Using Microsoft Secure Score to harden your security position

October 21, 2019


[MUSIC] >>How is the morning
going so far, good? Few people are still coming
in. My name is Jason Wilson. I’m a Product Manager for
Microsoft 365 Security. Thanks for coming to
learn how to harden your security posture with
Microsoft Secure Score. I have to admit this is
a larger room than I was expecting. When I was walking over here I saw these small breakout rooms and
I’m like all right I got this. I got this. Then I
walk in I’m like crap. But, anyway it’s great having
all of you in here today. So I’m going to do the whole show of hands thing, various
non-scientific polling. So how many people
know of Secure Score? Out of the whole bunch how many
people actively use it? All right. Way less than the people
who know about it. Of the people who use it, do you like it and be
honest? All right. Way less than the people
who use it. All right. Hopefully there are a lot of product improvements
happening and we’re building a lot more across integrations
with other Microsoft products. Also, who works in Compliance? Oh! It’s okay. I’m a former Compliance guy
with US government and I think Compliance is sexy.
Not many people do. Everyone else just IT, IT Admins, Security Admins, SecOps, Analysts, raise your hand if you’re
included in. All right. I’ll stop with the hands thing.
Thank you very much though. So when it comes to, so every year Microsoft puts out the security intelligence
report that sort of outlines for the industry
or multiple industries, what are some of the general threat
trends that we’re seeing? Over the past few years we’ve
noticed three major trends. I mean it’s going to
be really obvious but the three trends are
identity-based attacks of course. The target is information and the attacks themselves
are automated attacks. Increasingly we’re seeing that. So the first thing is, with
identity-based attacks, they’re up. Last year they were
up 300 percent and of the major incidences that broke the threshold of
actually being a true breach, 81 percent were caused by
compromised credentials. Identity is the essential
security control plane and so once people get
compromised credentials they can obviously laterally move
through your environment and establish dominance and eventually go after
whatever they want. Most of the time it’s
the second trend. It’s information. Gone are the days of
the hackers, crackers, and script kiddies sort of like doing things for like fandom notoriety. It’s now a more targeted approach to gaining access to sensitive data, companies’ sensitive information. They’re using tools that are increasingly automated or
just automated which are bombarding security SecOps Analysts at a velocity that they’re
not able to handle. I mean a single human or group
of humans using tools that are
manual or multiple tools across multiple vendors
trying to- they are being bombarded with
alerts, false alerts. All these attacks constantly. It’s hard to keep up. So it’s making security management
and SecOps extremely difficult. So at Microsoft we define sort of the Security Management
as safe if you will based on those four
resources: identity, devices or your endpoints, data and Apps and
your infrastructure. Which underlying that in
security personal management are three key components
or core values. You need visibility. So you need to understand what
your current state is and what the risk is across all your resources and how
possibly you can mitigate it. Your controls. You have to understand what controls you have deployed and what security state that you
exist in at t zero time zero. Then furthermore, as there’s
sort of security controls: be it ISO 27001 or NIST 800-53
Rev 4 now, about to be Rev 5. They’re changing faster
than they used to. So, what you need is
guidance to how to elevate your score based on your
industry because it’s not all industries have the same sort
of guiding controls. Which is why we created
Microsoft Secure Score. So it provides rich insights into your current security posture
through an easy to use user interface and as well as guidance on how you can go from
point A to point B to C to D, wherever you need to go in order
to fully secure your environment. All right so let’s set the stage
for what goes into Secure Score? It originally started in 2017 and it’s just aimed
solely at Office 365. So there’s only
collecting Telemetry from Office 365 but we expanded it to include Windows 10 data
through Windows Defender ATP, or Advanced Threat Protection, and now we also include telemetry from Enterprise Mobility and Security including MCAS through
Microsoft Cloud Security, Azure AD, and Intune, and more are coming this year. So currently based on all that 89 controls is sort of our current baseline but
we’re adding to it every month. So, Secure Score is
comprised of two numbers. So you have your current score
based on the controls that you have deployed currently out of the total controls
that you could deploy. The score is based on
sort of what you own. So if you own Office 365 E3, it’s based on that. It could be completely
different, for example, if you’re using Microsoft 365 E5. So that score is going to
