Practical Protection: Reducing Your Attack Surface With Microsoft Security Exposure Management

Let’s Talk About Attack Surfaces

“Attack surface” is a common phrase used by security folks to refer to how much of a system is exposed to attackers. Bigger surfaces are worse. You can think of the attack surface of a network as a representation of vulnerability. If you take a single Windows Server, disconnect it from any network, and lock it in an underground bunker, it will have a fairly small attack surface. If you take an image of that server and host it in Azure as a VM, its attack surface will be significantly larger.

Things That Enlarge or Reduce The Attack Surface

The more routes an attacker can use to target a system, the bigger its surface is. This probably sounds self-evident, but a few examples will help clarify what I mean. In the example I mentioned above of a server in a bunker, the attacker can’t use network-borne attacks at all; she has to get physical access to the machine. The moment someone plugs that server into a network, the attacker has new possibilities. The same is true when the server is reconfigured: every additional Windows service you run, and every application you install, may introduce new vulnerabilities, which means the attack surface grows. The same pattern holds as you add new capabilities or services to your network. By the same token, you can reduce the attack surface by removing potential vulnerabilities.  For example, Microsoft went through a series of phases with Windows Server where much of the attack surface reduction they performed consisted of setting system services to start manually or on-demand instead of leaving them running.

There’s another way to reduce the attack surface, too—ensuring that your servers and devices are configured correctly. We’ll come back to that thought later.

What Microsoft Has Introduced

The new Microsoft Security Exposure Management (MSEM) tool, which is in preview and for which no pricing has been announced, is meant to be an aggregator of security data that you already have… as long as you’re using Microsoft security tools, that is. The blog post announcing MSEM describes a set of features for mapping, viewing, and understanding the relationships between assets, and then tracking their exposure to attack. Because so many attacks involve multiple steps (including lateral movement, privilege escalation, and so on), MSEM presents exposure using a path-based metaphor, very similar in concept to the way that SpectreOps’ BloodHound Enterprise works. One key difference is that MSEM can ingest data from various other Microsoft security products (including Entra ID sign-in and audit logs, Defender for Office, and Defender for Endpoint) to develop a picture of the assets you have and the paths that an attacker might use to compromise them. Interestingly, MSEM can also ingest data from selected products from Qualys, Rapid7, and Service Now.

Whereas tools such as Sentinel can help you respond after an attack, the point behind MSEM is that you can use it (in conjunction with other tools, such as Microsoft Secure Score) to identify possible paths of attack and then harden assets on those paths—or, better, eliminate the path altogether—before an attack.

Do You Need Microsoft Security Exposure Management?

That sounds like a premature question since Microsoft has just introduced it, and hasn’t revealed any details of pricing or availability. A better way to ask the question is “What can I do to reduce my attack surface without MSEM?” As it turns out, many of the most common components of attack paths are already things you can inspect and fix without needing Yet Another Microsoft Security Tool (YASMT).

For example, to reduce the risk of Storm-0558-style attacks on your tenant, you can inventory Entra ID application permissions (and, where appropriate, remove or reduce them). While you’re at it, you can remove consent for Entra ID application objects that are outdated or unwanted, and then you can move on to checking your application consent settings for correctness. These steps have zero cost but can eliminate several common attack path components.

Another example: if you have Configuration Manager, Intune, or a third-party equivalent, you can identify (and remediate) computers that aren’t properly patched. You can use the Office configuration tools (config.office.com) to look for machines that don’t have the correct Office 365 patches. Depending on the type and number of devices you have on your network, you may be able to do something similar with device firmware versions. Again, there will be little to no additional cost for tooling to do this, but fixing your patch management practices will pay off by eliminating another set of attack paths.

A third example: find and shut off all the devices on your network that aren’t being used, don’t do anything useful, and/or are out of security support from the OS vendor. That includes file servers, NAS devices, printers, and anything else that connects to a network. Ever since the legendary casino fish-tank thermometer hack, we’ve had proof that any network-connected device can be a node in an attack path, so it’s always a good time to look for and remediate or remove these nodes.

There are plenty of other examples. Anything you can do that interrupts the path of an attacker from source to target will be of value. The value behind MSEM, BloodHound, and other similar tools is that they wrap up the process of identifying attack paths in a visual interface, which is certainly useful, and they do much of the work of identifying potential paths for you. These are nice capabilities to have, but even without them, you can still markedly improve your overall security by spending a little time identifying the most obvious potential paths and removing or repairing them. This will be time well spent whether or not you end up buying and deploying Microsoft Security Exposure Management, whenever it may come.