
Security, Compliance, and Identity Blog

What’s new in the public preview for Microsoft Secure Score

Chris Hallum
Feb 10, 2020

Now that we’re well beyond the holiday season, we thought this would be the perfect time to share some Microsoft Secure Score related news. At Ignite 2019 the Microsoft Secure Score team launched its new public preview, which represents the most substantial release since its inception in 2017. The preview was based on over two years of learning and on a team that we’ve grown nearly two-fold so we can accelerate the innovation we deliver moving forward. The preview is well under way and includes many new refinements. This blog will detail all of the top preview improvements and changes since its release.

 

While the overall mission of Microsoft Secure Score remains unchanged, our focus has shifted. In our first iterations we focused on how we surfaced the score itself and on the experience of navigating through a large set of recommendations. With this release and those to come we’re shifting Microsoft Secure Score from simply being a list of threat-prioritized recommendations to one that we hope will become the killer productivity app for security administrators. In the public preview, you’ll see that shift already well under way with features that will help security administrators:

 

  • Better assess their organization’s current security posture
  • Plan, implement and monitor posture improvements
  • Drive meaningful status and planning discussions with leadership

In the material that follows we will walk you through all of the key improvements that you’ll find in the public preview.

 

Assessing your security posture

Making it easier to understand an organization’s security posture was one of our primary goals for this release and we’re adding a series of changes on the Overview page to make that process more effective.

 

The first change is hard to miss and is related to how we represent the score itself. In previous versions of Microsoft Secure Score an organization’s score was exposed in the context of the current points scored over the total points you could achieve (e.g.: 402/707) as can be seen in the image below.

 

The challenge with this representation was that as we added new improvement actions to the tool, the denominator would change. While it couldn’t be any other way, the volatility of both the numerator and denominator made it challenging for security administrators, particularly when discussing the score with leadership. In addition, the numbers themselves (e.g.: 345/959) were challenging to remember and contextualize.

 

Customer feedback suggested that for the score itself we should de-emphasize the actual points achieved and refocus the score on expressing:

 

  • how far down the path of taking full advantage of the available controls they are
  • the outstanding opportunity to improve their score and become more secure

 

This has led us to changing the score to represent a “% Implemented” concept, which effectively represents your true posture as shown in the image below.

 

 

It’s worth noting that we aren’t framing your Microsoft Secure Score as a “% Complete” score, as not every organization will be able to implement every possible improvement action due to user and application requirements.

 

One final note about the score is related to the following changes:

 

  1. The point scale for Improvement Actions has been changed to 1-10 to align with the Center for Internet Security (CIS). Previously the scale was 1-50 points.
  2. Marking an action “Risk Accepted” no longer impacts your score (i.e.: neither the numerator nor the denominator).
  3. The total points for your organization (the denominator) is based on the products you have deployed. Licensed but undeployed products will not impact your score.

 

For long-time users of Microsoft Secure Score, we understand that these changes may take some getting used to. We apologize for any inconvenience and can assure you that we’ve made these changes based on well-defined and tested principles so that the new score model can remain durable over time.

 

I know that was a lot of minutiae here at the beginning. I promise the rest of this blog will be far less in the weeds! 🙂

 

One of the best ways to determine whether your score is good, bad or somewhere in between is to compare it with other organizations. In the previous version of the tool we implemented this comparison experience within the History Card. Based on customer feedback we’ve moved the experience to a new dedicated Comparison Card as shown below.

 

 

This new Card space also gives us the ability to address another customer request, which was the ability for customers to decide for themselves who they want to compare themselves with. In the previous experience the comparison was hardcoded and based on the organization’s size and industry. This has been updated to include organizations licensed with similar products, so you’re no longer being compared to organizations that have access to more or fewer technologies.

 

This subtle change will prove useful to many, but I’m way more excited about the following. In the new version of the experience you now have the ability to create a Custom comparison where you can pick one or more Industries, Organization sizes, Regions and even License Types to compare yourself against. For instance, a small financial institution that needs to secure itself in the same manner as a very large institution can now easily benchmark itself against those that are its true peers.

 

 

In addition to these changes we’ve also made some other basic improvements to the layout. For instance, we’re adding a History Card to display the latest point activity, a Messages from Microsoft Card to surface important security posture related news, and a Resources section to make it easier to get more information about the tool itself.

 

 

Plan, implement and monitor improvements

As mentioned earlier, transitioning Microsoft Secure Score from a tool that is simply a source of information to one that can become the killer productivity app for security administrators is now a top priority for us. We’re just at the beginning of this journey, but even with the new public preview you’ll find that we’ve added some great new features to help you better plan, implement and monitor your security improvements.

 

One of the things our customers asked for is more information on the Details page of each Improvement Action. As you can see in the image below, we’re paving the way for that by increasing the space within the details pages by 300%. With that extra space we’ll be adding more written information, access to history data, custom tagging, and dynamic environment-specific content.

 

 

Regarding dynamic content, we’ll be adding automation to detect your Prerequisites and current Implementation status. The new Implementation status field will prove super useful as it will tell you exactly how much more work is left to do at the instance level (e.g.: 5 of 25 accounts still require updates to score the remaining points…).

 

 

Another thing we’ve added is a new Action History section that will enable security administrators to check on the status of any Improvement Action. With it you’ll be able to see the points status over time as well as a timeline of events, for instance when an Improvement Action changed state (e.g.: moved from “To Address” to “Planned”), when points were gained or lost, etc.

 

 

Customers have asked us to make Microsoft Secure Score a better planning tool, and one of our first stops in this direction is to enable security administrators to mark Improvement Actions as “Planned”. Once done, users can filter the improvement action list by “Planned” so they can use the workspace to work on the currently prioritized list of Improvement Actions.

 

Another thing you can do once you’ve marked a series of Improvement Actions as Planned is go back to the Your Secure Score Card on the Overview page and see what your Projected score will be once they’ve been implemented. To do this, click the Include drop-down and select the Projected score check box.
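To make the scoring rules described above concrete (1-10 points per action, “Risk Accepted” excluded from both numerator and denominator, undeployed products excluded, partial credit at the instance level, and a Projected score that assumes every “Planned” action gets implemented), here is a small toy model written for this post. It is an added illustration, not Microsoft’s implementation; the proportional partial-credit rule, the state names and the sample actions and product names are assumptions.

```python
"""Toy model of the Secure Score preview rules described in this post.
Assumed interpretation written for illustration, not Microsoft's code."""
from dataclasses import dataclass


@dataclass
class ImprovementAction:
    name: str
    max_points: int   # preview scale is 1-10 points per action
    product: str      # product the action belongs to
    state: str        # "To Address", "Planned", "Completed" or "Risk Accepted"
    done: int = 0     # instances already fixed (e.g. accounts updated)
    total: int = 1    # instances in scope

    def points(self) -> float:
        """Assumption: partial credit is proportional to instances fixed."""
        if self.state == "Completed":
            return float(self.max_points)
        return self.max_points * self.done / self.total


def secure_score(actions, deployed_products, include_planned=False):
    """Return (% implemented, points achieved, points achievable)."""
    achieved = achievable = 0.0
    for a in actions:
        if a.product not in deployed_products:   # licensed but undeployed: ignored
            continue
        if a.state == "Risk Accepted":           # out of numerator and denominator
            continue
        achievable += a.max_points
        if include_planned and a.state == "Planned":
            achieved += a.max_points             # Projected score: assume implemented
        else:
            achieved += a.points()
    pct = 100 * achieved / achievable if achievable else 0.0
    return round(pct, 1), achieved, achievable


def rate(pct, good_from, okay_from):
    """Map a score onto admin-defined Good/Okay ranges (Metrics and trends page)."""
    if pct >= good_from:
        return "Good"
    return "Okay" if pct >= okay_from else "Needs attention"


SAMPLE = [  # constructed sample actions; products and names are made up
    ImprovementAction("Require MFA for admin roles", 10, "Azure AD", "Completed"),
    ImprovementAction("Update 25 accounts", 5, "Azure AD", "To Address", done=20, total=25),
    ImprovementAction("Enable safe links", 5, "Mail protection", "Planned"),
    ImprovementAction("Block legacy auth", 5, "Exchange", "Risk Accepted"),
    ImprovementAction("Cloud app policy", 10, "Cloud App Security", "To Address"),
]
DEPLOYED = {"Azure AD", "Mail protection", "Exchange"}   # Cloud App Security not deployed
```

Calling `secure_score(SAMPLE, DEPLOYED)` gives 70.0% (14 of 20 points), and `secure_score(SAMPLE, DEPLOYED, include_planned=True)` gives the Projected score of 95.0%.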

 

Once you’ve marked an Improvement Action as “Planned” you’re going to want to make sure the team follows up and implements it. To enable this we announced the availability of ServiceNow, Microsoft Teams and Planner integration with Microsoft Secure Score. With this capability you can start a conversation via Microsoft Teams or create tasks in Microsoft Planner or ServiceNow.

 

In previous versions of Microsoft Secure Score, monitoring the status of your security posture was fairly limited. You had the score itself and a few other things that were helpful, but there really wasn’t anything optimized to help security administrators hold the line on their current posture or drive the improvements they’d committed to. In the preview you’ll find a new Actions to review Card to help you monitor your posture and stay focused on the most important items, such as fixing regressions, implementing planned actions and reviewing new or updated Improvement Actions that are added to the tool. Those new and updated Improvement Actions, by the way, will now arrive on a 6 month cadence rather than randomly as in previous releases.

 

 

Taking credit with leadership

A feature area that was completely missing from the previous release was a workspace designed to help security administrators discuss their posture status and plans with leadership. To address this need we’ve just added the new Metrics and trends page, which includes a series of Cards to help you conduct those types of conversations.

 

 

As mentioned earlier, the score will differ between organizations, and what may be good for one organization may be quite another story for others. To help organizations better understand their current state in the context of what they consider acceptable versus unacceptable scores, we’ve provided a means for administrators to define score ranges for Good and Okay. This is a perfect place for security administrators to start status discussions with leadership.

 

From here, the next thing we expect security administrators will want to cover with the leadership team is the latest progress they’ve made versus their plan. To address this, the Score changes card is designed to help the security administrator discuss the most recent Points achieved and Points regressed. In addition, this card also includes a New actions added metric that will surface new point opportunities that have been recently added to Microsoft Secure Score.

 

Like all things, organizations tend to drift from their desired state, and to help point out where that drift is happening we’ve added the Regression trend timeline to help security administrators identify and better explain when and why regressions may have occurred.

 

After the administrator has reported on their current state and progress, we expect conversations will lead to one about where they’ll be in the future if they successfully execute on their plans. To help with that part of the conversation we added a means to show your projected score, which shows your future score assuming you implement all of the Improvement Actions currently set to a “Planned” state.

 

 

Wrapping it up

So, there you have it – a whirlwind tour through the new public preview of Microsoft Secure Score. We’d like to encourage you to start taking advantage of it by following the link (http://aka.ms/securescorepreview) and we look forward to your feedback! More information on Microsoft Secure Score can be found at Microsoft Docs (Microsoft Secure Score).

 

Updated May 11, 2021
Version 6.0
JonasBack
Steel Contributor

Chris Hallum I've been waiting for this - awesome work! A question regarding licensing. For example, looking at my improvement actions I see that my rank 2 and 3 are Turn on sign-in risk policy and Turn on user risk policy. But both these require Azure AD Identity Protection which is a part of Azure AD Premium Plan 2 which we don't have. I argue these should not be shown at all until I have the licensing for it. Or at least put them as "not possible" or such? Your comments?

Technodude
Iron Contributor

Chris Hallum Hate to say it.... but... would be really great if it actually worked. I've had a ticket logged with Support now for over a month and they can't fix it. The score shows things that need improving that have already been implemented for well over 6 months. The back-end team completely reset the tenant and the score got worse and even more things that had already been implemented are now showing as 'needing to be enabled'. Great idea.. just a shame such a big sales pitch was made of it at Ignite this year before it was fully tested.