Proactive Protection with Microsoft Security Exposure Management: Part 2

By Microsoft Security Community

Summary

Topics Covered

  • Pre-Detecting Critical Assets Before Attackers Strike
  • Attack Paths: An Algorithm Playing Chess Eight Moves Ahead
  • Choke Points: Fix One Asset, Break Dozens of Attack Paths
  • Threat Initiatives: Start with the Objective, Not the Recommendation
  • The Rise of Risk Ops: Unified Teams Over Siloed Posture Teams

Full Transcript

[Show theme music] HEIKE RITTER: Hello! Welcome back to the second part of our Microsoft Security Exposure Management episode.

We had Tomer here, and we still have him, and we already talked about what it is and what it looks like, but we were in the middle of a demo, and then we ran out of time.

So now let's get right into it.

TOMER TELLER: Yeah. HEIKE: Tomer, please, take it from here.

TOMER: Now you have a long list of devices, but eventually, no one just comes here to look at a set of devices.

How do you differentiate between the ones that are important and the ones that are less important?

And this is where critical asset management kind of steps into the Exposure Management, and we build it right into the product as a core capability.

I'll click here on "Classify critical asset," and what I'm going to show you over here is a new capability that we launched as part of the public preview.

And the idea behind it is to automatically flag critical assets that are deemed critical from an attacker perspective.

So, if an attacker would compromise the organization, these are the assets they will go after.

So what we're doing is, before an attacker gets into the organization, we're pre-detecting those, classifying those, and we're giving the edge back to the defender.

We're now telling them we found those critical assets.

They are not compromised yet.

They have critical exposures.

Go fix them now. Right?

HEIKE: And the critical asset is discovered based on whether there is protected data on it or there is a user with, like, high privileges signed on?

What are your criteria to define such an asset?

TOMER: So, we have a long inventory of classifications.

This is kind of what our research team are building continuously.

Every data source brings a new bit of information that allows us to build new classifiers.

For example, we can detect domain controllers, we can detect different servers, we can detect administrators, of course.

You can go and find global readers.

HEIKE: Okay.

TOMER: You can find the devices with critical information.

That information is information that came from Purview, for example, or devices that are internet facing.

That information came from Defender External Attack Surface Management.

But naturally, we have a long list-- as you can see, more than 200 classifications.

HEIKE: Wow. TOMER: We keep adding more, but naturally we will not fit every organization.

This is why we acknowledge that the business knows best what is critical for them.

So we also provided the ability to create your own criticality level.

So for example, perhaps a certain organization will have a certain naming convention or IP ranges or a certain kind of information that lives within the assets that will classify it as critical.

And we also provided the ability to build your own classification.

You can go and build your own criticality criteria if this and this or that will allow you to create this rule.

Of course, once this query hits, you'll be able to go, mark which criticality level it is, and this critical context will go and will be refreshed in the exposure graph, and then everything changes.

All the experiences will surface that criticality.

All the exposure formulas that compute risk prioritization will take advantage of this factor.

I will show you soon how Attack Path leverages that in order to start building attack paths toward that critical asset because the million-dollar question is, okay great, how can this critical asset be compromised?

So there are a lot of things once you have that bit of important information that can help kind of emphasize and build on top.

So, let's head back to the device page, and now, once we classify all those assets, now it's time to actually see them.

So we can actually go and filter by the criticality, and we can actually see they're automatically tagged.

And if you create a new custom rule, a couple of minutes later, that tag will propagate across all the experiences and formulas, and the risk prioritization formula will start taking that, you know, criticality level into account, and they should, because eventually, critical assets should get more weight in a formula because it's important to fix things before that.

But naturally, what do we do with this criticality, I mentioned, right?

You have these devices, you have this criticality.

One of the things kind of that we built the system for is our ability to detect attack paths.

Attack paths, you can imagine, as I mentioned earlier, similarly to an incident that brings together alerts into a story, an incident.

The attack path's doing the same thing for pre-breach.

We're taking issues, finding security problems from different silos, and stitching them together into an attacker story.

This is how an attacker will stitch together, kind of chain together all these findings to compromise your organization.

But what can they compromise, right?

Every asset? Eventually, you need to reduce your world.

So what the attack path is doing, it's reducing it to those critical assets.

So you can imagine that what we're doing, essentially, we're looking at a graph.

We have an algorithm that automatically tried to compute, given a certain entry point, an internet-facing device with a vulnerability, a compromised identity.

How can an attacker reach those critical assets?

And it automatically tried to find all these paths for those critical assets.

So, if you go into the Attack path analysis page, you can actually see the Attack path management overview that gives you kind of overtime analysis: How many new attack paths were created?

What are the most kind of severe attack paths?

But you can also jump directly into the Attack path page to actually see all those attack paths that we detected.

