? It gives you posture management. So it's kind of doing, you know, kind of the same thing as sort of Defender for Cloud does around your cloud environments, but then is adding posture management for your external assets that may not be part of Azure or a cloud environment. So initially it gives you like a breakdown of domains, hosts and things like that. It can also grab SSL certificates that are part of those domains, so you can see that they're being used, or if there are some bespoke ones out there that you're not aware of. And it's interesting, because adding your contacts in, that maybe you might have exposed to the Internet, also allows you to see what pages they might be on, on your website, things like, or if they've been mentioned on web pages and things like that. Yeah, it goes through sort of 149 sort of checks or observations, and maybe it's around some main sort of CVEs. So it does some checks, like I said, it checks those CVEs against your assets. So mainly around your hosts or what's on the ends of IPs and things like that. It gives you like a score then against how risky that environment is. Some of the dashboarding that you've got is, you've got GDPR compliance. So maybe some things around SSL certificates, whether your sites are active and things like that, whether there's any errors on the browser when you try to go to those websites. And there's also some things around PII data and things like that in there. So it's really giving you an idea of what those endpoints do or don't have on them.
One other thing is that you can do, they've got a list of, or a dashboard for OWASP Top 10 sort of checks there. And again, it will tell you which assets may have, you know, cryptography failures or injection or insecure design kind of stuff within it. And yeah, that's really, you can tag your assets as well. So maybe if you've got specific applications, things like that, and you'll kind of want to filter them so you can understand whether an application has an issue, or you've got different teams look after them. And then, yeah, it just keeps updating, like I said, weekly. Or you can just do a one-off run against the data there.
Nice. So yeah, there seems to be loads of intelligence and value that you can gain from it. Right. You know, all the different types of, I call them entities, that it can track, I suppose, and give you all of that reporting. And I suppose in relative real time alerting to it, that seems really powerful. Is it easy to set up? What are the steps for getting it going?
Yeah, so it is really quite easy to set up. In effect, what you do is you create an instance of it, and you can have multiple instances if you want to. So maybe if you want to do it by sub-organization, things like that, or maybe by application, things like that, maybe, or just a sort of whole organization. But in effect, once you create your instance, you then have to provide information. So in effect, seed the discovery part. So when you're doing that, you provide the various information that I kind of mentioned before. So you can do an import of your seed, but in effect it's like organizational information. So it's like if you've got a LinkedIn page, your website, things like that, so they can kind of gather information around that. You can then specify your domains, IP blocks, hosts, email contacts, ASNs and WHOIS organizations. In effect, you can put as much or as little in there. And for some of the sort of seeds you can exclude assets or, you know, IPs, things like that, because there may be a reason, like you don't want to look at your dev test, maybe, as an example, or maybe there's a subset of your organization that you don't want to discover. So once you've put all that information in and then in effect set it to a week or as a one-off run, you then leave it to run, and then you have to leave it 24 hours for the scan to go through the Intelligent Security Graph and then the various other sort of data sources that Microsoft uses to collect that data. And then after 24 hours you come back, you can then start seeing your assets and the information there. Once you've done that, if you've forgotten an asset or one of those IP ranges, or you want to exclude one, you can go back in and modify that seed and then wait for the next run in a week's time to update, and then that's just left to run. Really.
It feels to me like gathering the list of required configuration parameters, I don't know what they're referred to as. Seeds. The seeds. That's probably going to be the biggest part, isn't it? Maybe. Especially if you've got a large organization, there could be quite a lot that you want to track.
Yeah, absolutely. That list is going to be sort of key. I mean, you can obviously start with, you know, the main things that you'll know about, maybe your main website, maybe the IP ranges that you own, things like that, or, you know, assets that you know about, quite quickly to get the information starting to come in. But like I said, you can then expand it later on, either with new sort of asset groups where you can in effect, you know, create another discovery schedule, just so you can keep an idea of, you know, this is this application, this is core, you know, organizational sort of sites, things like that, if you want to. But yeah, keep tweaking and updating again. You might get something where you find a load of assets that aren't yours but are maybe related to you. Maybe it's like a partner organization or something and you don't want to be tracking their assets. So you can start excluding those URLs or those IP ranges at a later date to kind of tweak it, you know, to your data, to your attack surface, in effect.
