How many % should you achieve? 50%? 70%? 90%? 100%?
What is the Microsoft 365 secure score?
But first, the Secure Score is measured in percent calculated by Microsoft after searching through you Microsoft 365 setup. The Secure Score is divided into four categories; Identity, Apps, Data and Devices, so we got a secure score for each of these categories as well.
Before you read any further, I just want to say: Don’t head out to achieve a certain secure score. The score percent in it self can’t tell if you are secure or not. What it can tell us, is how your security is changing from day to day.
So what you should do, is go through the list of recommended actions Microsoft has detected in your tenant. Secure Score can be found here. The actions are ranked from #1 being most critical severity, depending on the risk it poses to your organization. This is not only the severity of a threat, but also takes into consideration how likely are your organization to be infiltrated based on numbers of vulnerable entities.
Recommended actions is a list Microsoft provides with assessment of your Microsoft 365 environment, where it finds weaknesses and recommendations to increase reduce or remediate those weaknesses.
It ranks all recommendation according to your environment, so for this tenant activating MFA authentication for administrative roles will by Microsoft’s calculations increase your security the most. Hence it will increase your secure score the most out of each single recommendation, but this is a numbers game and you will achieve a high score by only mitigating a small set of recommendations.
Detailed information on recommended actions
Open one of the recommended actions and Microsoft provides a detailed description, implementation steps and a history of how the points have changed in regards to this action.
Not all recommendations are described as detailed. But it is getting pretty good and easy to implement using this information, but be aware you need to know your own organization and follow your processes. It might be good security action, but it doesn’t matter if your users and colleagues can’t work after remediation.
I recommend every customer to get through the list of recommended actions, and once done you will have your baseline security score. This baseline security score
Security Operations (SecOps)
When we have the baseline, it is time to look at it from a Security Operations perspective, because the Secure Score is alive. So we need to track this score for two main reasons:
New recommended actions
Microsoft continues to update the list of recommended actions, which not only reduce your secure score if not dealt with, but gives you the change to improve your security further.
All recommended actions is measured by the number of users or devices that is either secure or at risk, which will decrease or increase your secure score. This can be normal behavior during offboarding and onboarding of users and devices. But it can also reveal exceptions, which should be investigated and if possible remediated.
We have an over all secure score and we have a secure score for each four sub-topics. If we follow the over all secure score, it will change if one recommended action is regressed. But not by much, so it doesn’t necessarily visualize the severity correct. Then we look at the four sub-topics, which will be reduced more, because the regressed action will have a bigger impact on this secure score. Then we have to dig deeper into actions, to see which recommended action has been regressed and decide if we need to investigate further.
We can also filter out tasks that have regressed, and continue to operate our security with this list. If any task will regress it will show up in this list.
Microsoft also provides a chart where your over all secure score is compared to tenants with similar number of users and type of licenses. All though, it doesn’t matter that much. Most customer tenants rank higher then compared tenants. We are not all in the same business, so we can’t make the assumption everyone can implement the same recommended actions.
To summarize this blogpost, it does take a while to get through all recommended actions, but it is well worth your time and you have all tools necessary at your fingertips in Microsoft 365. Most of the recommendations will fit your organization, and it will always be a struggle between security and user-friendliness. So it is important to see actions from bought sides, very much depending on your users level of expertise in using computers. Sys Admins and Developers can handle much more security, at cost of user friendly services, compared to non-it-employees.
I will soon follow-up with another blogpost on recommended actions, having a look at the top 10 actions and how I would l judge them. Please follow me on social media or subscribe to my blog to receive a notification when its coming.
And today is December 1st, I wish you all a peace in mind to enjoy the season we have in front of us 🙂