Now, the secret sauce behind it is an algorithm innovation that we added into the graph that automatically runs on the graph.

And similar to a chess game, we codified what are the legal moves an attacker can take in a network based on the context that we have.

The algorithm tried to exploit that information and find all of these possible paths.

You can imagine you can find five, six, seven, eight paths, something that a human being will find really hard.

The man in the chess game thinking eight steps, eight moves ahead.

Same thing, the algorithm tried to exploit.

So you can imagine you can find places where a device has a certain vulnerability--it's open to the internet, it has a secret that allows us to jump to another device that has a token that allows them to connect to a cloud resource that have access to another token to another.

Something that a red team will take, you know, months to discover, the algorithm will automatically detect it.

So what you see in this specific demo tenant is a set of the results that we detected.

You can actually see, for example, "Internet-exposed node" that is running a container with a vulnerability that has access and allows lateral movement to other assets, and the story can become much more complex.

Let's try to find an interesting attack path over here.

Here's an example of one: You can actually see it's a three-hop attack path.

You can see that there is a certain virtual machine that can authenticate as a managed identity that has permission to a certain storage account.

What does it mean?

It means that if this virtual machine, which is internet exposed and has high vulnerability, will be compromised--we talked about transitive risk-- that storage account will be compromised.

Naturally, you want to go and fix that vulnerability.

It's a high-severity vulnerability, and we keep adding more and more constraints into this attack path, and we are going to provide more tools to go and kind of loosen them up so it'll create more attack paths, and then customer will be able kind of to customize what an attack path is for them.

This is what we keep hearing from customers.

They want to build a tailor made it in order to build processes in their organization, and for that they need maximum flexibility and maximum customization.

HEIKE: And this wouldn't be so high in the list if it was only an internet-exposed Azure machine, but there was no vulnerability on it, right?

So, all of this is being added together, as well.

TOMER: Correct.

So, you can imagine that based on the criteria of what an attack path is, maybe it wouldn't even trigger an attack path or maybe it would be an attack path, but low.

And imagine it an hour later, there's going to be a zero day that will affect it. It will immediately bubble up because naturally, now the risk immediately intensifies.

Now, one of the things that we keep hearing from customers, great, you're connected to our entire attack surface.

You found and discovered millions of devices.

These millions of devices introduced millions of, you know, security findings. Attack path helps reduce that world, right? Now you're not looking at millions of findings, you look at hundreds of attack paths, but even hundreds can blow up into hundreds, thousands, and maybe 10,000.

So, another...in order to kind of live, even filter down that funnel, we also introduced the concept of "choke-point analysis."

Choke point is essentially an asset that multiple attack paths go through, which means that if we'll fix this, we'll break many different attack paths.

So perhaps this is another great tool for teams to even more focus and prioritize those critical choke points that lead to many different critical assets.

In this case, for example, we can see a vulnerable container.

If we click on it, we can actually see that we can build the blast radius around that.

If someone will compromise this choke point, where can they go?

HEIKE: Mm hmm. TOMER: Right?

So, we actually built a tool within the attack path that helps you build that.

And once you click on that, you actually get the full attack surface visibility.

Imagine kind of a blueprint. Remember the fog of war?

The attacker has it when they land inside a compromised environment. They don't have everything.

HEIKE: Wow. TOMER: They don't even know sometimes where they want to go.

With Exposure Management, we're actually providing the attacker visibility to the defender, right?

We're connecting the dots for them, and they actually have what the attacker wishes they had when they got inside the organization.

So, it's really time for them to be more proactive and run harder, protecting their assets.

So in this case, we can actually tell the customer, so remember that vulnerable container?

It has a lot of DevOps pipelines connected to it, which can authenticate as a service principal and has permission to those storage accounts.

And you can actually go expand all of these storage accounts and play around with them, understand how they can be accessed, understand who is the owner of each one of them and start exploring that in the map.

You can actually go and explore and do threat modeling, understand what do I need to do?

What are the compensating controls that I can actually do within the path to break that chain?

We're providing all that information within the attack path.

Wherever you go, you can actually click on every node, understand the attack path that goes through it, understand the vulnerabilities, the misconfiguration that you need to fix and everything, and so on and so on.

And if, naturally, as the organization expands, you can go and expand and play around with the attack path.

Very useful tool.

We see our customers using it for a different variety of use cases, from threat modeling, red teaming, doing what-if analysis, change management, vulnerability management, security investigations.

So many different use cases that we're exploring.

We're planning to invest heavily in this component going forward.

HEIKE: Wow. Where do you even start?

Like, I saw this is a demo environment, obviously, which doesn't have so many machines as some of our big customers have.

I can imagine that there's a lot of assets and a lot of risk and a lot of paths and all of this.

Do they start with, like, yes, make sure you mark all your high risk, the crown jewels or something, mark them, sort, and then, from the top to down, or like what's your recommendation?

