Forum Discussion
Brandon Koeller
Microsoft
Aug 12, 2016Announcement: Office 365 Secure Score Released to Public Preview
Microsoft is pleased to announce the preview availability of a new security analytics service called the Office 365 Secure Score. The Secure Score is a security analytics tool that will help you unde...
- Dec 15, 2016
Another issue with Secure Score.
"You should require that all of your users reset their password at least every 60 days"
This is no longer current best practice where strong passphrases and 2FA are used since more rapid enforced change of passwords leads to the use of weaker ones.
Paul Cunningham
Aug 16, 2016Steel Contributor
I'd like to see alerting for score changes. If I do the work to improve security, and then another global admin undoes some of that work maliciously or through error, being notified of a score change would be useful. It would also be helpful to be notified of new items when they are added to the tool.
Just to clarify, the [Not Scored] items such as reviewing reports, is the intention to score them eventually? E.g. if I click through that item and review the report, does Secure Score see that and add points to the score?
Also will Secure Score facilitate the regular reviews? E.g. by emailing/notifying me when a review item is due for another review? Or will I need to self-maintain that via a calendar item or similar mechanism?
Brandon Koeller
Microsoft
Aug 16, 2016Hey Paul,
Thanks for the feedback! I'm adding the notification feature to the backlog. We intend to provide an easy way to 'undo' any given action, but I agree that a notification is a good extension of the control framework.
For your second question, the [Not Scored] items are definitely intended to be scored eventually. It is surprisingly hard to find the source data in the ecosystem, and we wanted to get the experience in the hands of real users sooner rather than later. We exposed the full list of controls because we'd love to hear if you think we've missed anything, or that the identified control is off target.
Lastly, I think facilitating a regular review cadence is a good suggestion. Several of the controls are for report reviews, which happen weekly or monthly. We explicitly wanted to avoid an 'alerting' framework, but finding ways to poke you to come back is a good suggestion. Possibly might use the Security and Compliance Center 'Action Center' functionality for that. For now, you'll have to manage manually.
Thanks again for the feedback!
Brandon Koeller
Thanks for the feedback! I'm adding the notification feature to the backlog. We intend to provide an easy way to 'undo' any given action, but I agree that a notification is a good extension of the control framework.
For your second question, the [Not Scored] items are definitely intended to be scored eventually. It is surprisingly hard to find the source data in the ecosystem, and we wanted to get the experience in the hands of real users sooner rather than later. We exposed the full list of controls because we'd love to hear if you think we've missed anything, or that the identified control is off target.
Lastly, I think facilitating a regular review cadence is a good suggestion. Several of the controls are for report reviews, which happen weekly or monthly. We explicitly wanted to avoid an 'alerting' framework, but finding ways to poke you to come back is a good suggestion. Possibly might use the Security and Compliance Center 'Action Center' functionality for that. For now, you'll have to manage manually.
Thanks again for the feedback!
Brandon Koeller
- Julian KnightOct 18, 2016Steel Contributor
Brandon Koeller wrote:
Hey Paul,
... It is surprisingly hard to find the source data in the ecosystem, ...Well, at last! Someone from Microsoft acknowledging this. Perhaps you could also raise the visibility of some of the audit issues - like missing data from the audit reports.
Also perhaps you could get someone to finally deal with the issue of trying to identify which users have not used the system recently (e.g. have not logged in in the last 90d). This appears to still be virtually impossible, especially when users are not using Exchange Online.
These issues are causing no end of problems.
I recently tried to identify people not using the system in order to recover licenses. I used the audit reports for the last 180d thinking that at the very least all active users must have changed their password in that time and that should have been audited. Needless to say that resulted in nearly 10% of identified users that were actively using the system.
- Brandon KoellerOct 18, 2016
Microsoft
Hey Julian,
Thanks for the feedback. My comment about the difficulty of finding source data in the system is related to the complexity of the back end ecosystem, not the availability and accessibility of relevant data for customers. In general, customer-facing data stores are meant to be straightforward, at least through the supported interfaces (usually web, api, and powershell). To your point, however, there are some resources that you can use to get your answers:
-The Admin Center Usage Reports page should allow you to discover which users are using which services for any given period of time: https://portal.office.com/adminportal/home#/reportsUsage
-You can also focus just on logons by looking at the list of users and comparing it to the logon activity logs in the service. I've taken the liberty of whipping up a quick powershell script which dumps the UPNs of users who have not logged in for the last 90 days: https://github.com/OfficeDev/O365-InvestigationTooling/blob/master/InactiveUsersLast90Days.ps1
-The Search-UnifiedAuditLog cmdlet, and its web interface (https://protection.office.com/#/unifiedauditlog) is a great resource to tracking any kind of activity in the service.
-If you are targeting illicit activity detection along discrete threat vectors, you can also use our 'Finding Illicit Activity The Old Fashioned Way' article: https://blogs.technet.microsoft.com/office365security/finding-illicit-activity-the-old-fashioned-way/
Thanks!
Brandon Koeller- Julian KnightOct 20, 2016Steel Contributor
Also, thanks for the pointer to the Investigation Tooling Github. I've run the script to check for users not logged in in the last 90d but the first entry that it reports is one that I know is used daily because the person sits behind me in the office! They are a very heavy Office 365 user as they helped my set up our tenant.