change based on what you’re on. Another great feature is sort
of this Historical Data. So like whether you’re being audited or whether you want
to demonstrate that, “Hey boss, I should get a raise. Look at all the good I do.” From point A to Z and we’re able to see sort of this trend line
and there are also, you can also there it is. So, you can provide a more detailed view and I’m
going to do a live demo of this. So it’s not going to just be
completely slideware, I promise. You’re going to be able to
select a snapshot in time and you’re able to export it to
whatever file format you want, for a presentation, for
other analytics through like export it into a CSV etc. Another important thing. So here’s how you can compare
your score to the total amount of users that use Secure Score that at least have telemetry
of being reported in. You’re also able to determine where you are positioned vis-a-vis
the size of organization. So if you’re a 500 user organization, you’re not going to look the same
or you’re not going to aim for the same type of score as if you’re a 10 to 15 to 100,000
active user organization. Another thing, it’s super important, no industries are the same
and so you’re able to select what industry you’re currently
operating in and you can compare whether or not
you’re better than your peers, you are not better than your peers, it’s competition all of a sudden. But it’s important to see. If you’re way low, maybe you have a lot more to do and if you’re way over the threshold, maybe you’re being too aggressive
with your security controls. Or maybe that’s exactly how
you like it. So guidance. So as everything is
changing and maybe you’re a startup or maybe you don’t
even know where to go next. What Secure Score does, it allows you to model your ideal score and there
are three thresholds. So it’s basic, balance, so you’re balancing between end-user productivity and security and then the other setting
is aggressive. So there’s a slider that you can
just slide all the way up and down based on what you’re
trying to model your score on. Then, you’re able to based
on say if your current score was 220 and you model it and you’re I want to be there,
somewhat balanced. It populates a list of controls that you either have currently
active or controls you don’t have active that you can
easily activate through the Secure Score portal
and then it adjusts accordingly based on whether
or not you actually go through that action and activate
certain policy controls. It does however, it’s not immediate, it does take about
24 hours and it’s updated every morning at 1:00 AM
Pacific Time in the US. Oh, I already just talked about that. Yeah, so you’re able to then see
when you click “Learn more”, it pops up, it doesn’t on
the slide but I’ll show you guys. So you’re able to learn more how you can do it natively
through Microsoft, you’re able to ignore it. So if the control itself
isn’t really relevant, when you click “Ignore”, it removes that from
your denominator, your total score, your target score and
then if you’re say using a Third Party application that
satisfies a certain control need, the GDPR, HIPAA, NIST, etc., then you are able to
enter that in and say provide explanation I’m using application x and it does this
and this and this and then it adds up those points to
your total overall score. There we go. So do we need to zoom in or how is
that for everyone is that, okay. So what we see here I
guess in this demo tenant, the Windows is not activated, sorry. But you can have it
activated, get your score. But so what you see here, it does say Office 365 but that also includes the EMS data
that’s coming in. So on the dashboard, that’s super low right now
and so let’s not be balanced. Let’s be the most
basic we want to be. Let’s be the most basic. So I was going to be basic. So this is where if you want to hit just the baseline minimums in your industry of whatever
security controls are required, that’s the basic
threshold is where you can set that minimum baseline. So then it populates, what you see right here. So at first here, you don’t, there’s nothing. We’re just going to hang out there. But if we want to be right at
the maximum threshold of basic, yes. Then it populates 19 actions
that you can possibly do. Like, require MFA for
everyone or just your admins. Shame on you if you
don’t already have that activated for your admins and most important users
you want to secure. Sorry, I shouldn’t have shamed. There are also other reasons
why maybe you wouldn’t have that but or whether or not you want to have audit of
e-mail inboxes, things like that. So let us go and see that screen. So I think thing is really cool and it’s super simple
but back in my day, when we’re working with
various controls or when we have massive spreadsheet and we’re all right,
we’re doing that. Which one does it satisfies and it cross-references various other tabs
with other things? It’s all right here. You’re able to see which controls, which standard, what guidance
this is directly mapped to. So it makes your life a
little easier in explaining well we’re now compliant
with all of these, and we did it through
a single dashboard. So you click “Learn
more”, it shows you, it walks you through
