Forum Discussion
Announcement: Office 365 Secure Score Released to Public Preview
- Dec 15, 2016
Another issue with Secure Score.
"You should require that all of your users reset their password at least every 60 days"
This is no longer current best practice where strong passphrases and 2FA are used since more rapid enforced change of passwords leads to the use of weaker ones.
I'd like to see alerting for score changes. If I do the work to improve security, and then another global admin undoes some of that work maliciously or through error, being notified of a score change would be useful. It would also be helpful to be notified of new items when they are added to the tool.
Just to clarify, the [Not Scored] items such as reviewing reports, is the intention to score them eventually? E.g. if I click through that item and review the report, does Secure Score see that and add points to the score?
Also will Secure Score facilitate the regular reviews? E.g. by emailing/notifying me when a review item is due for another review? Or will I need to self-maintain that via a calendar item or similar mechanism?
- BrandonKoeller Aug 16, 2016
Microsoft
Hey Paul,
Thanks for the feedback! I'm adding the notification feature to the backlog. We intend to provide an easy way to 'undo' any given action, but I agree that a notification is a good extension of the control framework.
For your second question, the [Not Scored] items are definitely intended to be scored eventually. It is surprisingly hard to find the source data in the ecosystem, and we wanted to get the experience in the hands of real users sooner rather than later. We exposed the full list of controls because we'd love to hear if you think we've missed anything, or that the identified control is off target.
Lastly, I think facilitating a regular review cadence is a good suggestion. Several of the controls are for report reviews, which happen weekly or monthly. We explicitly wanted to avoid an 'alerting' framework, but finding ways to poke you to come back is a good suggestion. Possibly might use the Security and Compliance Center 'Action Center' functionality for that. For now, you'll have to manage manually.
Thanks again for the feedback!
Brandon Koeller
- Julian Knight Oct 18, 2016 Iron Contributor
BrandonKoeller wrote:
Hey Paul,
... It is surprisingly hard to find the source data in the ecosystem, ...
Well, at last! Someone from Microsoft acknowledging this. Perhaps you could also raise the visibility of some of the audit issues - like missing data from the audit reports.
Also perhaps you could get someone to finally deal with the issue of trying to identify which users have not used the system recently (e.g. have not logged in in the last 90d). This appears to still be virtually impossible, especially when users are not using Exchange Online.
These issues are causing no end of problems.
I recently tried to identify people not using the system in order to recover licenses. I used the audit reports for the last 180d thinking that at the very least all active users must have changed their password in that time and that should have been audited. Needless to say that resulted in nearly 10% of identified users that were actively using the system.
- BrandonKoeller Oct 18, 2016
Microsoft
Hey Julian,
Thanks for the feedback. My comment about the difficulty of finding source data in the system is related to the complexity of the back end ecosystem, not the availability and accessibility of relevant data for customers. In general, customer-facing data stores are meant to be straightforward, at least through the supported interfaces (usually web, api, and powershell). To your point, however, there are some resources that you can use to get your answers:
- The Admin Center Usage Reports page should allow you to discover which users are using which services for any given period of time: https://portal.office.com/adminportal/home#/reportsUsage
- You can also focus just on logons by looking at the list of users and comparing it to the logon activity logs in the service. I've taken the liberty of whipping up a quick powershell script which dumps the UPNs of users who have not logged in for the last 90 days: https://github.com/OfficeDev/O365-InvestigationTooling/blob/master/InactiveUsersLast90Days.ps1
- The Search-UnifiedAuditLog cmdlet, and its web interface (https://protection.office.com/#/unifiedauditlog), is a great resource for tracking any kind of activity in the service.
- If you are targeting illicit activity detection along discrete threat vectors, you can also use our 'Finding Illicit Activity The Old Fashioned Way' article: https://blogs.technet.microsoft.com/office365security/finding-illicit-activity-the-old-fashioned-way/
Thanks!
Brandon Koeller
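One way to do the comparison Brandon describes in his second bullet (the tenant's user list against UserLoggedIn events in the unified audit log), written here as an added example rather than the script he linked. It assumes an already-connected Exchange Online PowerShell session (for Search-UnifiedAuditLog) and the MSOnline module (for Get-MsolUser); the 90-day window, session name and output path are the example's own choices.

```powershell
# Added example: licensed users with no UserLoggedIn audit event in the last N days.
# Assumes Connect-MsolService and an Exchange Online remote session are already done.
param(
    [int]$Days = 90
)

$end   = Get-Date
$start = $end.AddDays(-$Days)

# Search-UnifiedAuditLog returns at most 5000 rows per call, so page through one
# session with ReturnLargeSet until a call comes back empty.
$seen      = @{}
$sessionId = "InactiveUsers-" + [guid]::NewGuid().ToString()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
                -Operations UserLoggedIn -ResultSize 5000 `
                -SessionCommand ReturnLargeSet -SessionId $sessionId
    foreach ($rec in $page) {
        # UserIds holds the UPN that signed in; normalise case before comparing.
        $upn = $rec.UserIds.ToLowerInvariant()
        if (-not $seen.ContainsKey($upn)) { $seen[$upn] = $rec.CreationDate }
    }
} while ($page -and $page.Count -gt 0)

# Compare against every licensed user whose sign-in is not already blocked.
$users = Get-MsolUser -All | Where-Object { $_.IsLicensed -and -not $_.BlockCredential }
$inactive = foreach ($u in $users) {
    $upn = $u.UserPrincipalName.ToLowerInvariant()
    if (-not $seen.ContainsKey($upn)) {
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            DisplayName       = $u.DisplayName
            WindowStart       = $start
            WindowEnd         = $end
        }
    }
}

# Write a review list; nothing is changed in the tenant by this script.
$inactive | Sort-Object UserPrincipalName |
    Export-Csv -Path .\InactiveUsers.csv -NoTypeInformation
Write-Host "$(@($inactive).Count) of $(@($users).Count) licensed users had no sign-in in the last $Days days."
```

The output only reflects sign-ins that reached the unified audit log, so any gap in audit data of the kind Julian describes shows up as a falsely "inactive" user; treat the CSV as a list to review, not as a list to deprovision.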