Your Azure secure score, shown in Microsoft Defender for Cloud, is a single measure of your organization's cloud security posture, expressed as a percentage of the security points currently available. It is calculated from the security controls of the Microsoft cloud security benchmark (MCSB), each a logical group of related recommendations that is evaluated against the resources in your subscriptions and connectors.
Each control carries its own maximum number of points, so controls that address more critical risks (for example, enabling MFA or securing management ports) move the score more than controls for lower-risk settings.
The score is recalculated on a regular schedule (every eight hours per subscription or connector, as described below), so it follows changes in your environment closely enough to guide day-to-day decisions about where to spend remediation effort.
Raising the score takes a combination of technical and process changes, such as enforcing Conditional Access in Azure Active Directory (now Microsoft Entra ID) and using Azure Policy to stop non-compliant configurations from being deployed in the first place.
Understanding Azure Secure Score
The Security posture page in Defender for Cloud shows the secure score for your environments overall and for each environment separately.
You can see the subscriptions, accounts, and projects that affect your overall score, information about unhealthy resources, and relevant recommendations.
You can filter by environment, such as Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), and Azure DevOps.
Drilling down into each Azure subscription, AWS account, and GCP project will give you more detailed information.
To improve your Azure secure score, open the recommendations for the subscription you want to work on by selecting it on the Security posture page.
Choose the security risk you want to remove. Different recommendations are worth different amounts, and each one shows the percentage improvement you gain by remediating it.
The ones with the highest priority are also the weaknesses most likely to be used by an attacker against your workload, so start there.
If you have configured a workflow automation (a Logic App) for that recommendation, trigger it to remediate the finding. The score is recalculated on its regular schedule, so allow some time before expecting the change to appear.
Calculating Azure Secure Score
The secure score is calculated every eight hours for each Azure subscription or cloud connector, from the health of the resources in each security control.
The equation for a security control is: current score = (maximum score / total resources) * healthy resources. For example, if a control has a maximum score of 6 and 78 applicable resources, 4 of which are healthy, the current score is 6 / 78 * 4 = 0.3077, displayed as 0.31.
Defender for Cloud scores a single subscription or connector with the same equation applied across all of its controls, against a maximum of 60 points (the sum of the controls' maximum scores). The percentage you see is the current points divided by the total possible points. For multiple subscriptions and connectors, each one is given a weight based on factors such as its number of resources before the scores are combined.
Because the score is built up control by control, you can see exactly which remediations will move it and by how much, and plan your risk reduction accordingly.
How Is It Calculated?
The Azure secure score is calculated from the status of resources within security controls. Each security control contributes to the overall score: healthy resources earn the control's points, and unhealthy resources earn none.
The score is recalculated every eight hours for each Azure subscription or cloud connector, so expect it to move as resources are added, changed, or removed.
The score is a measure of the status of resources within the control, and each resource that is affected by a recommendation within the control contributes to the control's current score. Resources found only by preview recommendations are not included in the score.
The control equation is the one given above: the maximum score is divided by the total number of applicable resources, then multiplied by the number of healthy resources (6 / 78 * 4, or about 0.31, in the earlier example).
Microsoft's documentation (listed under Sources) walks through the calculation in detail and is worth reading to understand how each risk is valued. A single subscription or connector follows the same pattern, with a potential maximum of 60 points.
For a single subscription or connector, the same equation is applied over all of its resources, with the 60-point maximum in place of a single control's maximum. For example, if a subscription with a potential maximum of 60 points currently scores 29 points, the remaining 31 points appear as the Potential score increase figures of its security controls, and each control pays out its full share only when every resource satisfies all of its recommendations.
Get from Resource Graph
You can also read your secure score programmatically through Azure Resource Graph, which gives fast access to resource information across your cloud environments.
Azure Resource Graph is a quick and efficient way to query information across Azure subscriptions programmatically or from within the Azure portal.
To access the secure score for multiple subscriptions with Azure Resource Graph, you'll need to follow these steps:
- From the Azure portal, open Azure Resource Graph Explorer.
- Enter your Kusto query against the SecurityResources table, where Defender for Cloud publishes the secure score and its controls.
- Select Run query.
This returns the score for every subscription in scope in one result set, which you can then drill into by Azure subscription, AWS account, or GCP project in the portal.
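As an added example (not code from the page's sources or from Microsoft), the following Python shows the kind of Kusto query you would paste into Resource Graph Explorer in the steps above, how to run it from a script, and how to rank controls by the points still available. It assumes the azure-identity and azure-mgmt-resourcegraph packages are installed and that DefaultAzureCredential can sign you in (for example after az login); the queries target the microsoft.security/securescores and securescorecontrols resource types in the SecurityResources table, and the SAMPLE_* rows are constructed so the helper functions can be exercised offline.

```python
"""Secure score via Azure Resource Graph: the KQL, a runner, and post-processing.

Added example; it assumes azure-identity and azure-mgmt-resourcegraph are
installed and that DefaultAzureCredential can sign you in. The SAMPLE_* rows
below are constructed, not real tenant data.
"""

# One row per scored subscription: the same numbers the Security posture page shows.
SECURE_SCORE_QUERY = """
SecurityResources
| where type == 'microsoft.security/securescores'
| extend current = todouble(properties.score.current),
         maxScore = todouble(properties.score.max)
| project subscriptionId, current, maxScore, percentage = current / maxScore * 100
"""

# One row per security control per subscription, with resource health counts.
CONTROLS_QUERY = """
SecurityResources
| where type == 'microsoft.security/securescores/securescorecontrols'
| extend controlName = tostring(properties.displayName),
         current = todouble(properties.score.current),
         maxScore = todouble(properties.definition.properties.maxScore),
         healthy = toint(properties.healthyResourceCount),
         unhealthy = toint(properties.unhealthyResourceCount)
| project subscriptionId, controlName, current, maxScore, healthy, unhealthy
"""


def run_query(query, subscriptions=None):
    """Run a KQL query against Azure Resource Graph and return the rows as dicts.

    The Azure SDK imports are local so that the rest of this file runs offline.
    subscriptions=None lets ARG search every subscription the caller can read.
    """
    from azure.identity import DefaultAzureCredential
    from azure.mgmt.resourcegraph import ResourceGraphClient
    from azure.mgmt.resourcegraph.models import QueryRequest

    client = ResourceGraphClient(DefaultAzureCredential())
    response = client.resources(QueryRequest(query=query, subscriptions=subscriptions))
    return response.data


def subscriptions_below(score_rows, threshold_pct):
    """Subscription IDs whose secure score percentage is under the threshold."""
    return [r["subscriptionId"] for r in score_rows if r["percentage"] < threshold_pct]


def potential_increase(control_rows):
    """Rank controls by the points still on the table (max - current), largest first.

    Summed over all controls this equals the 'Potential score increase' figure
    the portal shows for a subscription.
    """
    gaps = [(r["controlName"], round(r["maxScore"] - r["current"], 2)) for r in control_rows]
    return sorted(gaps, key=lambda g: g[1], reverse=True)


# Constructed sample rows in the shape ARG returns for the queries above.
SAMPLE_SCORE_ROWS = [
    {"subscriptionId": "11111111-1111-1111-1111-111111111111",
     "current": 29.0, "maxScore": 60.0, "percentage": 48.33},
    {"subscriptionId": "22222222-2222-2222-2222-222222222222",
     "current": 51.0, "maxScore": 60.0, "percentage": 85.0},
]
SAMPLE_CONTROL_ROWS = [
    {"subscriptionId": "11111111-1111-1111-1111-111111111111", "controlName": "Enable MFA",
     "current": 0.0, "maxScore": 10.0, "healthy": 0, "unhealthy": 5},
    {"subscriptionId": "11111111-1111-1111-1111-111111111111", "controlName": "Secure management ports",
     "current": 2.67, "maxScore": 8.0, "healthy": 1, "unhealthy": 2},
    {"subscriptionId": "11111111-1111-1111-1111-111111111111", "controlName": "Apply system updates",
     "current": 6.0, "maxScore": 6.0, "healthy": 4, "unhealthy": 0},
]

if __name__ == "__main__":
    # Against a real tenant, replace the SAMPLE_* rows with
    # run_query(SECURE_SCORE_QUERY) and run_query(CONTROLS_QUERY).
    print("below 50%:", subscriptions_below(SAMPLE_SCORE_ROWS, 50))
    for name, gap in potential_increase(SAMPLE_CONTROL_ROWS):
        print(f"{name:28s} +{gap:.2f} points available")
```

The two query strings can be pasted unchanged into Resource Graph Explorer; the Python wrapper is useful when you want to schedule the check or feed the results into a ticketing or reporting pipeline.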
Multiple Subscriptions and Connectors
Calculating the secure score across multiple subscriptions and connectors uses a combined equation that takes the relative weight of each subscription and connector into account.
Each subscription and connector is given a weight based on factors such as its number of resources, and that weight determines how much it influences the overall score.
Defender for Cloud determines these relative weights itself; you do not configure them.
The current score for each subscription and connector is calculated in the same way as for a single subscription or connector before the weights are applied.
The combined score is therefore not an average of the individual percentages, but the evaluated posture of all resources across all subscriptions and connectors taken together.
To understand the combined score, it's helpful to look at the Recommendations page, where you can see the potential points available and compare it to the current score.
The difference between the current score and the maximum score available gives you a clear picture of the potential improvements needed.
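As an added example tying together the arithmetic from the Calculating section and the combined score described just above (illustrative Python, not Microsoft's implementation), the block below encodes the control equation, the rule that a resource only earns a control's points when every recommendation in that control passes on it, and a combined score that pools all resources rather than averaging percentages. The pooling model, the control names, the point values, and the resources in SAMPLE_SUBSCRIPTIONS are assumptions constructed for the example; Defender for Cloud's real per-subscription weights are not published on this page.

```python
"""Model of the secure score arithmetic described on this page.

Added example, not Microsoft code. It encodes three things the page states:
  * control score = max_score / total_resources * healthy_resources;
  * a resource is healthy for a control only when every recommendation in that
    control is satisfied for it;
  * the combined score across subscriptions is not an average of their
    percentages but reflects the status of all resources together.
Assumptions: the combined score is modelled by pooling each control's resources
across subscriptions (the real per-subscription weights are not published on
the page), and the control names, maximum points, and resources in
SAMPLE_SUBSCRIPTIONS are constructed. With every MCSB control present the
maximum points total 60, which is the figure the page quotes for a subscription.
"""


def control_score(max_score, total_resources, healthy_resources):
    """The page's equation: current score = (max score / total resources) * healthy resources."""
    if total_resources <= 0:
        raise ValueError("a control needs at least one applicable resource")
    if not 0 <= healthy_resources <= total_resources:
        raise ValueError("healthy resources must lie between 0 and total resources")
    return max_score / total_resources * healthy_resources


def is_healthy(recommendation_status):
    """A resource earns points for a control only when all of the control's
    recommendations pass on it; fixing one of several does not move the score."""
    return all(recommendation_status.values())


def control_points(control):
    """control = {'max': points, 'resources': {name: {recommendation_id: passed}}}"""
    resources = control["resources"]
    healthy = sum(is_healthy(status) for status in resources.values())
    return control_score(control["max"], len(resources), healthy)


def subscription_score(controls):
    """(current points, maximum points, percentage) for one subscription."""
    current = sum(control_points(c) for c in controls.values())
    maximum = sum(c["max"] for c in controls.values())
    return current, maximum, current / maximum * 100


def combined_score(subscriptions):
    """Pool each control's resources across all subscriptions, then score the pool.

    Assumption: this is how the page's 'not an average' statement is modelled here.
    """
    pooled = {}
    for controls in subscriptions.values():
        for name, control in controls.items():
            entry = pooled.setdefault(name, {"max": control["max"], "total": 0, "healthy": 0})
            entry["total"] += len(control["resources"])
            entry["healthy"] += sum(is_healthy(s) for s in control["resources"].values())
    current = sum(control_score(e["max"], e["total"], e["healthy"]) for e in pooled.values())
    maximum = sum(e["max"] for e in pooled.values())
    return current, maximum, current / maximum * 100


# Constructed sample: two subscriptions, two controls each (names and points illustrative).
SAMPLE_SUBSCRIPTIONS = {
    "sub-prod": {
        "Secure management ports": {"max": 8, "resources": {
            "vm-a": {"close-mgmt-ports": True, "jit-access": True},
            "vm-b": {"close-mgmt-ports": True, "jit-access": False},   # half fixed, still unhealthy
            "vm-c": {"close-mgmt-ports": False, "jit-access": False},
        }},
        "Apply system updates": {"max": 6, "resources": {
            "vm-a": {"updates-installed": True}, "vm-b": {"updates-installed": True},
            "vm-c": {"updates-installed": False}, "vm-d": {"updates-installed": False},
        }},
    },
    "sub-dev": {
        "Secure management ports": {"max": 8, "resources": {
            "vm-x": {"close-mgmt-ports": True, "jit-access": True},
        }},
        "Apply system updates": {"max": 6, "resources": {
            "vm-x": {"updates-installed": False}, "vm-y": {"updates-installed": False},
        }},
    },
}

if __name__ == "__main__":
    print("page example 6/78*4 =", round(control_score(6, 78, 4), 2))   # 0.31
    for name, controls in SAMPLE_SUBSCRIPTIONS.items():
        cur, mx, pct = subscription_score(controls)
        print(f"{name}: {cur:.2f}/{mx} points = {pct:.1f}%")
    cur, mx, pct = combined_score(SAMPLE_SUBSCRIPTIONS)
    print(f"combined: {cur:.2f}/{mx} points = {pct:.1f}% (not the mean of the percentages)")
```

Note what the sample shows about remediation order: vm-b in sub-prod has one of its two management-port recommendations fixed and still contributes nothing, while the combined figure (about 42.9%) sits below the mean of the two subscription percentages (about 48.8%) because the larger subscription carries more resources into the pool.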
Accessing Azure Secure Score
You can access the Azure secure score through Azure Security Center (now Microsoft Defender for Cloud) within the Azure portal. This is the primary way to view your score.
There are also other options, including the secure score REST API (the Microsoft.Security/secureScores resource provider), which the source describes as being in preview as of September 2020.
You can also check the Defender for Cloud Overview dashboard, which shows the secure score for all of your environments as a percentage value.
The Azure mobile app also displays the secure score as a percentage value; tapping on it shows the details that explain the score.
You can find your secure score prominently displayed in the Defender for Cloud portal. Selecting the secure score tile on the overview page will take you to the dedicated secure score page.
The dedicated secure score page shows the score broken down by subscription. Selecting a single subscription will show you a detailed list of prioritized recommendations and the potential effect that remediating them will have on the subscription's score.
In summary, the ways to access the Azure secure score are:
- Azure Security Center (now Microsoft Defender for Cloud) within the Azure portal
- Defender for Cloud Overview dashboard
- Azure mobile app
- REST API (Microsoft.Security/secureScores; in preview as of September 2020 per the source)
Tracking and Reporting Azure Secure Score
Tracking and reporting your Azure secure score over time is how you confirm that remediation work is actually improving your posture rather than just moving findings around. The Secure Score Over Time report is available on the Workbooks page of Defender for Cloud.
This report provides ready-made visual tracking of your subscriptions, security controls, and more, so you can monitor progress over time without building your own queries.
The report is a great starting point, but if you're a Power BI user with a Pro account, you can take your tracking to the next level with the Secure Score Over Time Power BI dashboard.
This dashboard contains two reports to help you analyze your security status: Resources Summary and Secure Score Summary. The Secure Score Summary report includes a chart of changes in your score over time, which is useful for spotting regressions that a single snapshot would hide.
To help you investigate any change in your score, the dashboard also includes a table of detected changes that might affect it. This table lists deleted resources, newly deployed resources, and resources whose security status changed for one of the recommendations.
You can find more information on working programmatically with secure score in the dedicated area of the Microsoft Defender for Cloud community on GitHub.
Improving Azure Secure Score
Improving the Azure secure score is where the metric earns its keep: Defender for Cloud shows a secure score for your environments overall and for each environment separately, and the same page tells you which remediations will raise it.
To start, open the recommendations for the subscription whose score you want to raise by selecting it on the Security posture page.
There you can see the subscriptions, accounts, and projects that affect your overall score, information about unhealthy resources, and the relevant recommendations, and you can drill down into each Azure subscription, AWS account, and GCP project.
The MCSB consists of a series of security controls, each a logical group of related security recommendations. A resource counts as healthy for a control only when every recommendation in that control is satisfied for it, so fixing one of several recommendations on a resource does not move the score.
To improve your score, you can either remediate security recommendations from your recommendations list or enforce or deny the recommendations. The Fix option can also be used to resolve an issue on multiple resources quickly.
For example, Defender for Cloud has multiple recommendations for securing management ports. Remediating only some of them on a virtual machine leaves that machine unhealthy for the control; you need to remediate all of them on the machine before it contributes to your secure score.
Here are the two methods to improve your Azure Secure Score:
- Remediate security recommendations from your recommendations list.
- Enforce or deny recommendations to improve your score.
Different resolutions give different percentages of improvement. Always look for the ones with the highest priority first, since those are also the weaknesses most likely to be used by an attacker against your workload.
After selecting the right subscription, you can trigger a workflow automation (a pre-configured Logic App) for the recommendation to remediate that finding, then allow time for the score to be recalculated.
Frequently Asked Questions
What is a good Microsoft Secure score?
A good Microsoft Secure Score for small businesses is around 80%, which the sources describe as a realistic target for most organizations; reaching 100% may require a significant investment in additional Microsoft licensing. Note that Microsoft Secure Score (in Microsoft 365 Defender) is a separate score from the Defender for Cloud secure score discussed above, even though the two are often confused.
How do I check my Microsoft Secure Score?
Check your Microsoft Secure Score by visiting the Secure Score overview page and looking for the "Your secure score" tile. Your current score will be displayed as a percentage, along with the number of points achieved out of the total possible points.
Sources
- https://secwise.be/cloud-security-posture-management-azure-secure-score/
- https://learn.microsoft.com/en-us/azure/defender-for-cloud/secure-score-security-controls
- https://www.altaro.com/hyper-v/boost-your-azure-secure-score/
- https://k21academy.com/microsoft-azure/az-500/microsoft-defender-for-cloud/
- https://learn.microsoft.com/en-us/azure/defender-for-cloud/secure-score-access-and-track