the steps. So let’s do that. Thank you Internet. So you can set a new policy. Again, there’s not going
to be any special magic because it does take 24 hours and I probably should have done
this 24 hours ago but I was hoping it was going to populate
in a shorter period of time. So say if you want to, you’re going to set conditional
access or conditions based on, sorry, what Cloud Apps. So select “All Cloud
apps” that are involved. This works with AMCAS, is integrated with AMCAS
and conditional access. You set the conditions. Let’s see. You can set what parameters
of browsers, all these, you click “Done”, enable the policy and it should
say create but it’s not. Let’s say for “All users”. Then it gives you
that warning, you’re like, just be sure you’re not going
to be locked out by admin. For some reason, it’s not
saying create right now. Anyway, so then it creates
and it takes about 24 hours. Another thing that I spoke to
is how to save your industry. So over on the side of determinant, it tells you where you can go. So you go to the Security and
Compliance Center where you can then set where you reside, in what industry, what region, if you have region-specific
control security controls are compliance requirements down here. Service Assurance and you
go to the settings here. Then you select, we’re in Europe. Let’s be in Brazil. We’re inventing, click “Save” and then this takes up to
48 hours to populate. Then once it populates and
pulls all that data in, you’ll be able to compare your scores vis-a-vis other members or
other peers within your industry. Let’s see. Other fun things. Also for example, say if
you’re using a third party for inbox auditing for all users, so it allows you to either
if it’s irrelevant for you, you click “Ignore” or here, pops it up and you’re just like. Then it gives you again
the 24 hours to sync with servers, 1:00 AM Pacific Daylight Time, depending on what time of year it is. Then so you wake up the next day, you’re super-excited, you’re
like, “What’s my score now?” You’re able to see that change. So probably adjust up a few
points because we haven’t gone through all 19 actions. Then let’s look at an extreme case where you want to be a nightmare for
all your business users. You’re like, we’re going to do all this and you’re going to hate it. But sometimes, it’s required. So you want to aim for the max score. You have 58 actions. What some people might have
noticed, certain things, we don’t get telemetry from
based on either legal issues or we haven’t activated
our triage yet. It says not scored. So that won’t be factored into
your total overall server. Once those are activated, it will be. So through this, you
can set up, again, it’s just a laundry list of things if you want
to walk through it. So this is the current state. Let me show you the score analyzer. Super simple to use. You’re able to see how
your score has dropped. So when you compare your scores, it tells you exactly
what activity occurred. What activity occurred
to cause your score to drop and how many points to drop. You’re able to go in and you’re like, “Well, I didn’t authorize that. What had happened?” You’re able to step in triage
directly from Secure Score itself. Now, this is the current state of it. What it is going to be
integrated further into the brand new Security
and Compliance Center, which I’m going to
show you right now. So the Security and Compliance
Center will show you not only Secure Score but alerts coming in from
various other products. We’ve announced it and it’s available but a lot of people have
not discovered it yet. So my credentials, pickup. All right. But the future for Secure Score, you’ll be able to see
all these various security cards or security admin cards that each
so like identity protection, that would be Azure AD Identity
Protection Microsoft Secure Score. This is going to be a central hub for all the various data points that are coming in from
the intelligence security graph. So with Microsoft Secure Score,
it’s a simple card. You click on it. You want
to work directly in this. So you click. All right. Let’s work on improvement. So all of these features in
the current Secure Score portal are ported over to
[email protected] So you’re able to do everything that you can hardly do in
Securescore.Microsoft.com. Here, you’re able to
pivot between all apps, which brings everything into a single control plane or
a single pane of glass, if you will, where you’re able to look across
everything that you do own and the data points that are
coming in to give you a broader picture of
everything that’s going, any possible nightmare or
alert that will be popping up, or if it’s like smooth sailing. Let’s go back to the home here. Then you can customize
various reports. You can include Secure
Score Identity Protection or just Secure Score or everything. You can tailor it to
whatever needs you have. Say, should an inevitable regulator
come knocking on your door, you’re able to provide
them all the details if needed or tailor it to
specifically what’s being asked. All right. Any other questions on
that while I have the demo up. Do you have any questions
to throw out? We have quite a bit. Do we have a microphone?
