Inquiry About Security Score Standards in Microsoft Defender for Cloud

Question

Inquiry About Security Score Standards in Microsoft Defender for Cloud

용현 정 105

Hello,

I am currently supporting the operation of Microsoft Defender for Cloud.

I have a question regarding the security score in Microsoft Defender for Cloud.

While I understand that a higher security score indicates a safer cloud environment, I couldn’t find any official documentation on specific standards for interpreting the score.

For example:

High security status: 80% or higher
Average among Azure users: 40%
Needs improvement: Below 20%

If such guidelines were available, it would greatly help in providing explanations to customers.

If there are no official standards, I would appreciate it if you could provide approximate averages or any relevant references.

Thank you.

Sandeep G-MSFT 20,921 Reputation points Microsoft Employee Moderator

2024-11-28T08:43:53.7866667+00:00

@용현 정

Thank you for posting this in Microsoft Q&A.

I am looking into this issue and will get back to you post my research.
용현 정 105 Reputation points

2024-12-02T07:30:55.29+00:00

@Sandeep G-MSFT
Hello, I need to inform the customer about this matter within this week.

Could you please share the current status of the investigation?

I apologize for the urgency, but I would greatly appreciate a prompt response. Thank you!
Andrew Blumhardt 10,051 Reputation points Microsoft Employee

2024-12-03T12:56:38.03+00:00

Adding to what was provided by Sandeep. The secure score will be specific to each organization, making comparing orgs difficult. It is simply a representation of your specific compliance with the recommendations. A guide to help you increase security posture and to develop longer term policy controls. There will always be recommendations that are not practical for your organization or for all resources. You have the option to exclude many of the recommendations but may choose to avoid exclusions for better visibility.

The score becomes an easy tracker of security posture status and changes. I have a customer that runs at 70% most weeks for example. That score fluctuates based on VM availability and organizational changes. Occasionally the recommendations are updated causing a temporary change in the score. We watch for unexpected changes weekly if not more often and continuously strive to increase the score or retuning the score to 70%. Knowing that we will never reach 100% without exclusions. There is a Secure Score Over Time report that is useful once you enable data export.
용현 정 105 Reputation points

2024-12-03T23:24:37.8266667+00:00

@Andrew Blumhardt @Sandeep G-MSFT

Hello,

I understand that the Secure Score is unique to each organization, making it difficult to compare scores between organizations. However, I assume that data on the average Secure Score across typical Azure environments might be available, and I am curious about this information.

The reason I’m asking this is that there is currently no clear benchmark to determine whether the Secure Score of the Azure environment my customer is using is considered high or low. If there are approximate Secure Score metrics based on the overall Azure user base, specific industries, or resource scales, it would greatly help provide clearer explanations to customers.

If any data or reference materials related to this are available, I would greatly appreciate it if you could share them.

Thank you.
용현 정 105 Reputation points

2024-12-03T23:28:44.4966667+00:00

Hello,

I understand that the Secure Score is unique to each organization, making it difficult to compare scores between organizations. However, I assume that data on the average Secure Score across typical Azure environments might be available, and I am curious about this information.

The reason I’m asking this is that there is currently no clear benchmark to determine whether the Secure Score of the Azure environment my customer is using is considered high or low. If there are approximate Secure Score metrics based on the overall Azure user base, specific industries, or resource scales, it would greatly help provide clearer explanations to customers.

If any data or reference materials related to this are available, I would greatly appreciate it if you could share them.

Thank you.
Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2024-12-05T15:50:47.04+00:00

@용현 정 Please send me an email to 'AzCommunity@microsoft.com' with Sub - Attn: Givary and following details in the email body:

Link to this thread/post

We can connect offline and discuss further on this.

Accepted answer

1 additional answer

Your answer

Sandeep G-MSFT 20,921 Reputation points Microsoft Employee Moderator

2024-11-28T08:43:53.7866667+00:00

@용현 정

Thank you for posting this in Microsoft Q&A.

I am looking into this issue and will get back to you post my research.
용현 정 105 Reputation points

2024-12-02T07:30:55.29+00:00

@Sandeep G-MSFT
Hello, I need to inform the customer about this matter within this week.

Could you please share the current status of the investigation?

