Microsoft has launched the preview of a new security analytics service called Office 365 Secure Score, which tells enterprise admins how exposed they are to hacker risks.
Not all risks to corporate data stem from the latest zero-day affecting software. Some risks, which Secure Score aims to help with, can also be traced back to a lack of security and access controls, such as the use of multi-factor authentication (MFA) on privileged accounts.
Helpfully, Secure Score doesn’t just spell out how good or bad your security it is, but will also offer advice on how to reduce risks by activating the right security controls. Microsoft says its scoring system incorporates 77 such controls, each of which attracts a certain number of points. The service measures how many of these recommended controls have been adopted to tally up a total single score.
However, as a preview, it appears some of the finer details of generally applicable secure score card still need ironing out. As Microsoft notes, some of the security controls are so “aggressive” they may harm worker productivity, so the goal isn’t necessarily to achieve a perfect score but rather to balance risks with productivity. The score however is meant to incentivise action by ‘gamifying’ security.
Microsoft says it wanted to find an alternative model for Office 365 organisations to evaluate their risk, as well as enabling gradual improvements to the risk management program.
“The core idea is that it is useful to rationalize and contextualize all of your cloud security configuration and behavioral options into one simple, analytical framework, and to make it very easy for you to take incremental action to improve your score over time,” Microsoft said in its announcement.
The score also won’t give any indication of the chances an organisation will be hacked, but nonetheless should help organisations adopt measures that counter the risks of a breach.
“No service can guarantee that you will not be breached, and the Secure Score should not be interpreted as a guarantee in any way,” Microsoft notes.
The risk assessment component of the report explains what threats can be mitigated by taking Microsoft’s recommended actions. These risks might include an account breach, an elevation of privilege, or data exfiltration. The service also offers a detailed summary of each risk, including the impact, likely and possible attack vectors, and common weaknesses related to specific architectures.
Continuing with the game-inspired approach, users of the scoring system will be able to compete their results with the average from ever other Office 365 customer score. How useful this compare feature is remains to be seen. Microsoft notes that average points across the board may be higher than a particular user can achieve due to points associated with controls linked to services a user hasn’t purchased. Presumably Microsoft could in future separate these average scores into different groupings with similar traits.
During the “take action” stage, the Secure Score application offers a slider bar, which displays what actions would need to be taken in order to move from the user’s current score to a desired score. These actions might include enabling MFA for different groups. Microsoft will also explain why each control would be effective at mitigating a particular risk. For example, in the case of enabling MFA, it will say how many admin accounts don’t have MFA enabled and explains that breach of any of those accounts could expose data.
The Secure Score system will also explain exactly what the admin is about to unleash on users if a certain action is taken. Microsoft is planning to allow admins to simply click “launch now” to activate changes right from Secure Score, however for now these steps are handled in a separate security centre.
Finally, Microsoft has thrown in a pretty graph tool to make communications with business execs and the board a easier to understand, and hopefully, to show off progress made over time. The Secure Score performance view can be adjusted between the past week to the past year and compares that with the industry average.
Ahead of the general release of Office 365 Secure Score, Microsoft is planing to make several improvements to the remediation experience, and add new measurements.