No microphone? All right.>>[inaudible] .>>So the history graph?>>[inaudible] .>>Asia? Asia Pacific, yeah. So that’s those are not
of the 89 controls but I know they’re working on the broader spectrum
and increasing regions. So currently, it’s the United States, the Western hemisphere
controls and Europe.>>[inaudible] .>>Azure. My apologies. Yes, so all that is in
Security.Microsoft.com. So all that’s going
to be flowing into Secure Score because all that is in one central location. My apologies. Correct, yes. So when you’re talking
basic theme like the thresholds? So whatever that you already have these capabilities in
Azure Active Directory, though those policies
and governance controls, that based on what we have set
as in that basic threshold, meaning that score, those
populate underneath. So when I showed it said like 19 possible controls that you can- let’s pull
it back a little bit. Yeah, I think I was right there. So based on whatever you
have, that’s what populates. So it’s not going to be like, “Well, you don’t own
this yet. Buy it now.” Sort of thing. That answers
the question. Any other questions?>>[inaudible] .>>Yeah, you’re able to do that. So you’re able to export. So from the timeline itself
in the score Analyzer, you’re able to set
the reporting period. So if you wanted to see
the totality of the score from starting point on, you’re able to click “Export”. Let’s see. Yeah. So you’re able
to see what happens. So it’s set to the total timeline. I know there’s a setting
for actual date. So put everything in the date but
it does not appear live demos. I swear. So yeah. So in theory, you could you’re able to set it based on date range and see what’s occurred on certain days
to cause it to go up or down as low, moderate, and high. Other questions? Saw
a couple of hands. Don’t be shy. We have a lot of
time and I think I’m near the end. Secure Score is fun. It’s easy to use. I mean, I think it’s fun.
Any other questions?>>[inaudible] .>>Yeah. So that’s where
the ignore section. If it populates and there’s like 29 controls and say like
13 of them, you’re like, “I’m really just targeting these certain controls and they know they’re mapped to
these following things, or features, or
recommendations that are populated within Secure Score,”
you can just click ignore. Then that removes that from the total amount of points
in that denominator.>>[inaudible] .>>So I’m talking like user roles and setting like a tiered
these roles and in turn->>[inaudible] .>>Yes. So that would all
be connected to Azure AD. So that would all happen
in the Azure AD portal.>>[inaudible] .>>So basically, the global admin or however your organization setup. So if it’s the SEC admins are
not part of the Global admin, but they are ruling over a certain subset of users and
a certain country or a region, that’s all set in Azure AD. Then when they log in to
Secure Score, they’re able to see. That’s the universe that they see, whatever they have
privileges to view.>>[inaudible]>>That is in the works, actually, and I’m really familiar with it. I can’t really speak to it because I don’t think I’m
authorized. Hello, camera. But yeah, so that’s through Azure Advanced Threat
Protection, Azure ATP, and that provides the telemetry
from on-prem that focuses on Active Directory
users and activities. So that’s going to be piped
into Secure Score shortly. By shortly, don’t think of any particular timeline
in the next few weeks. But it’s in the works, and I’m actually really
excited about that.>>Is there a roadmap you can
share with us for the near future?>>A Secure Score roadmap?>>Yeah.>>I don’t know where
that is located. I’m actually filling in for
a friend for this presentation. So there is a roadmap and if
you want to come up afterwards, I can get your
information or give you my information so you
can reach out and then I will get all the
right files over to you and get you a full roadmap for
the remainder of the calendar year. Oh, another question?>>From a partner point
of view, is there a way we can see more
customers [inaudible]?>>That is actually
a really good question. So if you enter in through
the partner portal, that I don’t know the answer for, that would be a great feature. So let me get the answer for you. That would make a lot of sense. Sorry if I don’t have
all the answers, guys. I’d like to pretend like I do, but I won’t lie.>>Some features require
a higher license?>>Not necessarily.
