New Security Analytics Service: Finding and Fixing Risk in Office 365

Microsoft is pleased to announce the preview availability of a new security analytics service called the Office 365 Secure Score. The Secure Score is a security analytics tool that will help you understand what you have done to reduce the risk to your data in Office 365, and show you what you can do to further reduce that risk. We think of it as a credit score for security. Our approach to this experience was very simple. First, we created a full inventory of all the security configurations and behaviors that our customers can do to mitigate risks to their data in Office 365 (there are about 77 total things that we identified). Then, we evaluated the extent to which each of those controls mitigated a specific set of risks and awarded the control some points. More points means a more effective control for that risk. Lastly, we measure the extent to which your service has adopted the recommended controls, add up your points, and present it as a single score.

The core idea is that it is useful to rationalize and contextualize all of your cloud security configuration and behavioral options into one simple, analytical framework, and to make it very easy for you to take incremental action to improve your score over time. Rather than constructing a model with findings slotted into critical, moderate, or low severity, we wanted to give you a non-reactive way to evaluate your risk and make incremental changes over time that add up to a very effective risk mitigation plan.

The Office 365 Secure Score is a preview experience, so you may find issues, and you will note that not all of the controls  are being measured. Please share any issues on the Office Network Group for Security. You can access the Secure Score at https://securescore.office.com.

The Secure Score does not express an absolute measure of how likely you are to get breached. It expresses the extent to which you have adopted controls which can offset the risk of being breached. No service can guarantee that you will not be breached, and the Secure Score should not be interpreted as a guarantee in any way.

Your Secure Score Summary

The first, most important piece of the Secure Score experience is the Score Summary. This panel gives you your current Secure Score, and the total number of points that are available to you, given your subscription level, the date that your score was measured, as well as a simple pie chart of your score. The denominator of your score is not intended to be a goal number to achieve. The full set of controls includes several that are very aggressive and will potentially have an adverse impact on your users' productivity. Your goal should be to optimize your action to take every possible risk mitigating action while preserving your users' productivity.

ss_summary

Risk Assessment

While the Secure Score is framed as a 'gamification' of your security, it is important to recognize that every action you take will mitigate a real world threat. This panel shows you the top threats for your tenancy, given your particular configuration and behaviors. Make sure you read about and understand the risks you are mitigating every time you take an action.

ss_riskanalysis ss_threatsdescription

Compare Your Score

The Office 365 Average Secure Score is calculated from every Office 365 customer's Secure Score. You can use this panel to get a better sense of how your score stacks up against the average. The specific controls that are passed by any given customer are not exposed in the average, and your Secure Score is private. Note that the Average Secure Score only includes the numerator of the score, not the denominator. So, the average points may be higher than you can achieve because there are points in controls associated with services that you have not purchased.

ss_comparison

Take Action

Helping you figure out which actions to take to improve your score is the purpose of the Secure Score.  There are three basic parts to the experience:

First, there is the modeler. Use the slider to figure out how many actions you want to review. Sliding to the left will reduce the number of actions in your list below, sliding to the right will increase the number. Each tick of the slider will add one control to the list. The target score shows you how much your score will increase if you take all the actions in the queue.

ss_modeler

Second is the action pane. When you open this, you will see a description of the control, explaining why we think it is an effective mitigation, and what we observed about your configuration. We'll also show you some details about the control such as the category (account, device, data), what the user impact of the action is (low or moderate) as well as your measured score. Clicking Learn More will open a fly-out pane that will walk you through taking the desired action.

ss_actionpane

Thirdly, you will see a remediation pane fly-out that explains exactly what you are about to change, and how it will affect your users. Eventually, the Launch Now link (which takes you to a separate security center now) will allow you to make the desired change right from the Secure Score experience.

ss_remediationdescription

Score Analyzer

Since the Secure Score experience is restricted to users that have been designated a Global Tenant Administrator, we wanted to make it easy for admins to analyze and report to their executives and stakeholders their progress on risk mitigation over time. The Score Analyzer experience allows you to review a line graph of your score over time, to export the audit of your control measurements for the selected day to either a PDF or a CSV, and to review what controls you have earned points for, and which ones you could take action on.

ss_mountaingraph

What's Next

As mentioned, the Office 365 Secure Score is in a preview release. Over the coming months you will see us continue to add new controls, new measurements, and improvements to the remediation experiences. If you like what you see, please share with your network. If you see something we can improve, please share it with us on the Office Network Group for Security. We're looking forward to seeing your scores go up, and making the Secure Score experience as useful, simple, and easy as it can be.