Know your enemy – inside and out. External Attack Surface Management tools are an effective way to understand externally facing threats and help plan cyber defenses accordingly. Let’s discuss what EASM is, how to use it, and what other pieces are involved to help one see through the fog of war that is your external network security posture.
What is EASM?
External Attack Surface Management is typically a SaaS service for identifying, monitoring, and reporting on the various points of entry that are exposed to potential attackers from outside an organization's network. It can also help find unknown and unmanaged resources outside the firewall. EASM can also identify exposed vulnerabilities on external facing assets. As a SaaS service it requires minimal effort to configure and monitor.
Image 1: Dashboard from Microsoft’s Defender for EASM
EASM vs External Pen Testing
- EASM vs External Pen Testing
You might say, ‘I’m already doing external pen testing; I don’t need an EASM’, but the purpose of EASM is different than a pen test, for example:
EASM maps out all your public-facing assets. An objective of EASM is to find ‘shadow IT resources’ and register them with your CSPM service so they can be properly monitored and provide a complete map of your external attack surface.
- EASM operations run continuously – once configured with the scope details of your domain(s), EASM will run continuously and provide update reports on a periodic basis.
- EASM is not performing attack simulations - EASM is focused on finding public-facing hosts, ports, and domains.
- EASM and pen testing are complementary tools – EASM presents the full breadth of public-facing assets that can be used to plan your pen testing operations.
Using EASM in a SOC Operations Lifecycle
EASM is a planning and investigative tool. Here are some examples of how security teams commonly use it in daily operations.
Using CSPM Asset Inventory to Remove Gaps in Security Operations
EASM solutions usually present their data in a schematized form so it can be queried and sorted in a database. As such, the EASM data can be combined with other information, such as vulnerability data and asset inventories. Together, this information can provide an overview of your attack surface. SOC administrators can then use this asset list to identify configuration gaps in tools such as CSPM, EDR, and SIEM.
Using CSPM for SIEM incident investigations
If SIEM generates an incident containing a hostname, one of the first steps the SOC operator will take is to identify where that host exists on the network. EASM content can be made available in SIEM to provide quick access to that information. In addition, SOAR and AI tools (e.g., Microsoft’s Copilot for Security) can use EASM content to automatically lookup EASM content and apply relevant data to an incident.
Summary
External Attack Surface Management is a useful security architecture for understanding your publicly facing security posture. Combining EASM with other security tools can provide a good picture of your entire attack surface and help improve processes used for SIEM investigations.
References
Microsoft’s EASM Solution
Gartner EASM Reviews
About This Blog Series
Follow the full series here: Building Defenses with Modern Security Solutions
This series discusses a list of key cybersecurity defense topics. The full collection of posts and labs can be used as an educational tool for implementing cybersecurity defenses.
Labs
For quick walkthrough labs on the topics in this blog series, check out the story of “ZPM Incorporated” and their steps to implementing all the solutions discussed here.
Compliance
All topics mentioned in this series have been mapped to several compliance controls here.
David Broggy, Trustwave’s Senior Solutions Architect, Implementation Services, was selected last year for Microsoft's Most Valuable Professional (MVP) Award.