So I said earlier, the score is based on what you own. So if you want to
see a full spectrum, say if you have Microsoft 365 E5 through the premium license there, your score is going to be a little bit larger
because it’s going to populate with other features
from other products, but you don’t necessarily need to own anything more than
what you already own. It will just show the universe of what you already use
and what you own.>>Okay. That would be
valuable, let’s say, if we own a certain license
but we need to be, for an industry that rates on
a higher license [inaudible].>>Yeah, so that’s where this.>>Can you repeat the question?>>Oh, yeah. So the question is, whether or not if based
on your industry, if you need to use
a higher license, for example. So if you’re at E3 to E5, correct me if I am not
interpreting this correctly, will you be able to see
a global view of it based on industry and also across the board whether or
not you own the license? You are able to see that, actually. So that’s what is
populated over here. So the Office 365 Secure Score
is again a misnomer, so that’s Office Windows
or Office and EMS, E3, E5, and so that’s
the across everything. So not just of what you own, but your score and what sort
of the denominator of your score is populated based
on what you own and your peers. But this over on the side
here is all across the board. Then industry as well, once that’s populated
48 hours from now, if we want to hang out, it
shows that data as well, across the board, it’s
a global view of that.>>The secure [inaudible],
is it already available?>>Yeah, you’re able to use it today.>>[inaudible].>>Yeah. It’s brand new. You guys saw something fun and new. Any other questions? If not, I can give
you guys time back. Secure Score is an amazing product. It helps you harden
your security posture, and it’s so easy to use. I adore it, actually. Compliance nerd. Oh,
another question.>>Can you bring
your own industry title?>>We already have set industries, and what the industry
would you think?>>Well, just a sub-set.>>A sub-set of like
banking or health?>>Or a sub-set in the Netherlands
which can be very specific.>>Oh, this is very specific. I don’t believe so. I think everything is
pretty rigid there, the industry types but you
can select country though. So you can do industry and then country or
industry and then region. So you can tailor it and customize it but a subset of a certain industry, say like food chains under
retail versus retail all up. I don’t think you can
necessarily do that, but you can tailor it
based on country, region, and industry, or all industries in particular countries or
all industries in the region. So that’s sort of how
you can titrate up and titrate down based on
what type of view you want to see. So the question was, so if a new feature pops up to
help you in your security posture, say like next week, will you get an in-browser or
in-app notification of like, here’s what’s up, here’s what’s new, here’s what you work with. Secure Score does not
currently have that, those general pop-up alerts for any brand-new
features rolling out. But there’s alerts, for example, if you look at Azure AD, so if you’re going across
to the Azure AD portal, those will all populate within. So if you’re enabling various controls that are governed
within policies from Azure AD, you’ll be able to see all those
new alerts or new features. Yeah, so that’s where if you’re
adding various policies, so for example,
the industry type takes you to the compliance manager or
the security and compliance center. Other things, settings,
integrating with AIP for setting various compliance
settings for unstructured data. So all of those are just
integrated together. So whenever you click on a various control
that you want to enable, it pops up, it provides you the information of what you need
to do and where you need to go, and it takes you directly there. But all right. Thank you
very much. Thank you. [MUSIC].
