As the digital landscape grows increasingly interconnected, defenders face a critical challenge: the data and insights from various security tools are often siloed or, at best, loosely integrated. This fragmented approach makes it difficult to gain a holistic view of threats or assess their potential impact on critical assets. In a world where a single compromised asset can trigger a domino effect across connected resources, thinking in graphs has become essential for defenders. This approach breaks down silos, allowing them to visualise relationships between assets, vulnerabilities, and threats, ultimately enabling proactive risk management and strengthening their stance against attackers.
Traditional vulnerability management is no longer sufficient. While patching every potential weakness might seem like a solution, it’s neither practical nor effective. Instead, modern security strategies must focus on the exposures that are easiest for attackers to exploit, prioritising vulnerabilities that present the greatest risk. This shift marks the evolution of vulnerability management into what we now call exposure management.
Earlier this year, we launched Microsoft Security Exposure Management in public preview, introducing defenders to powerful foundational capabilities for holistic exposure management. Backed by extensive threat research and Microsoftโs vast visibility into security signals, these tools provide coverage for commonly observed attack techniques. Exposure Management includes Attack Surface Management, Attack Path Analysis, and Unified Exposure Insightsโ solutions that offer security teams unmatched visibility and insight into their risk landscape.
Attack path analysis with recommendations for remediating choke point
Attack Surface Management offers a complete, continuous view of an organisationโs attack surface, enabling teams to fully explore assets, uncover interdependencies, and monitor exposure across the entire digital estate. Central to this is the identification of critical assets, which are often prime targets for attackers. By highlighting these key assets, security teams can prioritise their efforts and better understand which areas require the most protection. By giving security teams a clear map of their exposure points, Attack Surface Management empowers a more informed and comprehensive defense strategy.
Attack Path Analysis takes this a step further, guiding teams in visualising and prioritising high-risk attack paths across diverse environments, with a specific focus on critical assets. This capability allows for targeted, effective remediation of vulnerabilities that impact these key assets, helping to significantly reduce exposure and the likelihood of a breach by focusing on the most impactful pathways an attacker might exploit.
Unified Exposure Insights gives decision-makers a clear view of an organisation’s threat exposure, helping security teams address key questions about their posture. Through Security Initiatives, teams focus on priority areas like cloud security and ransomware, supported by actionable metrics to track progress, prioritise risks, and align remediation with business goals for proactive risk management.
“Exposure Management translates vulnerabilities and exposures into more understandable language about risk and actionable initiatives related to our environment, which helps stakeholders and leadership grasp the impact more clearly.”
– Bjorn Pauwelsย ย Cyber Security Architect Atlas Copco
Throughout the public preview, we collaborated closely with customers and industry experts, refining Microsoft Security Exposure Management based on real-world usage and feedback. This partnership revealed that the biggest challenges extended beyond deploying the right tools; they involved enhancing organisational maturity, evolving processes, and fostering a proactive security mindset. These insights drove strategic enhancements to features and user experience, ensuring the solution effectively supports organisations aiming to shift from reactive to proactive threat management.
For example, several organisations created a ‘RiskOps’ role specifically to champion cross-domain threat exposure reduction, breaking down silos and unifying teams around common security goals. Security Operations (SecOps) teams now report significantly streamlined processes by leveraging asset criticality in incident prioritisation, helping them address the most impactful threats faster than previously possible. Likewise, vulnerability management teams are using enhanced attack map and path analysis features to refine patching strategies, focusing more precisely on vulnerabilities most likely to lead to real risks. These examples underscore Exposure Management’s ability to drive practical, measurable improvements across diverse teams, empowering them to stay ahead of evolving threats with a targeted, collaborative approach to risk management.
Exposure Management enables organisations to zero in on their most critical exposures and act quickly. By breaking down silos and connecting security insights across the entire digital estate, organisations gain a holistic view of their risk posture. This comprehensive visibility is crucial for making faster, more informed decisionsโreducing exposure before attackers can exploit it.
We are excited to announce the general availability of Microsoft Security Exposure Management
ย This release includes several new capabilities designed to help you build and enhance a Continuous Threat Exposure Management (CTEM) program, ensuring that you stay ahead of threats by continuously identifying, prioritising, and mitigating risks across your digital landscape. Global rollout started 19 Nov, 2024 so keep an eye out for Exposure Management in your Defender portal, https://security.microsoft.com
Cyber Asset Attack Surface Management
To help you establish a comprehensive, single source of truth for your assets, we are expanding our signal collection beyond Microsoft solutions to include third-party integrations. The new Exposure connectors gallery offers a range of connectors to popular security vendors.