TOMER: So, great question.

So there's a couple of ways to tackle that, right?

So there's no one way to do that.

First of all, everything, every list that I showed you is risk based, prioritized by risk, right?

Prioritized by the impact, the exposure, the vulnerability, the criticality, and many other factors that help us understand, hey, start with this before you start with that.

And naturally, the world is dynamic.

That landscape is dynamic, and IT is dynamic.

So it means that every hour that you come, things might change based on, you know, the reality, based on the dynamism of the environment and the threat landscape.

So first of all, you start with the list.

We prioritize everything, we prioritize everything.

Another way to look at it is not from the attack surface but from the threat landscape, and for that, we introduced a new concept that we call "threat initiatives."

Essentially, imagine that we surveyed all security teams, the CISOs around the world, and we asked them what is their top priority in the next fiscal year?

And they provided us a list of kind of initiatives or projects they would like to promote, they would like to monitor, they would like to govern, they would like to do a project, program management on top of.

And what we did, we codified those into a catalog, into the Security Initiative Catalog.

These are based on feedback we got from a lot of customers, and instead of just building a view, many of our customers, you know, they collect the data, and they build power behind reports to their leadership.

We understood we have an opportunity to do more than that and to actually not just report on the program but push the program beyond the boundaries, and for that, we developed that concept.

And the idea behind it is pretty simple.

Let's take, for example, business email compromise. This is one of the, I would say, top asks from our customers: "How am I doing against business compromise?

Do I get the ROI from my tools?

What do I need to do with the tools that I already bought to better improve my posture and reduce my exposure against these specific threats?"

So, we consulted with industry experts around each one of those initiatives, and we actually codified and built those initiative templates that help guide you into what you need to do.

So in this case, you can see your score, your maturity score, your secure score.

For business email compromise it's, right now, 80.

Is it good? Is it bad?

It depends, right?

We're also adding benchmark capabilities so you can benchmark against different companies in your industry, in your geo location, and so on.

The second thing that we're doing, we created a set of object-driven metrics that we understand very similar to an OKR.

If your objective is to improve business email compromise, these are the key results that you want to improve on.

Customers can actually define the threshold for each one of those metrics.

And the most important thing about it is, for each metric, we're actually assigning a set of recommendations.

If you want to push these metrics up, these are the recommendations, these are the things that you need to do right now in your security tools in order to get better.

HEIKE: And all these recommendations consider all the connector data, as well, right?

So, this is not because I know security recommendations from our Defender Vulnerability Management, and then we can create tickets and whatever.

This is a list including everything that is related to business email compromise?

TOMER: Correct. We're connecting to every security tool, Microsoft and non-Microsoft.

We're pulling the inventory, we're assessing the security control, and we're building recommendations.

We're mapping those two metrics, and we're mapping those to the objective.

Actually, what we did, we took a lot of insights that we got from Microsoft Secure Score customers, when they go into Microsoft Secure Score, they get a list of things they need to do.

One of their challenges was to say, why do we need to do it?

It was hard for them to attach it to a threat.

What we did, we actually turned it around.

Instead of starting with the recommendation, you start with your objective.

If your objective is to reduce your exposure from business email compromise threats, what you need to do is improve these metrics.

How do you improve these metrics?

Do these recommendations.

It's easier to explain why you need to do this, it's easier to get the buy-in on what to do, and it's easier to go and communicate to your leadership team and your operations team what they need to do in order to improve it.

All in all, this is a great tool that a lot of our customers adopted in order to improve their threat exposure management.

HEIKE: You just mentioned Secure Score. I almost forgot about it. I realized, I remember when I was thinking about this episode, I need to ask, but you just explained the difference.

So it still exists, people can still go there, but you turn it around into a more proactive...

TOMER: Correct. HEIKE: Yeah.

TOMER: Correct. Microsoft Secure Score, it still lives here.

Eventually, it'll become its own initiative.

By definition, Secure Score is an initiative that contains a lot of different worlds.

What we did, we broke it and we also added a lot of threat initiatives.

This is something new that we launched a few months ago, and the idea is that our research team is following a lot of threat actors and a lot of security tools. When the million-dollar question is asked from the leadership, "How are we protected against Circle Typhoon" [because they saw it everywhere].

A lot of teams start to struggle, pulling all that information.

We already have that for you.

You can actually go inside and understand exactly, "Oh, I have MD and MDI and MDC and MDO?"

These are the things, the more tools that you have, the more controls we assess, the more recommendations, they will see here based on the posture of your tools or based on the exposure of your assets.

So you can actually see these are what you need to do.

In this case, we can see that we're not very good against this actor, and these are the things that you need to do right now in order to improve your posture and increase your score.

In the future, we're going to add the ability to assign an owner and create a subscope.

