Description:

Microsoft Defender External Attack Surface Monitoring (EASM) is a feature within Microsoft Defender for Cloud that continuously monitors and assesses the external attack surface of your organization. This includes identifying assets, services, and open ports that are publicly accessible on the internet. EASM provides you with insights into potential vulnerabilities by discovering and monitoring internet-facing assets such as websites, servers, IP addresses, and domains. It also provides alerting for exposure risks and the attack paths that adversaries might exploit.

Rationale:

Enabling EASM helps organizations detect exposed assets that could be targeted by malicious actors, which helps prevent data breaches, ransomware attacks, and other external threats. By continuously scanning for exposed resources and potential attack vectors, EASM lets security teams proactively secure external-facing systems and respond to exposures before they are exploited.

Impact:

Enabling EASM allows your security team to gain visibility into publicly exposed assets, helping to mitigate risks associated with unmonitored external-facing systems. It can also improve your organization's security posture by reducing the external attack surface. However, EASM may incur additional costs, depending on the number of assets being monitored. It’s important to assess the level of monitoring required for your organization.

Default Value:

By default, EASM is disabled and needs to be explicitly enabled.

Pre-requisites:

  • Microsoft Defender for Cloud: Ensure that Microsoft Defender for Cloud is set up and your subscription is associated with it.

  • Permissions: Ensure you have Owner or Contributor role permissions for Microsoft Defender for Cloud to enable EASM.

  • Subscription: Make sure your subscription supports Microsoft Defender External Attack Surface Monitoring.

Remediation:

Manual Steps to Enable Microsoft Defender EASM:

  1. Sign in to the Azure portal:

    • Use an account with Owner or Contributor permissions to access Microsoft Defender for Cloud.

  2. Navigate to Microsoft Defender for Cloud:

    • In the Azure portal, search for Microsoft Defender for Cloud and open it.

  3. Access Environment Settings:

    • In the Microsoft Defender for Cloud dashboard, click on Environment settings.

    • Choose the relevant Subscription for which you want to enable EASM.

  4. Enable External Attack Surface Monitoring (EASM):

    • In the Defender plan settings, scroll down and find External Attack Surface Monitoring.

    • Toggle EASM to On for the subscription or environment.

  5. Review and Configure Settings:

    • Once EASM is enabled, you may configure additional monitoring options, such as setting alert thresholds, defining monitoring scope, or integrating with other security tools for improved threat detection and response.

  6. Save Settings:

    • After enabling EASM, ensure all changes are saved and that the service is actively monitoring the external attack surface.

Verification:

  • Verify EASM Activation: You can verify that EASM is enabled by checking the Microsoft Defender for Cloud dashboard and ensuring that external-facing resources and attack surface details are being monitored.

Backout Plan:

To disable Microsoft Defender External Attack Surface Monitoring (EASM):

  1. Sign in to the Azure portal with appropriate permissions.

  2. Navigate to Microsoft Defender for Cloud:

    • Go to Microsoft Defender for Cloud in the Azure portal.

  3. Disable EASM:

    • In the Environment settings, click on the relevant Subscription.

    • Toggle EASM to Off.

  4. Save Settings:

    • Ensure that the settings are saved and EASM is no longer active.

Disabling EASM stops the continuous monitoring of publicly accessible assets and may reduce the overall visibility of potential attack vectors.
