Microsoft service will judge your Office 365 security

What's your Office 365 Secure Score? Credit: Microsoft

Microsoft has launched the preview of a new security analytics service called Office 365 Secure Score, which tells enterprise admins how exposed they are to hacker risks.

Not all risks to corporate data stem from the latest zero-day affecting software. Some risks, which Secure Score aims to help with, can also be traced back to a lack of security and access controls, such as the use of multi-factor authentication (MFA) on privileged accounts.

Helpfully, Secure Score doesn’t just spell out how good or bad your security is, but will also offer advice on how to reduce risks by activating the right security controls. Microsoft says its scoring system incorporates 77 such controls, each of which attracts a certain number of points. The service measures how many of these recommended controls have been adopted to tally up a single total score.

However, as a preview, it appears some of the finer details of a generally applicable secure score card still need ironing out. As Microsoft notes, some of the security controls are so “aggressive” they may harm worker productivity, so the goal isn’t necessarily to achieve a perfect score but rather to balance risks with productivity. The score, however, is meant to incentivise action by ‘gamifying’ security.

Microsoft says it wanted to find an alternative model for Office 365 organisations to evaluate their risk, as well as enabling gradual improvements to the risk management program.

“The core idea is that it is useful to rationalize and contextualize all of your cloud security configuration and behavioral options into one simple, analytical framework, and to make it very easy for you to take incremental action to improve your score over time,” Microsoft said in its announcement.

The score also won’t give any indication of the chances an organisation will be hacked, but nonetheless should help organisations adopt measures that counter the risks of a breach.

“No service can guarantee that you will not be breached, and the Secure Score should not be interpreted as a guarantee in any way,” Microsoft notes.

The risk assessment component of the report explains what threats can be mitigated by taking Microsoft’s recommended actions. These risks might include an account breach, an elevation of privilege, or data exfiltration. The service also offers a detailed summary of each risk, including the impact, likely and possible attack vectors, and common weaknesses related to specific architectures.

Continuing with the game-inspired approach, users of the scoring system will be able to compare their results with the average from every other Office 365 customer score. How useful this compare feature is remains to be seen. Microsoft notes that average points across the board may be higher than a particular user can achieve due to points associated with controls linked to services a user hasn’t purchased. Presumably Microsoft could in future separate these average scores into different groupings with similar traits.

During the “take action” stage, the Secure Score application offers a slider bar, which displays what actions would need to be taken in order to move from the user’s current score to a desired score. These actions might include enabling MFA for different groups. Microsoft will also explain why each control would be effective at mitigating a particular risk. For example, in the case of enabling MFA, it will say how many admin accounts don’t have MFA enabled and explain that a breach of any of those accounts could expose data.

The Secure Score system will also explain exactly what the admin is about to unleash on users if a certain action is taken. Microsoft is planning to allow admins to simply click “launch now” to activate changes right from Secure Score; however, for now these steps are handled in a separate security centre.

Finally, Microsoft has thrown in a pretty graph tool to make communications with business execs and the board easier to understand and, hopefully, to show off progress made over time. The Secure Score performance view can be adjusted from the past week to the past year and compares that with the industry average.

Ahead of the general release of Office 365 Secure Score, Microsoft is planning to make several improvements to the remediation experience, and add new measurements.


Stories by Liam Tung