You can also set a target, and this is becoming a great tool not just for reporting but to track, monitor, govern, and, of course, gamify threat exposure across the organization.

So, you can actually scope it just to a set of assets, assign an owner [John], give it a target (John, your target is to reach 70, here's the set of recommendations and assets, go).

And then, they can come over time, see over time analysis of how they're doing, report it to leadership, see when things break.

One thing I didn't show you is our ability to track history.

So for example, let's say I want to report on my endpoint security program.

I can go and immediately see that I'm improving over time.

HEIKE: Wow. TOMER: And I can actually, because everything is built on top of the graph and we have the state of the assets being monitored continuously, you can actually see the history.

I went over the weekend, it was 75, it dropped to 86. Why?

You can actually go and investigate each one of those drops and understand which metric dropped.

And eventually, I can see exactly which asset changed the state that reduced that metric that eventually dropped that initiative.

So you can go and debug it and of course go find the owner, understand exactly what was added, what was removed, investigate the assets, get all the context from everywhere and complete the end-to-end loop of discover, prioritize, and remediate within the same place.

HEIKE: Wow.

I see all the CISOs now requesting access to the portal and wanting to understand the exposure.

Is this basically also the place where they would go, or would they get a report sent by someone?

Like, what are our customers doing?

TOMER: Yeah, so it really depends.

We have, you know, eventually there's many types of CISOs.

There's the more the executive ones, the more high-level ones, the more technical ones.

Many of the CISOs that we're talking to are actually using these tools day to day because they need to go down to the asset level, understand exactly their problem.

"Hey, I approved this baseline.

Why don't I see it reflected on this asset?"

They get to that level.

The more, I would say, higher level, more kind of a strategic CISO that we're meeting wants more a single number.

This is why a lot of customers really like Secure Score.

It's one number that explains what's going on.

But if you really want the details, if you really want to go to the asset level, this is where you need kind of the Exposure Management.

So the answer is, we're working on both.

CISO solutions--we're working both on, you know, a practitioner solution and a manager solution and eventually exposure management.

It's a question that I've been asked a lot: Where's the persona for exposure management?

And the answer is... HEIKE: It's big.

[both chuckling] TOMER: And the answer is, pretty much everyone in the security team will find value with Exposure Management, the practitioner of each one of the silos, I would say, the high-level architect, they need to look across.

And one of kind of, I would say one of the predictions I had hopefully will manifest in the next couple of years is similar to how XDR formed.

I would say, the SecOp, it's a persona.

It doesn't care whether the alert came from a device, identity email, and so on.

They need to investigate and respond to it.

The same thing will happen in posture.

And today, the posture team is siloed, there's the client team, the server team, the cloud team, the identity team, the OT team, over time, just like posture is consolidated, the team structure will be consolidated and maybe one day we'll see the rise of risk ops, right?

HEIKE: Yeah.

TOMER: The persona that is looking at risk holistically, they don't care whether it's coming from device or cloud.

Their job is to reduce the risk so they won't get breached.

And I think this is kind of the maturity curve that we're seeing, Attack Path Analysis will help us get there because eventually it stitches multiple domains, clouds, and endpoints, and SaaS together, and it forces us to mobilize different teams from different groups, and eventually that inefficiency of those silos will have to kind of evolve into a unified team.

But, wishful thinking.

We'll see where the industry will lead.

And we're super excited to lead the way with how exposure management should be.

HEIKE: Yeah, but we are back to processes and how customers are using the tools, right?

So, even in the XDR world, we still have customers where they have an endpoint team and an email team and a whatever team, and they're handing alerts from one person to another, and they're still trying to adopt the XDR value of the product.

Tomer, I think there was a lot.

I know we could go on and on and on, but maybe you come back and we talk about something specific in Defender...

Defender. I always say Defender in Exposure Management.

And maybe it'll be called Defender one day.

You know? We never know.

TOMER: Who knows? Who knows? HEIKE: Who knows?

So Tomer, thank you so much for being my expert on today's episode.

And yes, good luck with adding more features and more functionalities and for especially for GA-ing your product.

TOMER: Thank you. Thank you for having me, and I hope everyone will find this capability that we launched useful and that the proactiveness and mindset will start to evolve.

Looking forward to releasing more new capabilities.

Thank you. HEIKE: Yes.

And everybody can just use the public preview.

So go ahead, check it out, and there's feedback buttons all over the place: Use them.

TOMER: Oh yeah, oh yeah, do send feedback.

We have buttons everywhere, requesting new connectors, new initiative, new metrics, issues with reporting inaccuracy.

The feedback matters, and the fact that we have a lot of customers allows us to have a lot of crowd wisdom.

We use that. Thank you.

[both chuckling] HEIKE: And thanks, everyone out there, for watching, and I hope I see you all soon. Bye.

[Show theme music]