Microsoft Secure Score (MSS) is a free security tool that every business can use to better understand and improve its security position against today’s advanced threats. It is designed to help you understand your security position and advise you on which controls to consider, and to show how your score compares to other businesses.
MSS helps identify measures you can take to reduce attacks on Office 365 and Windows. By providing a score, the tool lets you track your success and progress in addressing potential security issues.
Securing the Functionality
When businesses migrate more workloads to the cloud, it is vital to ensure any resources in the public cloud are secured by sticking to industry standards and best practices. Businesses may have existing solutions for their on-site environment, but security differs in the cloud. The Secure Score functionality provides your business with a measurement that helps you understand your current security position, as well as the steps you can take to improve it. Microsoft Secure Score assesses your work environment, and the actions you take to increase your security positioning or implement new resources are reflected in your Secure Score.
How it works
You’re given points for the following actions:
- Configuring recommended security features
- Doing security-related tasks
- Addressing the improvement action with a third-party application or software, or an alternate mitigation
Some improvement actions only give points when fully completed. Some give partial points if they’re completed for some devices or users. If you can’t or don’t want to enact one of the improvement actions, you can choose to accept the risk or remaining risk.
If you have a license for one of the supported Microsoft products, then you’ll see recommendations for those products. This way, you can understand security best practices and improve your score. Your absolute security posture, represented by Secure Score, stays the same no matter what licenses your organisation owns for a specific product.
Keep in mind that security should be balanced with usability, and not every recommendation can work for your environment.
Your score is updated in real time to reflect the information presented in the visualisations and improvement action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.
How actions are scored
Each action is worth 10 points or less, and most are scored in a binary fashion. If you implement the improvement action, such as creating a new policy or turning on a specific setting, you get 100% of the points. For other improvement actions, points are given as a percentage of the total configuration.
For example, an improvement action may state that you get 10 points by protecting all your users with multi-factor authentication. If you only have 50 of 100 total users protected, you would get a partial score of 5 points (50 protected / 100 total * 10 max pts = 5 pts).
Products included in Secure Score
Currently there are recommendations for the following products:
- Microsoft 365 (including Exchange Online)
- Azure Active Directory
- Microsoft Defender for Endpoint
- Microsoft Defender for Identity
- Defender for Cloud Apps
- Microsoft Teams
The recommendations won’t cover all the attack surfaces associated with each product, but they’re a good baseline. You can also mark the improvement actions as covered by a third party or alternate mitigation.
Microsoft Secure Score has updated improvement actions to support security defaults in Azure Active Directory, therefore making it easier to help protect your business with pre-configured security settings for common attacks.
If you turn on security defaults, you’ll be awarded full points for the following improvement actions:
- Ensure all users can complete multi-factor authentication for secure access (9 points)
- Require MFA for administrative roles (10 points)
- Enable policy to block legacy authentication (7 points)
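The scoring rules under "How actions are scored" and the effect of security defaults on the three actions listed above can be modelled in a few lines. This is an added example, not Microsoft's code: the sample tenant data, the per-action scoring mode, the two "Example" actions and the full-points treatment of third-party coverage are assumptions made for illustration.

```python
from dataclasses import dataclass, replace

# The three actions the page says security defaults award in full.
SECURITY_DEFAULTS = {
    "Ensure all users can complete multi-factor authentication for secure access",
    "Require MFA for administrative roles",
    "Enable policy to block legacy authentication",
}

@dataclass(frozen=True)
class Action:
    name: str
    max_points: float          # each action is worth 10 points or less
    partial: bool              # True: percentage of coverage; False: all-or-nothing
    covered: int               # users/devices meeting the control
    total: int                 # users/devices in scope
    third_party: bool = False  # marked as covered by third party / alternate mitigation

def points(a: Action) -> float:
    if not 0 < a.max_points <= 10 or not 0 <= a.covered <= a.total:
        raise ValueError(f"{a.name}: invalid points or coverage")
    if a.third_party:
        return float(a.max_points)  # assumption: third-party coverage earns full points
    if a.total == 0:
        return 0.0
    if a.partial:
        return round(a.covered / a.total * a.max_points, 2)
    return float(a.max_points) if a.covered == a.total else 0.0

def secure_score(actions):
    """Return (achieved points, maximum points, percentage)."""
    achieved = sum(points(a) for a in actions)
    maximum = sum(a.max_points for a in actions)
    return achieved, maximum, round(achieved / maximum * 100, 2)

def gaps(actions):
    """Points still available per action, largest gain first."""
    missing = [(a.name, round(a.max_points - points(a), 2)) for a in actions]
    return sorted((m for m in missing if m[1] > 0), key=lambda m: -m[1])

def with_security_defaults(actions):
    """Model turning on security defaults: full coverage for the three actions."""
    return [replace(a, covered=a.total) if a.name in SECURITY_DEFAULTS else a for a in actions]

# Constructed sample tenant; scoring modes and coverage figures are illustrative.
SAMPLE = [
    Action("Ensure all users can complete multi-factor authentication for secure access", 9, True, 50, 100),
    Action("Require MFA for administrative roles", 10, True, 2, 4),
    Action("Enable policy to block legacy authentication", 7, False, 0, 1),
    Action("Example binary policy action (constructed)", 5, False, 0, 1),
    Action("Example action covered by a third party (constructed)", 3, False, 0, 1, third_party=True),
]
```

Calling `gaps(SAMPLE)` lists the improvement actions by the points they would still add, which is a quick way to decide what to tackle first.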
Microsoft Secure Score is a statistical review of your security posture based on system configurations, user behaviour, and other security-related measurements. It isn’t an absolute measurement of how likely your system or data will be breached.
Rather, it represents the extent to which you have adopted security controls in your Microsoft environment that can help balance the risk of being breached. No online service is immune from security breaches, and Secure Score shouldn’t be interpreted as a guarantee against a security breach in any manner.
Discover how you can elevate your Microsoft 365, Azure and Dynamics 365 posture with our Cloud Security Review – hosted by Ian Stretton, Cloud Transformation Director at risual.
This is an entirely FREE 1:1 consultancy session to have your security posture reviewed, with the opportunity to learn, discuss and receive valuable recommendations tailored to your organisation.
Register your interest and we will be in touch to book your session: Workshop: 1:1 Security and Compliance workshop – risual
Reference: Taken from Jennifer Kendall’s blog A “quick wins” approach to securing Azure Active Directory and Office 365 and improving your security posture – Microsoft Security Blog