On March 13 at Microsoft Secure 2024, Microsoft pulled back the veil on Copilot for Security. After roughly a year of private previews, we finally got a concrete release date (April 1!) and slightly less concrete pricing details. Copilot for Security brings the benefits of generative AI into the security space, reducing time to detection, improving analysis results, and generally making life easier for over-burdened security pros.
In the keynote, Microsoft excitedly shared statistics around substantial improvements for junior security analysts, and slightly more modest improvements for seasoned pros. But the biggest stat on the board was that 97% of those who used Copilot for Security wanted to use it again. That’s substantial, and it wasn’t impacted by experience.
Copilot for Security advances the multi-year improvement in unified incident response in the Microsoft Defender XDR stack, bringing insights from Defender, Purview, Intune, Entra, and other solutions into a single view, with embedded capabilities in each of those point solutions, and more features on the way.
And when I say ‘multi-year’, I mean since 2018, when Microsoft first started reducing the number of screens necessary to handle a security incident. Back in those days, my Security CIE devices had to be configured to launch about 12 dashboards in Internet Explorer just to cover the basics of an attack kill-chain. Now I have 4 that I routinely cover, and you’ve already seen their names in the previous paragraph. That’s huge, and KQL queries in the main Defender dashboard can touch all of it. But while it’s amazing, I’ve tried for years to learn KQL—even attended Microsoft-hosted multi-day training events for it—with no success. Gimme back my DOS & VBScript and get off my lawn!
That may not stop me from chasing security incidents—the new attack story view in Defender XDR is amazing—but it certainly doesn’t help me find information quickly. Microsoft has added KQL query builders to ease that burden, but I still have to know what I’m looking for. Copilot for Security is designed to fill that gap, and it can be exposed to a partner through Lighthouse without any additional licensing, which was the long-missing piece of the Copilot for Security puzzle.
Pricing was a little murky until general availability, with pre-release published data stating that capacity was ‘anticipated to be billed monthly via a new Security Compute Unit (SCU) at the rate of $4/hr.’ Notably, that capacity resource resides in Azure—not Microsoft 365. Pricing is the same whether customers opt for the standalone (all-encompassing) or embedded (workload-specific) versions.
SCUs are pay-as-you-go Azure resources and are not tied to user-based licensing. Early reports suggest that the capacity must be deleted to stop the billing cycle, and Microsoft has published multiple methods for deleting these Azure resources.
The range of solutions covered by both the standalone and embedded versions includes a host of Microsoft security products: Sentinel, Defender XDR, Intune, Entra, Purview, and, excitingly, both of the RiskIQ acquisitions, Defender Threat Intelligence and Defender External Attack Surface Management. The latter has been one of my favorite growth spaces for monitoring & reporting.
And speaking of external attack surfaces…
While the whole first half of MS Secure may have been a product launch party for Copilot for Security, it was also a quiet public preview launch for Microsoft’s newest addition to the Defender XDR experience: Exposure Management.
I caught a glimpse of it during the keynote and immediately jumped into a demo tenant and was absolutely flabbergasted at the amount of new data available.
The first thing to note is that the venerable Secure Score posture management tool has been moved into this blade. That’s telling, especially when you consider that it’s been moved OUT OF the incidents, hunting, and actions area. Posture and Exposure are now a holistic conversation in the Defender XDR experience.
So before we dig into it, what exactly is Exposure Management, and why does it matter…now? The blue call-out on the Defender page helpfully explains that it allows you to “centrally assess and manage exposure risk. Discover and monitor assets, get rich security insights, investigate specific risk areas with security initiatives, and track metrics across the organization to improve security posture.” OK, that’s great, but why now? For that we have to turn to Gartner, who published an article in August 2023 introducing the concept of continuous threat exposure management (CTEM).
The article’s teaser image looks a lot like the familiar NIST Cybersecurity Framework functions wheel of “Identify, Protect, Detect, Respond, Recover” (CSF 2.0, released in February 2024, adds a sixth function, Govern). I don’t think that’s an accident at all, but where NIST defines those functions as “the highest level of abstraction”, Gartner’s CTEM wheel is much more specifically about identifying and managing risk.
And really, nothing in the article is revolutionary; rather, it codifies processes that should be followed to drive continuous improvement and avoid incidents in the first place.
The first section, “Scoping”, states that traditional vulnerability management isn’t sufficient in a highly-distributed, SaaS-dependent world. We’ve done a great job understanding risks to endpoints, but what about cloud apps and social media accounts? The idea, then, is to move beyond device protections and take a more holistic approach to the organization’s digital footprint.
Discovery, then, builds on scoping, by creating processes for discovering new assets and the risks associated with them. Bringing a new app online? Migrating to a new service? Even the venerable ‘patch Tuesday’ cycle represents opportunities to discover and inventory new risk.
Once discovered and inventoried, though, we must then Prioritize. This is probably the single biggest area where I would encourage organizations to focus, even if they do not implement a full-blown CTEM program. Prioritize threats by the risk they pose to your business and the likelihood of their exploitation. There are a lot of factors involved in prioritization, but I’ve seen many security-minded organizations lose valuable time, and lose focus on over-arching goals, by chasing 0-day vulnerabilities. Prioritization will help you quickly classify how much effort to spend on mitigating a 0-day, and that classification may depend on a little overlap with #4:
Validate. You’ve decided to divert staff hours to chase a 0-day because it meets the right priority scores. Great—solid choice. Now…how possible is it really in your environment? How quickly could you respond to a real attack? What would the blast radius be? Is it still at the top of your to-do list after you answer those questions, or is it something that can be addressed through an existing control?
Mobilize: put those plans into action, through the careful balance of people, processes, and technology (my favorite triumvirate that gets trotted out during every compliance discussion ever!).
And just like the NIST framework wheel, it’s an on-going process.
To be clear, Gartner did not invent the idea. In February 2023, RVAtech held their inaugural CyberConVA conference in Richmond, VA. One of the CISOs who presented at that event talked at great length about implementing exactly such a program for a very large public company, and older BlueCon keynote videos discuss similar concepts. But those prior references lacked a cohesive name and structure. CTEM, as a process, is therefore simply a codification of existing art converging into the security product portfolio. And now it has a home in the Defender portal!
Exposure Management in Defender is a preview product that is not alone in the CTEM space. Other 3rd-party solutions exist with published pricing structures, and we can draw on some of those pricing models to get a sense of what this might cost and how it might be licensed. It is interesting to note, though, that it doesn’t appear to rely on any new tooling: all the data in my Exposure Management dashboard is being provided from existing connections in my Defender XDR, Purview, and Microsoft 365 environment. And because all of that tooling is internal and native to my connected M365 experience, I don’t have to extend my attack surface to an external app to learn about my attack surface.
Beyond the Overview page, which surfaces top elements of the constituent components that we’ll cover next, Exposure Management is broken down into 3 major pillars, which the rest of this section walks through.
There’s also a 4th blade for Data connectors that will support future growth with 3rd-party integrations, but there’s very little there as of right now.
The first section, Attack surface, comprises a searchable map and attack paths. The map starts by showing your domain name, along with a count of devices, identities, and apps. But you can search for anything and find relationships to explore, like the fact that Carl has used 2 devices, one of which has a high/critical vulnerability, and he is in 20 groups in Entra. Clicking on any entity in the map will surface details that can then be investigated in greater depth by clicking ‘See more details’. In the case of the affected machine, that brings up Defender for Endpoint overview data and a direct link to the device page in that workload.
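The relationship the map surfaces for Carl (a user, the devices they have signed in to, and the High/Critical vulnerabilities open on those devices) can also be pulled straight out of Advanced Hunting in the Defender portal. The query below is an added example for this write-up, not something from the original post or from Microsoft’s documentation. It assumes the account name is “carl”, that the devices are onboarded to Defender for Endpoint (so they appear in DeviceLogonEvents), and that Defender Vulnerability Management data is flowing into DeviceTvmSoftwareVulnerabilities; group membership is not exposed in these tables, so the “20 groups” part of the map has no equivalent here.

```kql
// Added example, not from the original post.
// Devices a given user has successfully signed in to over the lookback window,
// joined to the open High/Critical CVEs on each of those devices.
// Assumptions: account name "carl"; devices onboarded to Defender for Endpoint;
// Defender Vulnerability Management populating DeviceTvmSoftwareVulnerabilities.
let targetUser = "carl";
let lookback = 30d;
let userDevices =
    DeviceLogonEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "LogonSuccess"
    | where AccountName =~ targetUser
    // Interactive and RDP sessions only; drop noisy Network/Service logons
    | where LogonType in ("Interactive", "RemoteInteractive")
    | summarize LastLogon = max(Timestamp) by DeviceId, DeviceName;
let severeCves =
    DeviceTvmSoftwareVulnerabilities
    | where VulnerabilitySeverityLevel in ("High", "Critical")
    | summarize
        CveCount = dcount(CveId),
        CriticalCount = dcountif(CveId, VulnerabilitySeverityLevel == "Critical"),
        Cves = make_set(CveId, 25),
        Software = make_set(strcat(SoftwareName, " ", SoftwareVersion), 10)
      by DeviceId;
userDevices
// leftouter keeps devices with no severe CVEs so the full device list is visible
| join kind=leftouter severeCves on DeviceId
| extend CveCount = coalesce(CveCount, 0), CriticalCount = coalesce(CriticalCount, 0)
| project DeviceName, LastLogon, CriticalCount, CveCount, Cves, Software
| order by CriticalCount desc, CveCount desc
```

Run it from Hunting > Advanced hunting in the Defender portal. The leftouter join is deliberate: a device Carl used that has no High/Critical findings still appears with zero counts, which is what you want when the question is “what did this identity touch”, not “which devices are vulnerable”.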
The ‘Attack paths’ page requires defining critical assets and then a bit of patience.
‘Attack surface’ may sound very familiar to those who’ve seen or used Defender External Attack Surface Management (EASM), which is Microsoft’s Azure-based solution for monitoring your exposed digital footprint. EASM uses internet-based listeners to collect data about your publicly-exposed endpoints, websites, certificates, etc., to provide recommendations on how to improve your public-facing attack surface. EASM is aligned to OWASP recommendations and is great at phases 1, 2, and 3 (Scoping, Discovery, Prioritization) of the Gartner CTEM process. It does not actively probe your public resources, though, and therefore cannot perform validation, and it is not an active remediation tool.
Exposure Management in Defender (still waiting for a cool Defender name for it), however, is built on Defender XDR, and therefore does benefit from Defender XDR’s remediation capabilities. It also benefits from the presence of Copilot for Security’s discovery and validation capabilities. It also (also) benefits from asset classification in Defender, allowing you to define critical assets by device, identity, or app, and it uses that information to help with discovery and prioritization.
Attack surface reduction is also common parlance in Intune, Defender Vulnerability Management, and Secure Score, and indeed the contents of the Recommendations page come directly from those integrations, and reference back to specific tasks to be completed in Intune.
Digging into the specific layout and nomenclature, note that while Secure Score marks recommendations in terms of “completion”, Exposure Management uses “compliance” verbiage. That’s really interesting, and we’ll talk about why when we get to initiatives! Also note the call-out that Defender CSPM (Defender for Cloud’s step-up SKU) is required for full visibility.
But within the recommendation fly-out for blocking executables we get a lot of information about the severity of the exposure, what workload surfaces and manages the control(s), how many initiatives and metrics will be impacted by change (very similar to Compliance Manager!), and information on remediation steps. Again, all of this data comes directly from Secure Score, so the interface will be extremely familiar.
And I can take this recommendation and share it directly in email or Teams, to either a person, a group, or a channel.
These recommendations may exist and be served up from Secure Score, but in Exposure Management they are organized under Initiatives, for which there are currently 13 selectable examples (though you can suggest more).
Initiatives are roughly aligned to security frameworks and mitigations of specific threats. This is also fascinating because some of this, like CIS Benchmarks for M365, has previously only been licensed and managed thru Compliance Manager in the Purview portal. That always seemed an odd fit, since Compliance Manager is otherwise generally aligned to regulatory frameworks, and CIS is a best-practices guide.
Picking the Zero Trust (Foundational) initiative, we get an overview of the purpose, top metrics, history, and the ability to set a target score. Note that metrics are tracked by both their current value and the number of recommendations they contain.
Moving to the Security Metrics tab shows all metrics that relate to this initiative. Metrics contain one or more recommendations, so this becomes an interstitial layer between initiatives and recommendations, but one that allows independent weighting of score impact by grouping specific recommendations together.
We can dig into any metric, adjust its value, see the state and impact of associated recommendations, and get reporting on affected items—should they exist.
There is a lot of information that is gathered into Exposure Management. Its organization may be novel, and the interface may be in preview, but it isn’t technically new, and it should help any organization that is interested in adopting CTEM move down that path without having to invest in 3rd party products or extend their identity plane.
At the time of this writing, all of the dashboards and interfaces in Exposure Management are in preview and free to use. That price may not survive the transition to general availability, so let’s look at some of the factors that may play a part in determining a commercial pricing structure.
First and foremost: the competition. As mentioned, other solutions exist to help manage your CTEM journey. A cursory search found just a handful with public pricing pages, and prices seemed to range from under $1000/month to $3000/month, depending on options. Notably, however, most of what I was able to find was licensed per monitored environment, rather than per admin.
Interestingly, among the competition I have to include Microsoft Purview Compliance Manager, since that’s where the current CIS Benchmarks for M365 and NIST SP 800-207 Zero Trust Architecture assessments reside today, as premium templates priced at $2500/month.
However, we also have to reference back to that callout that CSPM is required for full visibility. And indeed, the attack paths page, before assets are identified and listed, suggests deploying more Defender suite products, and includes direct links to Defender for Endpoint, Identity, Vulnerability Management, and Cloud. With those tools as dependencies, we might expect a lower price-point for this product, since the bar to entry is already fairly high with other Microsoft licensing. If we do get a lower price-point, it will become an enticing proposition to move from managing CIS & Zero Trust in premium Compliance Manager templates to Exposure Management.
The final piece of evidence for potential pricing is the fact that Secure Score has been moved into this new blade. When Microsoft released Secure Score, they did so with the promise that it would always be free. It would certainly be exciting to see all of Exposure Management added to the existing Defender XDR solution as a free extension to organizational security postures!
I’ve mentioned several times that Microsoft’s CTEM solution draws its data from other products in the Defender portfolio, and how there is similarity with the capabilities of Defender EASM. Whereas EASM uses internet listeners to detect public-facing devices, Exposure Management sees the devices that Defender for Endpoint has already identified and onboarded. I would expect a significant overlap between those lists, and that might encourage some to look past EASM, but I would strongly advise considering Defender EASM as part of your overall CTEM solution because of its certificate and cryptography checks and its ability to detect unknown devices that may not be under management.
After all, the point of CTEM is to remain proactive in managing your overall attack surface—not just managing assets you already know about. And while devices comprise a significant part of that surface, many orgs are unaware of the risks of expired or broken cryptography, which OWASP tracks as Cryptographic Failures, #2 on the 2021 edition of its Top 10 list of web app security risks.