Data Connectors Gallery: Expanding Visibility Beyond Microsoft Solutions
Data collected through these connectors is normalised within our exposure graph, enhancing your device inventory, mapping relationships, and revealing new attack paths for comprehensive attack surface visibility. Additional insights like asset criticality, internet exposure and business application or operational affiliation are incorporated from the connected tools to enrich the context that Exposure Management can apply on the collected assets. This integrated data can be visualised through the Attack Map tool or explored using advanced hunting queries via KQL (Kusto Query Language).
Device Inventory Reflecting Comprehensive Asset Discovery Sources
External data connectors to non-Microsoft security tools are currently in public preview, we are continuously working to add more connectors for leading market solutions, ensuring you have the broadest possible visibility across your security ecosystem. Discover more about data connectors in our documentation.
Extended Attack Path Analysis
Attack Path Analysis provides organisations with a crucial attackerโs-eye perspective, revealing how adversaries might exploit vulnerabilities and move laterally across both cloud and on-premise environments. By identifying and visualising potential paths โ from initial access points, such as internet-exposed devices, to critical assets โ security teams gain valuable insight into the paths attackers could take, including hybrid attack paths that traverse cloud and on-prem infrastructure.
Microsoft Security Exposure Management addresses the challenge of fragmented visibility by offering defenders an integrated view of their most critical assets and the likely routes attackers might exploit. This approach moves beyond isolated vulnerabilities, allowing teams to see their environment as a connected landscape of risks across hybrid infrastructures, ultimately enhancing their ability to secure critical assets and discover potential entry points.
We are excited to update on our solutionโs latest enhancement, which includes a high-level overview experience, offering a clear understanding of top attack scenarios, entry points, and common target types. Additionally, Exposure Management highlights chokepoints with a dedicated experience โ these chokepoints are assets that appear in multiple attack paths, enabling cost-effective mitigation. Chokepoints also support blast radius querying, showing how attackers might exploit these assets to reach critical targets.
The new Blast Radius Analysis feature enables users to understand how chokepoints can lead to critical assets.
In addition, we are adding support for new adversarial techniques including:
- DACL Support: We now include Discretionary Access Control Lists (DACLs) in our attack path analysis, through which more extensive attack paths are uncovered, particularly those that exploit misconfigurations or excessive permissions within access control lists.
- Hybrid Attack Paths: Our expanded analysis now identifies hybrid attack paths, capturing routes that originate on-premises and extend into cloud environments, providing defenders with a more complete view of potential threats across both infrastructures.
An attack path bridging on-premises and cloud environments (cross-domain).
In essence, attack path management allows defenders to transform isolated vulnerabilities into actionable insights across hybrid infrastructures. This comprehensive perspective enables security teams to shift from reactive to proactive defense, strengthening resilience by focusing on the most critical threats across their entire environment.
Unified Exposure Insights
With Microsoft Security Exposure Management, organisations can transform raw technical data into actionable insights that bridge the gap between cybersecurity teams and business decision-makers. By offering clear, real-time metrics, this platform answers key questions such as “How secure are we?”, “What risks do we face?”, and “Where should we focus first to reduce our exposure?” These insights not only provide a comprehensive view of your security posture but also guide prioritisation and remediation efforts.
To help your organisation embrace a proactive security mindset, we introduced Security Initiativesโa strategic framework to focus your teams on critical aspects of your attack surface. These initiatives help teams to scope, discover, prioritise, and validate security findings while ensuring effective communication with stakeholders. Now, we are enhancing these capabilities to offer even greater visibility and control.
The expanded initiative catalog now features new programs targeting high-priority areas like SaaS security, IoT, OT, and alongside existing domain and threat-focused initiatives. Each initiative continues to provide real-time metrics, expert-curated recommendations, and progress tracking, empowering security teams to drive maturity across their security programs. With this expanded toolset, organisations can further align their security efforts with evolving risks, ensuring a continuous, dynamic response to the threat landscape.
- SaaS Security Initiative (Powered by Microsoft Defender for Cloud Apps): Effective SaaS posture management is essential for proactively preventing SaaS-related attacks. The SaaS Security initiative delivers a comprehensive view of your SaaS security coverage, health, configuration, and performance and consolidates all best-practice recommendations for configuring SaaS apps into measurable metrics to help security teams efficiently manage and prioritise critical security controls.