I apologize for the urgency, but I would greatly appreciate a prompt response. Thank you!
Andrew Blumhardt 10,051 Reputation points Microsoft Employee

2024-12-03T12:56:38.03+00:00

Adding to what was provided by Sandeep. The secure score will be specific to each organization, making comparing orgs difficult. It is simply a representation of your specific compliance with the recommendations. A guide to help you increase security posture and to develop longer term policy controls. There will always be recommendations that are not practical for your organization or for all resources. You have the option to exclude many of the recommendations but may choose to avoid exclusions for better visibility.

The score becomes an easy tracker of security posture status and changes. I have a customer that runs at 70% most weeks for example. That score fluctuates based on VM availability and organizational changes. Occasionally the recommendations are updated causing a temporary change in the score. We watch for unexpected changes weekly if not more often and continuously strive to increase the score or retuning the score to 70%. Knowing that we will never reach 100% without exclusions. There is a Secure Score Over Time report that is useful once you enable data export.
용현 정 105 Reputation points

2024-12-03T23:24:37.8266667+00:00

@Andrew Blumhardt @Sandeep G-MSFT

Hello,

I understand that the Secure Score is unique to each organization, making it difficult to compare scores between organizations. However, I assume that data on the average Secure Score across typical Azure environments might be available, and I am curious about this information.

The reason I’m asking this is that there is currently no clear benchmark to determine whether the Secure Score of the Azure environment my customer is using is considered high or low. If there are approximate Secure Score metrics based on the overall Azure user base, specific industries, or resource scales, it would greatly help provide clearer explanations to customers.

If any data or reference materials related to this are available, I would greatly appreciate it if you could share them.

Thank you.
용현 정 105 Reputation points

2024-12-03T23:28:44.4966667+00:00

Hello,

I understand that the Secure Score is unique to each organization, making it difficult to compare scores between organizations. However, I assume that data on the average Secure Score across typical Azure environments might be available, and I am curious about this information.

The reason I’m asking this is that there is currently no clear benchmark to determine whether the Secure Score of the Azure environment my customer is using is considered high or low. If there are approximate Secure Score metrics based on the overall Azure user base, specific industries, or resource scales, it would greatly help provide clearer explanations to customers.

If any data or reference materials related to this are available, I would greatly appreciate it if you could share them.

Thank you.
Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2024-12-05T15:50:47.04+00:00

@용현 정 Please send me an email to 'AzCommunity@microsoft.com' with Sub - Attn: Givary and following details in the email body:

Link to this thread/post

We can connect offline and discuss further on this.

Answer 1

@용현 정

I apologize for the delay in response.

I have checked with our PG team and got confirmation that there is no specific document which talks about specific standards for interpreting the score.

We have a document which gives us information as follows, The secure score aggregates security findings into a single score so that you can assess, at a glance, your current security situation. The higher the score, the lower the identified risk level is.

Also, we have a document on below,

Viewing the secure score
Exploring your security posture
Calculation of the secure score
Score calculation equations
How we can improve the secure score

Below article which talks about the same,

https://learn.microsoft.com/en-us/azure/defender-for-cloud/secure-score-security-controls

In above article we have a below screenshot,

User's image

The above screenshot is self-explanatory where the color coding talks about the categories of risk.

Below is the link for a video where our PM has explained about the secure score,

https://www.youtube.com/watch?v=oTNeMpTrHZ4

Security recommendations review: https://learn.microsoft.com/en-us/azure/defender-for-cloud/review-security-recommendations

Tracking your score: https://learn.microsoft.com/en-us/azure/defender-for-cloud/secure-score-access-and-trackIf you are still looking for any particular feature or document let me know so that I can check with our internal team and can get back to you on this.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Answer 2

Yuri Diogenes [MSFT] 0 Microsoft Employee

Hello,

There is no such a thing as metrics to evaluate how good the secure score is, because the ideal secure score is always 100%. It wouldn't be appropriate to say that 80% is a good secure score, knowing that threat actors only need one small vulnerability to exploit and penetrate the environment, hence, we always recommend handling secure score in a continuous improvement approach, and always aim for 100%

Share via

Inquiry About Security Score Standards in Microsoft Defender for Cloud

1 additional answer

Your answer