Why Do I Have So Many Secure Scores?
Make use of a score for each area of cloud security.
Microsoft has multiple teams working on different aspects of cybersecurity for its cloud services. This has resulted in 6 different secure scores, which will likely leave many cybersecurity analysts wondering what each of them does.
In this blog, we will summarize what each of the secure scores does and what is used to calculate it. We will also discuss how each of them can be used to gauge your organization’s level of security. For security reasons, the example images in this blog are from a test directory.
Microsoft Defender for Cloud Secure Score
The secure score in Microsoft Defender for Cloud is a centralized score that looks over security recommendations across all Microsoft menus. This score is calculated by comparing the settings on resources within a subscription to a set of optimal security settings that are recommended in Microsoft Defender for Cloud.
This score is used to measure the security posture for the entire subscription that it is evaluating. The score can be improved by going over the recommended security changes for resources within the subscription. The Microsoft Defender for Cloud recommendations can be used to help prioritize which settings have the largest impact on the score.
AAD Identity Secure Score
This is a secure score in the Microsoft Active Directory Security menu that measures identity-related risks. It looks across AAD settings and settings in other Microsoft menus related to identity to determine how secure AAD identities are in the cloud environment.
The Identity Secure Score is a measure of the organization’s posture for managing cloud identities. The score can be improved by taking recommended actions like requiring MFA, putting restrictions on service principals, and changing settings on connected domain controllers.
Microsoft 365 Security Secure Score
The Microsoft 365 Security menu has a secure score that takes recommendations from all the Microsoft Defender 365 platforms. This score is calculated using a system that assigns point values for recommendations from different platforms. A high severity recommendation from Defender for Identity would have a higher point value than a low severity recommendation from MCAS.
The score is used to measure the security posture of everything connected to Microsoft Defender 365 products. The score can be improved by following configuration recommendations for each of the connected Microsoft Defender 365 products.
Microsoft Defender for Endpoints (MDE) Organization Exposure Score
In Microsoft Defender for Endpoints the first secure score is the “Organization Exposure Score”. This is one of the more confusing secure scores because users cannot click on it to see more details. This score is calculated based on the recommendations in MDE that have “Organization Exposure Impact”, which are basically vulnerabilities that are affecting the security of the rest of the organization.
This score is used to give a macroscopic view of security implementation across all devices connected to MDE. The score can be improved by following the “Top Security Recommendations”, which is a side menu in the TVM dashboard that lists recommendations based on organizational exposure.
MDE Secure Score for Devices
The other type of secure score in MDE is the “Secure Score for Devices”, which is an average of the exposure of connected devices. The score is split into 5 different exposure type categories that security admins can use to determine where the most weaknesses are. The score is calculated based on the average exposure in each category.
This score is used to identify common vulnerabilities on endpoints in the organization’s environment. The score can be improved by selecting any of the categories and implementing the changes in the “Security Recommendations” menu that are filtered by category.
MCAS Cloud Discovery Risk Levels
In the MCAS Cloud Discovery menu, there is a “Risk Levels” section with representations of the app scores and how those scores are distributed in the cloud app environment. The Risk Levels menu does not have its own score; instead, it can be adjusted to view different representations of risk scores across the cloud app environment.
This menu is used to see an overview of activity that cloud apps with different security scores are participating in. To improve the ratio of high, medium, and low risk app activity, go through low and medium risk applications to evaluate if they are still needed. The risk scoring in MCAS can also be adjusted in the settings menu of MCAS.
We will continue to share best practices and lessons learned in future posts on using different secure scores in customer environments. The way Microsoft measures security is likely to change in the future, and we plan to stay on top of upcoming security metrics.
In closing, consider these three questions when using different secure scores in your organization:
- Do we understand all of the secure scores with respect to our cybersecurity posture?
- How can we use the various secure scores to evaluate our current security configurations?
- How should we use the current secure score models to inform our security metrics and KPIs?