Microsoft is the latest big name to add continuous threat exposure management (CTEM) to its formidable security portfolio with the release of its new Microsoft Security Exposure Management offering. Microsoft made the announcement at its annual Microsoft Ignite conference this week.
Security experts describe CTEM, or proactive exposure management, as a programmatic and unified approach to detecting and mitigating threats. Gartner predicts that by 2026, organizations that embrace CTEM will see two-thirds fewer breaches.
Enterprise Strategy Group principal analyst Tyler Shields describes exposure management as the next iteration of vulnerability management.
"It's centered on the overlap of continuous asset discovery and management, threat and exposure analysis, and vulnerability discovery," Shields says. "If you can understand the assets you have, the state they are in, the vulnerabilities that exist, and the active threats against them, you are all prepared to secure your environment."
Microsoft initially introduced Security Exposure Management in March as a technical preview. It is now available in the Microsoft Defender portal, included with its E5 licenses, and as an option for various other Microsoft 365 licenses.
Unified Views of Attack Surfaces
With its entry, Microsoft seeks to enable defenders to prevent successful attacks by providing comprehensive and unified views of their organizations' broad attack surfaces, allowing them to take a more proactive approach to identifying and mitigating threats.
"Exposure management is critical for enabling teams to understand the posture of the organization, and it helps security teams see all the potential attack paths to critical assets as if they were looking through it, through the eyes of the attacker," said Vasu Jakkal, Microsoft's corporate VP for compliance and identity management, during the opening session at Ignite, which took place in Chicago.
The tooling is designed to identify attack paths and evaluate vulnerabilities in the context of an organization's critical assets, in a more proactive and expansive manner than traditional vulnerability and threat detection offerings. To do so, Security Exposure Management relies on Microsoft's new exposure graph APIs, which model assets and the relationships between them.
Analysts say Microsoft's entry is poised to reshape the competitive environment of exposure management solutions offered by Cisco/Splunk, CrowdStrike, Palo Alto Networks, Rapid7, Tenable, Trend Micro, and Wiz, as well as various others that provide more specialized capabilities.
"Exposure management is becoming an incredibly competitive market, and Microsoft is demonstrating that it wants to be a leader in this space," says Omdia principal analyst Andrew Braunberg.
Forrester senior analyst Erik Nost adds that because Microsoft is initially making exposure management available through a variety of licensing options, customers will have widespread access to its insights.
"The data Microsoft possesses on existing customer environments without needing to ingest third-party data is the biggest opportunity for Microsoft to set it apart from competitors," Nost says. "Microsoft is building a platform that integrates a very broad set of security posture management telemetry."
Building an Ecosystem of External Connections
While the initial release is available and included with various Microsoft 365 and Microsoft Defender licenses and will ingest telemetry from those offerings, Microsoft announced it will enable integration with competing external third-party tools, including Qualys, Rapid7, Tenable, and ServiceNow's CMDB.
Microsoft released public preview versions of its third-party connectors, slated to become generally available next quarter.
Customers can ingest Microsoft's own telemetry at no additional cost, but they will incur charges to gather data from external sources, said Microsoft product director Brjann Brekkan during a session on security exposure management at Ignite.
"We don't own that data," Brekkan explained. "We need to charge a little bit of cost to bring that third-party signal in, to attach those new data points from those services as well. But this is there for you to unify your data."
Security Exposure Management collects data through these connectors and normalizes it through its exposure graph, which maps relationships and exposes new attack paths. In a blog post, Brekkan said this provides "comprehensive attack surface visibility."
Microsoft exposure management also provides insights on the most critical assets, Internet exposure, and business-application context incorporated from the connected tools. Customers can view the integrated data, visualize it through the Attack Map tool, or analyze it with advanced hunting queries written in KQL (Kusto Query Language), Microsoft's Azure-based query language for searching large data sets for anomalies.
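As an added illustration of what hunting over the exposure graph looks like (this is not a query from the article or from Microsoft's documentation), the following KQL query walks the graph from Internet-exposed nodes to assets tagged as critical and ranks the targets by shortest path. It assumes the Defender advanced hunting tables ExposureGraphNodes and ExposureGraphEdges, and the NodeProperties field paths used in the comments are assumptions that should be checked against the schema in your tenant.

```kql
// Added example, not from the article: find multi-hop exposure paths that start at an
// Internet-exposed node and end at a critical asset, then rank targets for remediation.
// Assumed tables: ExposureGraphEdges (SourceNodeId -> TargetNodeId) and ExposureGraphNodes (NodeId).
ExposureGraphEdges
| make-graph SourceNodeId --> TargetNodeId with ExposureGraphNodes on NodeId
// Paths of one to three relationships (e.g. "contains", "can authenticate to", "has permissions to").
| graph-match (entry)-[path*1..3]->(target)
    // Entry point: a node the graph marks as reachable from the Internet (assumed property path).
    where tobool(entry.NodeProperties.rawData.exposedToInternet) == true
      // Destination: an asset with a criticality tag; lower level = more critical (assumed property path).
      and isnotnull(target.NodeProperties.rawData.criticalityLevel)
      and toint(target.NodeProperties.rawData.criticalityLevel.criticalityLevel) <= 1
    project EntryNode     = entry.NodeName,
            EntryType     = entry.NodeLabel,
            Hops          = array_length(path),
            Relationships = path.EdgeLabel,   // ordered list of edge labels along the path
            TargetAsset   = target.NodeName,
            TargetType    = target.NodeLabel
| where EntryNode != TargetAsset
// One row per critical asset: how many distinct paths reach it, the shortest one, and sample entry points.
| summarize Paths = count(),
            ShortestPath = min(Hops),
            SampleEntries = make_set(EntryNode, 10),
            SampleRelationships = take_any(Relationships)
    by TargetAsset, TargetType
| order by ShortestPath asc, Paths desc
```

Assets with a short path and many distinct entry points are the ones where fixing a single exposed node or over-broad permission removes the most attack paths at once.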
The offering now consists of three primary tools:
Attack Surface Management: Defenders have access to continuous views of their organization's attack surface. Notably, the tool identifies the most critical assets and those that are the prime targets of attackers.
Attack Path Analysis: Security teams can visualize and prioritize high-risk attack paths, particularly those targeting critical assets.
Unified Exposure Insights: Administrators can view their organization's threat exposure, allowing them to prioritize risks and tie remediation priorities to business imperatives.
Omdia's Braunberg says it remains to be seen how many customers will build their exposure management strategies around Microsoft's offering, but many are likely to evaluate it, especially considering its potentially low cost.
"As per Microsoft's usual playbook, exposure management is attractive because it pulls together a lot of existing Microsoft functionality into an integrated solution with small incremental costs," he says.