To optimise this initiative, activate key application connectors in Defender for Cloud Apps, including Microsoft 365, Salesforce, ServiceNow, GitHub, Okta, Citrix ShareFile, DocuSign, Dropbox, Google Workspace, NetDocuments, Workplace (preview), Zendesk, Zoom (preview), and Atlassian.ย For more information, check out https://aka.ms/Ignite2024MDA
- OT Security Initiative (Powered by Microsoft Defender for IoT):
The convergence of Operational Technology (OT) and Information Technology (IT) has transformed industries worldwide, but it has also introduced significant new security challenges, particularly for industrial operations and critical infrastructure. The modern threat landscape, now accelerated by the growing capabilities of AI, demands specialised security solutions for these sensitive environments.The OT Security Initiative addresses these challenges by providing practitioners with a comprehensive solution to identify, monitor, and mitigate risks within OT environments, ensuring both operational reliability and safety. By leveraging Microsoft Defender for Endpoint discovery, the initiative offers unified visibility across enterprise and OT networks, empowering organisations to identify unprotected OT assets, assess their risk levels, and implement security measures across all physical sites. - Enterprise IoT Security Initiative (Powered by Microsoft Defender for IoT):
This initiative delivers comprehensive visibility into the risks associated with IoT devices within the enterprise, enabling organisations to assess their resilience against these emerging threats. As IoT devices frequently connect to endpoints, one another, or the internet, they become prime targets for cyberattacks. Therefore, businesses must continuously monitor the security of these devices, tracking their distribution, configuration, connectivity, exposure, and behavior to prevent the introduction of hidden vulnerabilities. By leveraging this initiative, organisations can proactively manage IoT risks and safeguard their digital landscape.
Proactively understand how system updates affect scores
The new versioning feature offers proactive notifications about upcoming version updates, giving users advanced visibility into anticipated metric changes and their impact on related initiatives. A dedicated side panel provides comprehensive details about each update, including the expected release date, release notes, current and updated metric values, and any changes to related initiative scores. Additionally, users can share direct feedback on the updates within the platform, fostering continuous improvement and responsiveness to user needs.
Version update summary shows changes to scores
Exposure History
With the new history-reasoning feature, users can investigate metric changes by reviewing detailed asset exposure updates. In the initiative’s history tab, selecting a specific metric now reveals a list of assets where exposure has been either added or removed, providing clearer insight into exposure shifts over time.
Unified Role-Based Access Control (URBAC) Support
We are excited to introduce the capability to manage user privileges and access to Microsoft Security Exposure Management through custom roles within the Microsoft Defender XDR Unified Role-Based Access Control (URBAC) system. This enhancement ensures higher productivity and efficient access control on a single, centralised platform.
The unified RBAC permissions model offers administrators an alternative to Entra ID directory roles, allowing for more granular permission management and customisation. This model complements Entra ID global roles by enabling administrators to implement access policies based on the principle of least privilege, thereby assigning users only the permissions they need for their daily tasks.
We recommend maintaining three custom roles that align with organisational posture personas:
- Posture Reader: Users with read-only access to Exposure Management data.
- Posture Contributor: Users with read and manage permissions, enabling them to handle security initiatives and metrics, as well as manage posture recommendations.
- Posture Admin: Users who likely already hold higher-level permissions within the Microsoft Defender portal and can now perform sensitive posture-related actions within Exposure Management experiences.
To learn more about the Microsoft XDR Unified RBAC permissions model, click here.
For more information on Microsoft Security Exposure Management access management with unified RBAC, click here.
How to get Microsoft Security Exposure Management
Exposure Management is available in the Microsoft Defender portal at https://security.microsoft.com.
Access to the exposure management blade and features in the Microsoft Defender portal is available with any of the following licenses:
- Microsoft 365 E5 or A5
- Microsoft 365 E3
- Microsoft 365 E3 with the Microsoft Enterprise Mobility + Security E5 add-on
- Microsoft 365 A3 with the Microsoft 365 A5 security add-on
- Microsoft Enterprise Mobility + Security E5 or A5
- Microsoft Defender for Endpoint (Plan 1 and 2)
- Microsoft Defender for Identity
- Microsoft Defender for Cloud Apps
- Microsoft Defender for Office 365 (Plans 1 and 2)
- Microsoft Defender Vulnerability Management
Integration of data from the above tools, as well as other Microsoft security tools like Microsoft Defender for Cloud, Microsoft Defender Cloud Security Posture Management, and Microsoft Defender External Attack Surface Management, is available with these licenses.
Integration of non-Microsoft security tools will incur a consumption-based cost based on the number of assets in the connected security tool. The external connectors are currently in public preview, with plans to reach general availability (GA) by the end of Q1 2025. Pricing will be announced before billing for external connectors begins at GA.