rcegan

A few months with Defender EASM

I've spent the last few months of my free time tinkering with Defender EASM as well as implementing it in a couple of different environments. I've summarised the good and bad points at a high level, and offered my final thoughts on the product as it sits at the end of 2022.

The Good

EASM is still really cool tech, and in the real world (compared with other tools) does an excellent job of discovering additional domains via a combination of keyword searching, IP and IP block discovery, WHOIS lookups, individual contacts (the people registering domains) and more.

The out-of-the-box dashboards are helpful, with quality, high-value insights organised by CVE severity to help prioritise remediation efforts for your security teams. The visualisations themselves are solid, providing some good eye-candy for the exec teams and managers who need to be across these efforts and approve the hefty time/cost associated with a vulnerability management programme.

The inventory provides a fantastic overview of all the assets, with customisable filters to help narrow down your results. While it's early days, this experience could do with an 'export to CSV' button and perhaps a Log Analytics integration for building custom KQL queries (I'll touch on that again shortly). The inventory can be queried through a REST API, which, depending on your workflow, could be massively helpful.
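As an added example (not from the original post), here is the kind of script that fills the 'export to CSV' gap by paging through the inventory REST API and flattening the results. The endpoint path, api-version, the `mark` cursor, the filter syntax and the asset field names are assumptions drawn from the EASM data-plane API; confirm them against the REST reference before relying on them.

```python
import csv
import io
import json
import urllib.parse
import urllib.request

# Assumed data-plane endpoint and API version: confirm against the Defender EASM REST reference.
API_VERSION = "2022-11-01-preview"
CSV_FIELDS = ["kind", "name", "state", "lastSeen"]  # assumed top-level asset keys

def build_assets_url(region, sub_id, resource_group, workspace, asset_filter, mark=None):
    """One inventory query URL; 'mark' is the assumed pagination cursor returned by the service."""
    base = (f"https://{region}.easm.defender.microsoft.com/subscriptions/{sub_id}"
            f"/resourceGroups/{resource_group}/workspaces/{workspace}/assets")
    params = {"api-version": API_VERSION, "filter": asset_filter, "maxpagesize": "100",
              **({"mark": mark} if mark else {})}  # cursor is absent on the first request
    return base + "?" + urllib.parse.urlencode(params)

def fetch_all_pages(make_url, bearer_token):
    """Follow the cursor until a page comes back without one (assumed response key 'mark')."""
    mark, pages = None, []
    while True:
        req = urllib.request.Request(make_url(mark), headers={"Authorization": f"Bearer {bearer_token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        pages.append(page)
        mark = page.get("mark")
        if not mark:
            return pages

def pages_to_rows(pages, state=None):
    """Flatten asset objects into spreadsheet rows; optionally keep only one inventory state."""
    return [{f: asset.get(f, "") for f in CSV_FIELDS}
            for page in pages for asset in page.get("value", [])  # 'value' is an assumed key
            if state is None or asset.get("state") == state]

def rows_to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

# Constructed sample pages standing in for two API responses so the export runs offline.
SAMPLE_PAGES = [
    {"mark": "p2", "value": [{"kind": "host", "name": "www.example.com", "state": "confirmed", "lastSeen": "2022-12-20"}]},
    {"mark": None, "value": [{"kind": "domain", "name": "example.net", "state": "candidate", "lastSeen": "2022-12-20"}]},
]

if __name__ == "__main__":
    # Live run: pages = fetch_all_pages(lambda m: build_assets_url("eastus", SUB, RG, WS, 'state = "confirmed"', m), TOKEN)
    print(rows_to_csv(pages_to_rows(SAMPLE_PAGES, state="confirmed")))
```

Point the filter at the same expressions you use in the portal's inventory filter bar, and the CSV is ready for the exec-facing pivot tables the dashboards don't let you build yet.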

In classic Microsoft fashion, the documentation is also really solid. For a product that has only been on the block for a short time, the few features that exist are at the very least well documented. Kudos to the dev team as usual here.

The Bad

Going into it though, you need to set your expectations accordingly. EASM is early days - in fact, at the time of writing, the product is only ~two months old. It's also not cheap. Depending on the size of your org and your internet footprint, your costs can balloon astronomically, with no easy way of reducing them beyond deleting the whole solution from your tenant. This is a major issue and has on one occasion prevented a deployment of the product altogether. Luckily, there is a 31-day free trial you can use to get an idea of how much it'll cost before you incur that massive bill.

Assuming cost isn't an issue, say your org has a smaller internet footprint, or it's heavily invested in Azure/M365 already and has a fat wallet, then there are still some pitfalls to be aware of:

  • No dashboard customisation - what you see is what you get.
  • No out-of-the-box Sentinel integration. This means no ability to query or build advanced visualisations using KQL.
  • Very little integration with the rest of Defender.
  • No support for creating remediation tasks in other platforms like Endpoint Manager/Defender for Cloud.

It's safe to say that these features will come eventually, and as we've seen with Sentinel, Microsoft are more than capable of developing and pushing features like these quickly. But, as things stand right now, it's very barebones for what you'll be paying.

Final Thoughts - End of 2022

All of that said, we've got the bones of a great offering from Microsoft that is aiming squarely at the competition. If Microsoft can keep the development speed up like we've seen with Sentinel and other Defender services, by EOY 2023, I'm hopeful that most of the bad is cleared up. At this stage, I couldn't recommend deploying EASM in its current state, nor would I recommend deploying a solution on the hope that it gets better in the future. For folks running Azure and Sentinel, give EASM a pass until the integrations are in place.