A Look at Microsoft SecureScore
Using Your Agency's Microsoft SecureScore to Measure and Communicate Progress to the C-Level
Ed Higgins, CISSP, CISM, CGEIT
Director of Security and Compliance
ISF Session: April 23 10:30am - 11:30am
Agenda
• The complexity of communicating to leadership
• Hybrid Cloud Solutions increase complexity and attack surfaces
• New G5/E5 agreement provides numerous options for security professionals working at agencies running Microsoft platform
• Using Microsoft SecureScore as a “Digital Assistant” to your Security Initiatives
Microsoft 365
Microsoft’s Security Focus
Microsoft’s Focus on Security
Platform Investment
• Microsoft spends $1 billion every year on security research and product development
• Microsoft 365, Enterprise Mobility + Security, and Office 365 all include security features
How to Take Advantage of These Features
• Understand the security tools and features available
• Enabling these features increases security in increments
• Regularly reviewing outputs from these features provides insight
Making sense of all the noise
• Microsoft SecureScore is a tool for your administrators
• Not just to analyze, but also to implement best practices regarding security
What Is Microsoft SecureScore?
Microsoft SecureScore: a built-in security “Digital Assistant”
Continuous security posture feedback and insight for improvement
• Gives you advice on controls you can consider
• Helps you understand how your score compares to other similar environments
• Identifies steps to proactively reduce the attack surface for Office 365 and Windows
• By providing a score, it benchmarks your success and progress in improving your posture
So, let’s jump in and look at how the Microsoft Security Score is calculated
How is the SecureScore Calculated?
• Administrators for your Office 365 or Windows Defender Advanced Threat Protection can access SecureScore by navigating to securescore.microsoft.com
• Once logged in, your SecureScore summary is available for you in the top left side of the screen
How it’s calculated
• Score is calculated based on the controls you can configure versus what you have configured
• Office 365 score plus Windows score makes up SecureScore
NOTE: You will only see your Office 365 score if you don’t have Windows Defender Advanced Threat Protection
The Numerator
• The numerator (highlighted in the yellow box) is the sum of the security controls that you fully or partially meet
The Denominator
• The denominator (highlighted in the yellow box) represents the number of points you can earn given the set of features you have available
Controlling your Aggression
• Secure Score allows you to benchmark your organization against other similar organizations
• You can also use the slider to adjust the Target Score to different levels: Basic, Balanced, and Aggressive
• The number of Actions required decreases or increases based on the Target Score that you set
From Level = “Basic”
• Moving the “Target Score” slider to the left lowers the target Score, and lowers the number of Actions in queue
To Level = Aggressive
• Moving the “Target Score” slider to the right raises the target Score, and increases the number of Actions in queue
Setting your Goal – Catapult’s Recommended Best-Practice
• Regulated Records = 500+
  • CJIS, HIPAA, PCI
• Sensitive Records = 450+
  • PII, Bank Accounts, Tax Information
• Non-Sensitive Records (General Best-Practice) = 300+
  • Non-sensitive information, Internal-Only
Incorporates Impacts and Costs Analysis
• You can filter controls by action such as User Impact and Implementation Cost
• These actions will bring up controls based on how they affect the end users and the potential cost of enabling these controls
• Once filters are applied, the queue will display the controls that need to be adjusted to fulfill those requirements
• Expand each Action to see a description of the risk that the Action is attempting to mitigate
• Let’s take a look at an example
Time to Pick and Choose
• Microsoft SecureScore returns a listing of pragmatic steps that, when performed, will increase your Score
• Each choice varies by the significance of the step
Example – the effect of enabling MFA
• The example is an Action for enabling multi-factor authentication for all global admins
• You may already have a third-party solution in place for this, which you have the option of selecting. By adding this third-party action, points will be added to your overall score.
Example – the effect of enabling MFA (you can opt-out)
• Alternatively, you can opt out of the Action by selecting “Ignore”, and those points will be removed from your score denominator
Example – the effect of enabling MFA (learn more and insight)
• You can select “Learn More” to get an explanation of this option and the impact to your users
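The numerator, denominator, third-party and "Ignore" rules from the slides above, modelled in a short script. This is an added example, not Microsoft's or Catapult's code: the control names and point values are constructed, and it assumes a third-party resolution earns the control's full points.

```python
from dataclasses import dataclass, replace

# Catapult's recommended targets from the slides, highest first.
TARGETS = [(500, "Regulated"), (450, "Sensitive"), (300, "Non-Sensitive")]

@dataclass(frozen=True)
class Control:
    name: str
    max_points: int            # points the control is worth (constructed values)
    earned: int = 0            # points currently met, fully or partially
    third_party: bool = False  # resolved with a third-party solution
    ignored: bool = False      # opted out via "Ignore"

def secure_score(controls):
    """Return (numerator, denominator) as the slides describe them."""
    num = den = 0
    for c in controls:
        if c.ignored:
            continue                      # Ignore: points leave the denominator
        den += c.max_points
        # Assumption: a third-party resolution is credited with full points.
        num += c.max_points if c.third_party else min(c.earned, c.max_points)
    return num, den

def tier_met(score):
    """Highest Catapult target tier the numerator reaches, or None."""
    return next((name for floor, name in TARGETS if score >= floor), None)

# Constructed tenant: names and point values are illustrative only.
TENANT = [
    Control("MFA for all global admins", 50),
    Control("MFA for all users", 30, earned=12),
    Control("Review risky sign-ins report", 5, earned=5),
    Control("Other Office 365 controls (aggregate)", 250, earned=110),
    Control("Windows controls (aggregate)", 300, earned=180),
]

def mfa_scenarios(tenant=TENANT):
    """Score with the admin-MFA Action left open, third-party, and ignored."""
    mfa, rest = tenant[0], list(tenant[1:])
    return {
        "open": secure_score([mfa] + rest),
        "third_party": secure_score([replace(mfa, third_party=True)] + rest),
        "ignored": secure_score([replace(mfa, ignored=True)] + rest),
    }

if __name__ == "__main__":
    for label, (num, den) in mfa_scenarios().items():
        print(f"{label:12} {num}/{den} = {num/den:.1%}  tier: {tier_met(num)}")
```

In this constructed tenant, ignoring the Action moves the ratio from 307/635 to 307/585 with no new control in place, so a report to leadership should show the numerator and denominator together rather than the percentage alone.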
A Few Important Notes
• All scores will be recalculated and updated the next day after implementing suggested changes
• Scores are increased by viewing event logs such as “logins after multiple failures” and “risky sign-ins”
• Using the Score Analyzer at the top of the dashboard helps you track your organization’s score over time vs. the overall Office 365 average for organizations like yours
Using Score Analyzer
• Using the Score Analyzer helps you track your organization’s score over time versus the overall Office 365 average for organizations like yours
SecureScore - Average and Trend
• The graph (illustrated) can be exported so you can share the progress with the rest of your team
• You can also export the recommended actions list
• Same (as above) for the Control list
Summary
• Microsoft SecureScore is a useful assistant for any organization’s security practice
• SecureScore provides relevant metrics for communicating progress to executives
  • Can be used in discussions regarding current state and planned improvements
  • Illustrates improvement trends over periods of time
    • Compared against last year
    • To show results from security improvements and initiatives carried out over a period of time
Secure Score May 2018 through Aug 2018
Helps to Establish a Roadmap (example)
• Use existing security service to increase score to 230+ by January 2019
• Implement moderate impact controls based on best practices and user adoption
SecureScore Nov 2018 through Jan 2019
Key Recommendations
Quick Wins: 0-3 Months (low user impact; low to moderate implementation cost)
• Assign EM+S E5 License to Admins & Sensitive Users
• Refresh or implement company policies for IT Security, Data Handling, Mobile Devices, Retention & Classification
• User password testing (Attack Simulator)
• Implement MFA for all Global Admins, utilize lower permissions where possible
• Deploy Privileged Identity Management & Cloud App Discovery
• Perform Security Score recommended steps to reach at least 250
• End-user data handling training for email content
• Pilot DLP/Encryption and user notification tool-tips for sensitive content
• Conditional Access policy enforcement to prevent anomalous access, impossible travel, reduce MFA prompts on trusted scenarios
• Disable unapproved OAuth Trusts by users
3-6 Months (low to moderate user impact; moderate implementation cost)
• Complete gap resolution for NIST 800-53 Low
• Pilot Intune and review compliance policies
• AIP Scanner
• Perform Security Score recommended steps to reach at least 350
• MFA for all users
• Production Data Governance (Anonymous links, encryption, classification, retention, data loss prevention)
6 Months and beyond (moderate user impact; low and moderate implementation cost)
• Compliance Assessments for NIST 800-53 Low
• Enforce Cloud App Security Policy + remediation for all end users
• Resolve non-compliant mobile devices and enable conditional controls for all users with sensitive data access
• Perform Security Score recommended steps to reach at least 450
• OneDrive / Cloud Storage Adoption & User Education
• Azure Information Protection production deployment
• Leverage Graph API for threat hunting and issue automation (Spyglass, Phish Hunter, etc.)
Security Roadmap
0-3 Months / 3-6 Months / 6 Months and beyond
Protect / Detect / Respond
Legend (User impact, Implementation cost): Moderate, Low
• Implement Continuous Improvement Program for Security (Security coaching)
• Refresh or implement company policies for IT Security, Data Handling, Mobile Devices, Retention & Classification
• Managed security service: Threat detection
• Managed security service: Incident response planning
• Establish education program for IT staff and end-users – Data Loss and Phishing is high priority
• On-going: Secure Score Monthly Security Assessment
• Enable MFA and Priv Identity Management for all global admins
• Improve O365 Hardening (Score recommendations), Conditional Access controls
• Gap Resolution GDPR, Cali Privacy Act
• Deploy Conditional Access with Intune
• Azure Information Protection Production
• GDPR / Cali Privacy Act Assessment
• Pilot DLP/Encryption and user notification tool-tips
• Managed security service: Review security reports at least weekly, Implement Security Alerting
• Managed security service: Monitoring, account and credential abuse
• OneDrive / Cloud Storage Adoption & User Education
• Intrusion Detection: Azure ATP/ATA, CAS Discovery
• Data Governance (Anonymous links, classification, retention) & AIP Pilot
• MFA All Users
• Enforce governance policies via CAS
• Data Loss Prevention Pilot
• Azure Security Insights + Incident Automation (Flow)
• Automation of Incidents via CAS
• Security KPI Tracking
• Device Compliance Checks in Conditional Access (All Users)
• Pilot Intune
• Pilot Intune and review compliance policies
Q & A
Ed Higgins, CISSP, CISM, CGEIT
Security and Compliance Solutions
Catapult Systems