Nice. And I suppose the million dollar question might be, I don't know, hopefully not, is how much does it cost?
So you get a 30 day trial whenever you set one up. So you can see at least what information you can collect and sort of your, I guess, your posture around it. But in effect it is 1.1 cents per asset, per day. So you may only put, like, I don't know, 10, 20 seeds in, and think that you might only get ten or 20 things back, or it might come back with a lot of assets. I think we've seen with some organizations that they've maybe put in, you know, say 100 assets, different IPs, different domains, things like that, and it's come back with thousands of assets, kind of thing. So, and I think, every time it scans it obviously changes the asset list or updates it. So, you know, an item or an asset could be there for, you know, up to a week, if it then disappears. I mean, we wouldn't expect things to disappear. It'd be more that we'd probably see, you know, additional things there, unless you're changing your seeds there. So it doesn't sound expensive on that part. But like you said, if you've got a large organization, or you have a large, I guess, external attack surface because your applications, your services are, you know, Internet exposed, it may ramp up that price or that cost there. But within the actual Defender EASM, there's a billing assets part. So you can actually see what you're going to be billed for. So as well, you can tag assets as approved and unapproved, which I think I have to double check. But in effect it's only approved assets that get billed. But I think by doing that, the data then around them is then sort of removed, if that makes sense. You don't get any of the ability to see the additional information around those assets.
So could you, sorry, could you just give me like a numbers example? Like, if I've got 1000 assets, how much is that going to cost me a month? A thousand assets would be, eleven pounds, $11, $11 per day. Okay. So that's about 300 and something dollars a month ish. Just say 30 days. 330. Yeah, $330 a day, a week, I get, right, a month. Okay. Yeah.
And I think if you had a thou. I don't know, it's a thousand assets. It's not just resources, is it? It's not just like web servers is it? You know, everything in your organization.
Yeah. So kind of the different types of assets could be, like I said, a contact, an SSL certificate, hosts, domains, ASNs, IP addresses and IP blocks, but it also does pages of an asset, of a site. So if you've got a large website with loads of, you know, web pages, for example, potentially it's going to try and track all of those as well. Got it. Right.
So, for instance, for my domain I've got 18 assets, and that included my contact details, my very, my, which web page, which isn't there anymore, for it, but my HTTP and HTTPS pages for .uk and .co.uk. It's got some, my configuration for hosts and that for my Microsoft tenant, so like my auto-enrollment kind of stuff and things like that. And yeah, my domain and hosts, so I've got quite a few in there. I haven't got anything on WHOIS because I'm privately hiding, you know, those parts of it, but I expected it would potentially have seen that. So, yeah, and that was just with three or four assets, I think.
Okay. Yeah. I suppose you are more of a technical user though, aren't you? So, yeah, I've got nothing on those bits. Yeah, absolutely. But as an example, you know, it's just very, very light there. Okay, nice. Anything else we need to go over, Alan? More of a shorter one, I suppose. But that's no bad thing, that's for sure. But anything else you want to cover?
No, I don't think there is anything else. Like I said, it's relatively simple to get started, and again you get a 30 day trial so you can get in there and see what sort of asset numbers you might get, which also might be where you want to start tweaking your seeds and things like that and put exclusions in. Maybe. But no, like I said, I think it integrates with the exposure management side of things. There were some things around it going into Defender for Cloud at one point. And like I said, you can query the data using Copilot for Security as well.
Nice. Cool. Okay, Sam, what's the next episode? Next episode I'm going to do Azure Container Storage. So I did storage accounts, or Azure Storage, last week. So we're going to start to jump through the various different storage mechanisms. So yeah, if you've got containers that you're running in Azure and you need to think about and manage volume storage, that's what we're going to cover next week.
Okay, great. Okay. So if you did enjoy this episode, please do consider leaving us a review on Apple, Spotify or YouTube. This really helps us reach out to more people like yourselves. If you do have any specific feedback or suggestions, we have a link in our show notes or you can put a comment on the episode. Thanks, Alan. And thanks, if you've made it this far, for listening, and we'll catch you on the next one. Yeah, thanks all.