
Page 1: A Look at Microsoft SecureScore


A Look at Microsoft SecureScore

Using Your Agency's Microsoft SecureScore to Measure and Communicate Progress to the C-Level

Ed Higgins, CISSP, CISM, CGEIT
Director of Security and Compliance

ISF Session: April 23 10:30am - 11:30am

Page 2: A Look at Microsoft SecureScore


Agenda

• The complexity of communicating to leadership

• Hybrid Cloud Solutions increase complexity and attack surfaces

• New G5/E5 agreement provides numerous options for security professionals working at agencies running the Microsoft platform

• Using Microsoft SecureScore as a “Digital Assistant” to your Security Initiatives

Page 3: A Look at Microsoft SecureScore


Microsoft 365

Page 4: A Look at Microsoft SecureScore


Microsoft’s Security Focus

Page 5: A Look at Microsoft SecureScore


Microsoft’s Focus on Security

Platform Investment

• Microsoft spends $1 billion every year on security research and product development

• Microsoft 365, Enterprise Mobility + Security, and Office 365 all include security features

How to Take Advantage of These Features

• Understand the security tools and features available

• Enabling these features increases security in increments

• Regularly reviewing outputs from these features provides insight

Making sense of all the noise

• Microsoft SecureScore is a tool for your administrators

• Not just to analyze, but also to implement best practices regarding security

Page 6: A Look at Microsoft SecureScore


What Is Microsoft SecureScore?

Microsoft SecureScore: a built-in security “Digital Assistant”

Continuous security posture feedback and insight for improvement

• Gives you advice on controls you can consider

• Helps you understand how your score compares to other similar environments

• Identifies steps to proactively reduce the attack surface for Office 365 and Windows

• By providing a score, it benchmarks your success and progress in improving your posture

So, let’s jump in and look at how the Microsoft SecureScore is calculated

Page 7: A Look at Microsoft SecureScore


How is the SecureScore Calculated?

• Administrators for your Office 365 or Windows Defender Advanced Threat Protection can access SecureScore by navigating to securescore.microsoft.com

• Once logged in, your SecureScore summary is available for you in the top left side of the screen

Page 8: A Look at Microsoft SecureScore


How it’s calculated

• Score is calculated based on the controls you can configure versus what you have configured

• Office 365 score plus Windows score makes up SecureScore

NOTE: You will only see your Office 365 score if you don’t have Windows Defender Advanced Threat Protection

Page 9: A Look at Microsoft SecureScore


The Numerator

• The numerator (highlighted in the yellow box) is the sum of the security controls that you fully or partially meet

Page 10: A Look at Microsoft SecureScore


The Denominator

• The denominator (highlighted in the yellow box) represents the number of points you can earn given the set of features you have available

Page 11: A Look at Microsoft SecureScore


Controlling your Aggression

• Secure Score allows you to benchmark your organization against other similar organizations

• You can also use the slider to adjust the Target Score to different levels: Basic, Balanced, and Aggressive

• The number of Actions required decreases or increases based on the Target Score that you set

Page 12: A Look at Microsoft SecureScore


From Level = “Basic”

• Moving the “Target Score” slider to the left lowers the target Score, and lowers the number of Actions in queue

Page 13: A Look at Microsoft SecureScore


To Level = Aggressive

• Moving the “Target Score” slider to the right raises the target Score, and increases the number of Actions in queue

Page 14: A Look at Microsoft SecureScore


Setting your Goal – Catapult’s Recommended Best-Practice

• Regulated Records = 500+
  • CJIS, HIPAA, PCI

• Sensitive Records = 450+
  • PII, Bank Accounts, Tax Information

• Non-Sensitive Records (General Best-Practice) = 300+
  • Non-sensitive information, Internal-Only

Page 15: A Look at Microsoft SecureScore


Incorporates Impacts and Costs Analysis

• You can filter controls by action such as User Impact and Implementation Cost

• These filters bring up controls based on how they affect the end users and the potential cost of enabling these controls

• Once filters are applied, the queue will display the controls that need to be adjusted to fulfill those requirements

• Expand each Action to see a description of the risk that the Action is attempting to mitigate

• Let’s take a look at an example

Page 16: A Look at Microsoft SecureScore


Time to Pick and Choose

• Microsoft SecureScore returns a listing of pragmatic steps that, when performed, will increase your Score

• Each choice varies by the significance of the step

Page 17: A Look at Microsoft SecureScore


Example – the effect of enabling MFA

• The example is an Action for enabling multi-factor authentication for all global admins

• You may already have a third-party solution in place for this, which you have the option of selecting. By adding this third-party action, points will be added to your overall score.

Page 18: A Look at Microsoft SecureScore


Example – the effect of enabling MFA (you can opt-out)

• Alternatively, you can opt out of the Action by selecting “Ignore”, and those points will be removed from your score denominator

Page 19: A Look at Microsoft SecureScore


Example – the effect of enabling MFA (learn more and insight)

• You can select “Learn More” to get an explanation of this option and the impact to your users
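The following Python script is an added example, not part of the presentation or of Microsoft's product: it models the score arithmetic the deck walks through on pages 8 through 18, with points for fully or partially met controls in the numerator, available points in the denominator, “Ignore” dropping a control from the denominator, a third-party product counting as met, and the User Impact / Implementation Cost filters and Target Score shortening or lengthening the action queue. All control names, point values, impact and cost labels are constructed for illustration.

```python
# Added example, not from the presentation: a model of the Secure Score arithmetic as the deck
# describes it. Names, point values, impact and cost labels are constructed, not Microsoft's catalog.
from dataclasses import dataclass, replace

@dataclass
class Control:
    name: str
    points: int            # points available when the control is fully met
    achieved: float        # fraction met: 1.0 full, 0.5 partial, 0.0 not met
    user_impact: str       # "low" / "moderate" / "high"
    cost: str              # implementation cost: "low" / "moderate" / "high"
    ignored: bool = False  # "Ignore" drops the control from the denominator

def secure_score(controls):
    """(numerator, denominator): points earned from fully or partially met
    controls over points available, with ignored controls left out of both."""
    scored = [c for c in controls if not c.ignored]
    return sum(c.points * c.achieved for c in scored), sum(c.points for c in scored)

def set_ignored(controls, name, ignored=True):
    """Copy of the list with one control marked Ignore (or un-ignored)."""
    return [replace(c, ignored=ignored) if c.name == name else c for c in controls]

def remaining(c):  # points still on the table for a control not fully met
    return c.points * (1 - c.achieved)

def actions_to_reach(controls, target, user_impact=None, cost=None):
    """Action queue to reach a target score, largest gain first, optionally
    filtered by user impact and implementation cost like the dashboard
    filters. Returns (queue, projected score once the queue is done)."""
    current, _ = secure_score(controls)
    queue = []
    for c in sorted(controls, key=remaining, reverse=True):
        if current >= target:
            break  # target met: a lower target means a shorter queue
        if c.ignored or c.achieved >= 1.0:
            continue
        if (user_impact and c.user_impact != user_impact) or (cost and c.cost != cost):
            continue
        queue.append(c.name)
        current += remaining(c)
    return queue, current

SAMPLE = [  # constructed tenant snapshot; a third-party MFA product counts as met
    Control("MFA for all global admins (third-party)", 50, 1.0, "low", "low"),
    Control("MFA for all users", 30, 0.0, "moderate", "moderate"),
    Control("Review risky sign-ins weekly", 10, 0.5, "low", "low"),
    Control("Enable DLP policies", 20, 0.0, "moderate", "moderate"),
    Control("Block legacy authentication", 15, 0.0, "moderate", "low", ignored=True),
]
```

With the sample snapshot the score is 55 of 110; un-ignoring the legacy-auth control leaves the numerator at 55 but raises the denominator to 125, which is why “Ignore” should be reserved for controls a compensating product genuinely covers.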

Page 20: A Look at Microsoft SecureScore


A Few Important Notes

• All scores will be recalculated and updated the next day after implementing suggested changes

• Scores are increased by viewing event logs such as “logins after multiple failures” and “risky sign-ins”

• Using the Score Analyzer at the top of the dashboard helps you track your organization’s score over time vs. the overall Office 365 average for organizations like yours

Page 21: A Look at Microsoft SecureScore


Using Score Analyzer

• Using the Score Analyzer helps you track your organization’s score over time versus the overall Office 365 average for organizations like yours

Page 22: A Look at Microsoft SecureScore


SecureScore - Average and Trend

• The graph (illustrated) can be exported so you can share the progress with the rest of your team

• You can also export the recommended actions list

• The same applies to the Control list

Page 23: A Look at Microsoft SecureScore


Summary

• Leveraging Microsoft SecureScore is a useful assistant for any organization’s security practice

• SecureScore provides relevant metrics for communicating progress to executives
  • Can be used in discussions regarding current state and planned improvements
  • Illustrates improvement trends over periods of time
  • Compared against last year
  • To show results from security improvements and initiatives carried out over a period of time

Page 24: A Look at Microsoft SecureScore


Secure Score May 2018 through Aug 2018

Page 25: A Look at Microsoft SecureScore


Helps to Establish a Roadmap (example)

• Use existing security service to increase score to 230+ by January 2019

• Implement moderate impact controls based on best practices and user adoption

Page 26: A Look at Microsoft SecureScore


SecureScore Nov 2018 through Jan 2019

Page 27: A Look at Microsoft SecureScore


Key Recommendations

Quick Wins: 0-3 Months

• Low user impact

• Low to moderate implementation cost

• Assign EM+S E5 License to Admins & Sensitive Users

• Refresh or implement company policies for IT Security, Data Handling, Mobile Devices, Retention & Classification

• User password testing (Attack Simulator)

• Implement MFA for all Global Admins, utilize lower permissions where possible

• Deploy Privileged Identity Management & Cloud App Discovery

• Perform Security Score recommended steps to reach at least 250

• End-user data handling training for email content

• Pilot DLP/Encryption and user notification tool-tips for sensitive content

• Conditional Access policy enforcement to prevent anomalous access, impossible travel, reduce MFA prompts on trusted scenarios

• Disable unapproved OAuth Trusts by users

3-6 Months

• Low to moderate user impact

• Moderate implementation cost

• Complete gap resolution for NIST 800-53 Low

• Pilot Intune and review compliance policies

• AIP Scanner

• Perform Security Score recommended steps to reach at least 350

• MFA for all users

• Production Data Governance (Anonymous links, encryption, classification, retention, data loss prevention)

6 Months and beyond

• Moderate user impact

• Low and moderate implementation cost

• Compliance Assessments for NIST 800-53 Low

• Enforce Cloud App Security Policy + remediation for all end users

• Resolve non-compliant mobile devices and enable conditional controls for all users with sensitive data access

• Perform Security Score recommended steps to reach at least 450

• OneDrive / Cloud Storage Adoption & User Education

• Azure Information Protection production deployment

• Leverage Graph API for threat hunting and issue automation (Spyglass, Phish Hunter, etc.)

Page 28: A Look at Microsoft SecureScore

Security Roadmap

The slide arranges the following items in a grid: rows Protect, Detect and Respond; columns 0-3 Months, 3-6 Months and 6 Months and beyond; each item marked for user impact and implementation cost (Low or Moderate).

• Implement Continuous Improvement Program for Security (Security coaching)

• Refresh or implement company policies for IT Security, Data Handling, Mobile Devices, Retention & Classification

• Managed security service: Threat detection

• Managed security service: Incident response planning

• Establish education program for IT staff and end-users – Data Loss and Phishing is high priority

• On-going: Secure Score Monthly Security Assessment

• Enable MFA and Priv Identity Management for all global admins

• Improve O365 Hardening (Score recommendations), Conditional Access controls

• Gap Resolution GDPR, Cali Privacy Act

• Deploy Conditional Access with Intune

• Azure Information Protection Production

• GDPR / Cali Privacy Act Assessment

• Pilot DLP/Encryption and user notification tool-tips

• Managed security service: Review security reports at least weekly, Implement Security Alerting

• Managed security service: Monitoring, account and credential abuse

• OneDrive / Cloud Storage Adoption & User Education

• Intrusion Detection: Azure ATP/ATA, CAS Discovery

• Data Governance (Anonymous links, classification, retention) & AIP Pilot

• MFA All Users

• Enforce governance policies via CAS

• Data Loss Prevention Pilot

• Azure Security Insights + Incident Automation (Flow)

• Automation of Incidents via CAS

• Security KPI Tracking

• Device Compliance Checks in Conditional Access (All Users)

• Pilot Intune and review compliance policies

Page 29: A Look at Microsoft SecureScore


Q & A

Ed Higgins, CISSP, CISM, CGEIT
Security and Compliance Solutions
Catapult Systems
[email protected]