There are a few Secure Scores across the Microsoft ecosystem that provide a score as a percentage, along with recommendations on how to increase the organisation's cloud security posture and thus the score. In a sense this is a type of gamification to raise security posture, but it can often feel like an unwinnable game, or 'Kobayashi Maru'.
Kobayashi Maru is a training exercise from the Star Trek franchise that was designed for Starfleet cadets as a no-win situation. Captain Kirk famously was the only cadet to defeat the Kobayashi Maru, by changing the rules.
We can’t change the rules of Microsoft’s Security Score, but we can change our thinking about it.
Can we be 100% Secure?
Microsoft Secure Score is a numerical summary of your security posture based on system configurations, user behavior, and other security-related measurements. It isn’t an absolute measurement of how likely your system or data will be breached. Rather, it represents the extent to which you have adopted security controls in your Microsoft environment that can help offset the risk of being breached. No online service is immune from security breaches, and secure score shouldn’t be interpreted as a guarantee against security breach in any manner.
https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score#risk-awareness
Secure Score is not meant to reach 100%, and it is often overlooked that there is a point system behind the percentage.
Security and cloud environments are continuously evolving, and as they do, Microsoft continues to add recommendations to the Secure Scores, each of which has points attached.
At the same time, an organisation is rarely static, with new systems being added, new objects to manage and new attack surfaces being created.
As Microsoft adds recommendations, the total points available goes up, and as Microsoft scans new systems or objects in an environment, points can be added to or subtracted from the organisation's points achieved.
In risk management an organization can decide whether to accept a risk, avoid a risk, mitigate a risk, or transfer a risk, but one must be aware of the risk to start with. Secure Score can assist with that.
These changes help us get an overall picture of an environment, and to be aware of changes both in best practice and in the environment itself.
Are there multiple Secure Scores?
There are multiple Secure Scores within the Microsoft ecosystem which can add a level of confusion.
- Microsoft Secure Score – part of Microsoft 365 Defender
- Microsoft Identity Score – part of Microsoft Entra ID (previously Azure AD) and rolls up into Microsoft Secure Score
- Secure Score – a feature of Microsoft Defender for Cloud
- Microsoft Secure Score for Devices – part of Microsoft Defender Vulnerability Management
- Microsoft Purview Compliance Manager – not a Secure Score per se, but too similar not to mention.
We explore each Secure Score below.
Microsoft Secure Score – Microsoft 365 Defender
https://security.microsoft.com/securescore
Microsoft Secure Score is a component of Microsoft 365 Defender that assists with tracking and improving an organisation's security posture.
Secure Score is calculated based on points awarded for the following actions:
- Configuring recommended security features
- Doing security-related tasks
- Addressing the recommended action with a third-party application or software, or an alternate mitigation
Microsoft Secure Score – Included Products
Microsoft Secure Score doesn’t just cover Microsoft products and applications. Currently there are recommendations for the following products:
- App governance
- Microsoft Entra ID
- Citrix ShareFile
- Microsoft Defender for Endpoint
- Microsoft Defender for Identity
- Microsoft Defender for Office
- DocuSign
- Exchange Online
- GitHub
- Microsoft Defender for Cloud Apps
- Microsoft Information Protection
- Microsoft Teams
- Okta
- Salesforce
- ServiceNow
- SharePoint Online
- Zoom
Microsoft Secure Score – Overview Page
Opening Microsoft Secure Score you come to the Overview tab. On the Overview tab you can see the Secure Score percentage and the breakdown between the categories of Identity, Data, Devices (if applicable) and Apps. The Overview page also shows the top Actions to Review and the most recent History.
Above the Secure Score you can decide which graphs you wish to show on the overview page.
Hovering over a particular category shows the points achieved and the total points available for that category.
Another area of the Secure Score Overview page that is interesting and often overlooked is the comparison. This compares your score with that of organisations of a similar size.
There is also a filter button at the top right of the page that allows one to home in on particular categories.
Microsoft Secure Score – Recommended Actions
Clicking through to Recommended Actions (or clicking 'View All' under Actions to Review on the Overview page) takes you to the full list of recommended actions. Filtering from the Recommended Actions page is greatly enhanced, with the ability to filter by Status, Regression status (has it decreased in score in the last 90 days), Licencing and Products. It's important to note that if you applied a filter on the Overview page, this filter is maintained when going to the Recommended Actions page, and one has to navigate back to Overview to clear it.
Recommended Action – Details Blade
Selecting a recommendation from the Recommended actions page brings up a blade that shows information regarding that specific recommendation.
At the top of the Recommended Action Details blade there are arrows to ease navigation through the list.
Depending on the type of recommendation, the blade will show 'Edit Status & Actions Plan' or 'Go to threat and vulnerability management to take action', and 'Manage Tags'.
Clicking 'Status and action plan', you have the option to change the status of the action from the default of 'To address'.
The options are as follows:
- Planned would indicate that there is a plan in place to complete the improvement.
- Risk accepted indicates that this particular security control is not suitable for your environment. There is no improvement to the Secure Score, but the accepted risk will no longer appear on the list of improvements. One can change this status at any time.
- Resolved through third party or Resolved through alternate mitigation can be used if the improvement has been addressed using an internal or third-party tool, and the points will be added to your Secure Score. If a recommendation is resolved through either of these means, Microsoft will have no visibility into the completeness of the improvement or any changes related to it.
You will be required to add a note when accepting risk or when alternate remediation methods are used.
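The point system behind the percentage (discussed above under 'Can we be 100% Secure?') and the effect of the status options just listed are easiest to see when replayed in a small model. The following Python script is an added example, not Microsoft's scoring code: the recommendation names and point values are constructed for illustration, and the model assumes (as this post describes) that resolved actions earn their full points, that risk-accepted actions earn nothing but drop off the improvement list, that a note is mandatory for risk acceptance and alternate remediation, and, as a further assumption, that a per-object action earns points in proportion to the fraction of objects it is enabled on.

```python
"""Constructed model of how a Secure Score percentage moves over time.

Point values and recommendation names are illustrative, not Microsoft's actual
weights. The model follows the behaviour described in the post: resolved
actions earn full points, risk-accepted actions earn nothing but leave the
improvement list, and a note is required for risk acceptance or alternate
remediation. Proportional credit for per-object actions is an assumption.
"""
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    TO_ADDRESS = "To address"
    PLANNED = "Planned"
    RISK_ACCEPTED = "Risk accepted"
    COMPLETED = "Completed"
    THIRD_PARTY = "Resolved through third party"
    ALTERNATE = "Resolved through alternate mitigation"


# Statuses that earn the action's full points.
RESOLVED = {Status.COMPLETED, Status.THIRD_PARTY, Status.ALTERNATE}
# Statuses for which the portal insists on a note explaining the decision.
NOTE_REQUIRED = {Status.RISK_ACCEPTED, Status.THIRD_PARTY, Status.ALTERNATE}


@dataclass
class Recommendation:
    name: str
    category: str                       # Identity, Data, Devices or Apps
    max_points: float
    status: Status = Status.TO_ADDRESS
    implemented_fraction: float = 0.0   # per-object actions: share of objects covered (assumed model)
    note: str = ""

    def achieved(self) -> float:
        if self.status in RESOLVED:
            return float(self.max_points)
        if self.status == Status.RISK_ACCEPTED:
            return 0.0
        # Partial credit for an action that is enabled for some objects only.
        return self.max_points * self.implemented_fraction


def set_status(rec: Recommendation, status: Status, note: str = "") -> None:
    """Change an action's status, enforcing the note requirement."""
    if status in NOTE_REQUIRED and not note.strip():
        raise ValueError(f"A note is required when setting '{status.value}'")
    rec.status = status
    rec.note = note


def score(recs):
    """Return (points achieved, points available, percentage rounded to 0.1)."""
    total = float(sum(r.max_points for r in recs))
    achieved = sum(r.achieved() for r in recs)
    pct = round(100.0 * achieved / total, 1) if total else 0.0
    return achieved, total, pct


def by_category(recs):
    """Points achieved and available per category, as shown when hovering a category."""
    out = {}
    for r in recs:
        got, avail = out.get(r.category, (0.0, 0.0))
        out[r.category] = (got + r.achieved(), avail + float(r.max_points))
    return out


def open_actions(recs):
    """Actions still on the improvement list: risk-accepted and resolved ones drop off."""
    return [r.name for r in recs if r.status in (Status.TO_ADDRESS, Status.PLANNED)]


def walkthrough():
    """Replay the scenario from the post: the denominator grows, then statuses change."""
    recs = [
        Recommendation("Require MFA for administrative roles", "Identity", 10, Status.COMPLETED),
        Recommendation("Enable MFA for all users", "Identity", 8, implemented_fraction=0.5),
        Recommendation("Turn on Safe Attachments", "Apps", 6),
    ]
    steps = {"baseline": score(recs)}

    # Microsoft publishes a new recommendation: available points rise and the
    # percentage falls, although nothing in the environment got worse.
    recs.append(Recommendation("Turn on Safe Links for Office apps", "Apps", 6))
    steps["new recommendation added"] = score(recs)

    # Accepting a risk changes nothing in the score but removes the item from the list.
    set_status(recs[2], Status.RISK_ACCEPTED, "Not applicable: inbound mail is filtered upstream")
    steps["risk accepted"] = score(recs)
    steps["open after risk accepted"] = open_actions(recs)

    # Resolving through a third-party tool does award the points.
    set_status(recs[3], Status.THIRD_PARTY, "URL rewriting enforced by the mail gateway")
    steps["resolved through third party"] = score(recs)
    steps["by category"] = by_category(recs)
    return steps


if __name__ == "__main__":
    for label, value in walkthrough().items():
        print(f"{label}: {value}")
```

Running the walkthrough shows the point the post makes: the percentage drops from 58.3% to 46.7% purely because a new recommendation was published, stays unchanged when a risk is accepted (the item simply leaves the list), and rises to 66.7% once an action is marked as resolved through a third party, which is why tracking the underlying points matters more than the headline percentage.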
‘Go to threat and vulnerability management to take action’ will take you to Defender Vulnerability Management as discussed in more detail below.
Recommended Actions – General Tab
The General tab describes the product affected, the category and the history, but most importantly the action that can be taken. If the action isn't applied globally but turned on per object, it will show an implementation status.
Recommended Actions – Exposed entities Tab
If the action is based upon devices, there will be an Exposed entities tab that lists the entities.
Recommended Actions – Implementation Tab
The Implementation tab provides detailed information about how to implement the action. The information varies from action to action, with prerequisites, next steps, links to the portal, code samples and links to Microsoft Learn documentation.
Recommended Actions – History Tab
The History tab shows a graph of the recommendation over time. Changes can occur because settings have changed in the environment: perhaps devices have been added that have issues requiring attention, or conversely remediation has taken place and there are improvements to show.
Recommended Actions – Details Blade Footer
At the bottom of the Recommended Action blade is a Manage button. The nature of this button varies depending on the product the action relates to, but it will redirect you to the appropriate location to start remediation. Next to the Manage button is a Share button that makes communicating the recommended action to other team members easier.
Microsoft Secure Score – History
The Microsoft Secure Score History tab shows the Secure Score over time, giving a visual representation of when the score changed and why.
This page has many filtering options, and it is especially worth noting that it can be filtered by Date Range and by Update Type.
Microsoft Secure Score – Metrics and Trends
The Metrics and Trends tab shows Secure Score trends over time: in particular, comparison with other comparable organisations, regressions and risk acceptance levels.
You can also add Score Zones that you define for your organisation from this blade.
Microsoft Secure Score – Permissions
Until recently, one drawback of Secure Score was that it required quite privileged permissions.
Read and Write
- Global administrator
- Security administrator
- Exchange administrator
- SharePoint administrator
Read-only
- Helpdesk
- User administrator
- Service support administrator
- Security reader
- Security operator
- Global reader
This has changed recently with the implementation of Microsoft 365 Defender Unified role-based access control (RBAC). With Unified RBAC, you can now create custom roles to control which users have access to Secure Score data, the products for which they will see Secure Score data, and their permission level to that data, without requiring full admin-level permissions.
More information about implementing Microsoft 365 Defender Unified role-based access control (RBAC) can be found here: https://learn.microsoft.com/en-us/microsoft-365/security/defender/manage-rbac
For licencing information of Microsoft Secure Score – Microsoft 365 Defender please see Security Score Licencing.
Secure Score for Identity – Microsoft Entra ID
Secure Score for Identity can be found in Microsoft Entra ID in the Azure portal.
It's useful to notice that this is the same score that filters into Microsoft Secure Score in Microsoft 365 Defender as discussed above. This is as one would expect, as Entra ID is where the identities for M365 are stored. That being said, I can't be sure that other Entra products will record security posture here in the future and not filter through to Microsoft 365 Defender, but one thinks this is unlikely. If anyone has any thoughts on that one, let me know!
For licencing information of Secure Score for Identity – Microsoft Entra ID please see Security Score Licencing.
Secure Score – Microsoft Defender for Cloud
https://portal.azure.com/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/0
In Azure, Secure Score can be found under Security posture in Microsoft Defender for Cloud. Defender for Cloud customers have the Microsoft Cloud Security Benchmark (MCSB), formerly known as Azure Security Benchmark, automatically applied to their environments.
As well as monitoring Azure, Microsoft Defender for Cloud security posture can be applied to Google Cloud Platform (GCP) and Amazon Web Services (AWS). GitHub and Azure DevOps monitoring are currently in preview.
Microsoft Defender for Cloud offers a foundational cloud security posture management (CSPM) solution to protect across your multi-cloud and hybrid environments. Foundational CSPM is a free service that provides continuous assessments, security recommendations, Secure Score and the Microsoft cloud security benchmark across Azure, Amazon Web Services (AWS) and Google Cloud.
From the security posture page one can click through to see recommendations for each environment.
Secure Score – Recommendations
The Secure Score Recommendations tab focuses on the recommendations that align with best practice and that will increase the Secure Score percentage.
Secure Score – All Recommendations
The 'All Recommendations' tab provides a more exhaustive list of security suggestions that may not directly contribute to the Secure Score but are still valuable for enhancing security.
Secure Score – Recommendation Initiatives
Microsoft Defender for Cloud automatically applies the Microsoft cloud security benchmark. This benchmark is the Microsoft-authored set of guidelines for security and compliance best practices based on common compliance frameworks from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST).
For more info see: https://learn.microsoft.com/en-us/security/benchmark/azure/introduction
To add additional standards, navigate to Settings and then select Security Policy.
Secure Score – Remediating Recommendations
Clicking through to a recommendation takes you to the Recommendation page that describes the recommendation, lists related recommendations, details remediation steps, and displays the affected resources.
Also, on the Recommendation page one can Fix automatically (if possible), assign an owner to the recommendation and/or set an ETA for the fix.
Secure Score – Over Time
To track changes to Secure Score in Microsoft Defender for Cloud over time, there is a Log Analytics workbook available for this purpose. To use it, configure continuous export to send data to a Log Analytics workspace.
For licencing information of Secure Score – Microsoft Defender for Cloud please see Security Score Licencing.
Microsoft Secure Score for Devices
https://security.microsoft.com/tvm_dashboard
Microsoft Secure Score for Devices is part of the Defender Vulnerability Management dashboard of the Microsoft 365 Defender portal.
A higher Microsoft Secure Score for Devices means your endpoints are more resilient to cybersecurity threats. It reflects the collective security configuration state of your devices across the following categories:
- Application
- Operating system
- Network
- Accounts
- Security controls
Like Microsoft Secure Score above, there are a lot of options available to filter the recommendations, so you can home in on the areas that are of particular significance to you at that time.
Clicking through to an individual remediation provides significant information about that specific remediation option.
Overall the interface has a lot of similarities to the solutions above.
For licencing information of Microsoft Secure Score for Devices please see Security Score Licencing.
Microsoft Purview Compliance Manager
https://compliance.microsoft.com/compliancemanager
Not strictly a ‘Secure Score’ but ‘Compliance Score’ feels so similar it seems worth a mention.
Compliance manager is accessed from https://compliance.microsoft.com/compliancemanager and shows a percentage score that measures your progress in completing actions that help reduce risks around data protection and regulatory standards.
The full list of regulations is listed here: https://learn.microsoft.com/en-us/purview/compliance-manager-templates-list
For more information about Microsoft Purview Compliance Manager please see: Microsoft Purview Compliance Manager | Microsoft Learn
For licencing information of Microsoft Purview Compliance Manager please see Security Score Licencing.
Security Score – Licencing
As we have seen, there are several different Secure Scores within the Microsoft ecosystem. Below we detail the licencing requirements for each one.
Licencing for Microsoft Secure Score – Microsoft 365 Defender
Any of these licenses gives you access to Microsoft 365 Defender features via the Microsoft 365 Defender portal without additional cost:
- Microsoft 365 E5 or A5
- Microsoft 365 E3 with the Microsoft 365 E5 Security add-on
- Microsoft 365 E3 with the Enterprise Mobility + Security E5 add-on
- Microsoft 365 A3 with the Microsoft 365 A5 Security add-on
- Windows 10 Enterprise E5 or A5
- Windows 11 Enterprise E5 or A5
- Enterprise Mobility + Security (EMS) E5 or A5
- Office 365 E5 or A5
- Microsoft Defender for Endpoint
- Microsoft Defender for Identity
- Microsoft Defender for Cloud Apps or Cloud App Discovery
- Microsoft Defender for Office 365 (Plan 1 or 2)
- Microsoft 365 Business Premium
- Microsoft Defender for Business
Licencing for Microsoft Identity Secure Score – Microsoft Entra ID
Microsoft Identity Secure Score is available to all Microsoft 365 and Office 365 customers.
Licencing for Secure Score – Microsoft Defender for Cloud
Defender for Cloud offers foundational multi-cloud CSPM capabilities for free. Foundational CSPM includes asset discovery, continuous assessment and security recommendations for posture hardening, compliance with the Microsoft Cloud Security Benchmark (MCSB), and a Secure Score.
Licencing for Microsoft Secure Score for Devices – Microsoft Defender Vulnerability Management
Microsoft Defender Vulnerability Management is available as a standalone user subscription licence for commercial and education customers.
Defender Vulnerability Management is available as an add-on to organizations with:
- Microsoft Defender for Endpoint Plan 2 (standalone)
- Microsoft 365 E5/A5
- Microsoft 365 E5/A5/F5 Security
- Microsoft 365 F5 Security and Compliance add-on
- Windows 11 Enterprise E5/A5
- Windows 10 Enterprise E5/A5
Microsoft Defender for Servers Plan 1 and Defender for Servers Plan 2 also include access to vulnerability management capabilities.
Licencing for Microsoft Purview Compliance Manager
The Data Protection Baseline is offered to organisations with these licences:
- Microsoft 365 or Office 365 A1/E1/F1/G1
- Microsoft 365 or Office 365 A3/E3/F3/G3
Three additional premium licences and the ability to use customer assessments are available to organisations with these licences.
Final Thoughts
The most important thing I want to stress about the various Secure Scores is that one shouldn't feel demoralised by only being at a certain percentage, but treat them as powerful tools that allow you to track best practice across a lot of individual tools.
Allocating points to each remediation item helps with prioritising which actions to take first. Your individual environment will influence the process for fixing each item, and a good change control process is always advisable regardless.
The sheer number of remediation items can make one feel overwhelmed. An approach that works well is to create 'sprints', borrowed from the Scrum/Agile development methodology: choose a number of remediation actions to take place over a fixed time period, so that planning and deployment take on a rhythm of manageable increments. Security will never be 100%; as security professionals we constantly have to keep up to date with changes in the threat landscape and continuously work to keep our environments secure.
The various Secure Score dashboards give us the ability to stay current and take advantage of Microsoft's understanding of our environments and the shifting threat landscape, so that we can be more efficient and achieve more. Secure Score is not designed to make you feel bad, but to help us succeed.
Kobayashi Maru – hahaha – love it. It really does feel like that at times – love the analogy and useful insights.