Trustwave SpiderLabs Exposes Unique Cybersecurity Threats in the Public Sector. Learn More

Trustwave SpiderLabs Exposes Unique Cybersecurity Threats in the Public Sector. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

The Invisible Battleground: Essentials of EASM

Know your enemy – inside and out. External Attack Surface Management tools are an effective way to understand externally facing threats and help plan cyber defenses accordingly. Let’s discuss what EASM is, how to use it, and what other pieces are involved to help one see through the fog of war that is your external network security posture.

What is EASM?

External Attack Surface Management is typically a SaaS service for identifying, monitoring, and reporting on the various points of entry that are exposed to potential attackers from outside an organization's network. It can also help find unknown and unmanaged resources outside the firewall. EASM can also identify exposed vulnerabilities on external facing assets. As a SaaS service it requires minimal effort to configure and monitor. 

Image 1 Dashboard from Microsoft’s Defender for EASM
Image 1: Dashboard from Microsoft’s Defender for EASM


EASM vs External Pen Testing

  • EASM vs External Pen Testing
    You might say, ‘I’m already doing external pen testing; I don’t need an EASM’, but the purpose of EASM is different than a pen test, for example:
    EASM maps out all your public-facing assets. An objective of EASM is to find ‘shadow IT resources’ and register them with your CSPM service so they can be properly monitored and provide a complete map of your external attack surface.
  • EASM operations run continuously – once configured with the scope details of your domain(s), EASM will run continuously and provide update reports on a periodic basis.
  • EASM is not performing attack simulations - EASM is focused on finding public-facing hosts, ports, and domains.
  • EASM and pen testing are complementary tools – EASM presents the full breadth of public-facing assets that can be used to plan your pen testing operations.

Using EASM in a SOC Operations Lifecycle

EASM is a planning and investigative tool. Here are some examples of how security teams commonly use it in daily operations.


Using CSPM Asset Inventory to Remove Gaps in Security Operations

EASM solutions usually present their data in a schematized form so it can be queried and sorted in a database. As such, the EASM data can be combined with other information, such as vulnerability data and asset inventories. Together, this information can provide an overview of your attack surface. SOC administrators can then use this asset list to identify configuration gaps in tools such as CSPM, EDR, and SIEM.

Using CSPM for SIEM incident investigations

If SIEM generates an incident containing a hostname, one of the first steps the SOC operator will take is to identify where that host exists on the network. EASM content can be made available in SIEM to provide quick access to that information. In addition, SOAR and AI tools (e.g., Microsoft’s Copilot for Security) can use EASM content to automatically lookup EASM content and apply relevant data to an incident.


External Attack Surface Management is a useful security architecture for understanding your publicly facing security posture. Combining EASM with other security tools can provide a good picture of your entire attack surface and help improve processes used for SIEM investigations.

Microsoft’s EASM Solution
Gartner EASM Reviews

About This Blog Series 
Follow the full series here: Building Defenses with Modern Security Solutions
This series discusses a list of key cybersecurity defense topics. The full collection of posts and labs can be used as an educational tool for implementing cybersecurity defenses.

For quick walkthrough labs on the topics in this blog series, check out the story of “ZPM Incorporated” and their steps to implementing all the solutions discussed here.

All topics mentioned in this series have been mapped to several compliance controls here.

David Broggy, Trustwave’s Senior Solutions Architect, Implementation Services, was selected last year for Microsoft's Most Valuable Professional (MVP) Award.


Latest SpiderLabs Blogs

2024 Public Sector Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies

Trustwave SpiderLabs’ 2024 Public Sector Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies report details the security issues facing public sector security teams as...

Read More

How to Create the Asset Inventory You Probably Don't Have

This is Part 12 in my ongoing project to cover 30 cybersecurity topics in 30 weekly blog posts. The full series can be found here.

Read More

Guardians of the Gateway: Identity and Access Management Best Practices

This is Part 10 in my ongoing project to cover 30 cybersecurity topics in 30 weekly blog posts. The full series can be found here.

Read More