articles/security-center/secure-score-security-controls.md
17 additions & 8 deletions
@@ -22,16 +22,19 @@ This article introduces the enhanced Secure Score (currently in preview), the ac
22
22
23
23
## Introduction to Secure Score
24
24
25
-
Azure Security Center has two main goals:
25
+
Azure Security Center has two main goals: to help you understand your current security situation, and to help you efficiently and effectively improve your security. The central aspect of Security Center that enables you to achieve those goals is Secure Score.
26
26
27
-
* To help you understand your current security situation
28
-
* To help you efficiently and effectively improve your security
27
+
Security Center continually assesses your resources, subscriptions, and organization for security issues. It then aggregates all the findings into a single score so that you can tell, at a glance, your current security situation: the higher the score, the lower the identified risk level. Use the score to track security efforts and projects in your organization.
29
28
30
-
The central aspect of Security Center that enables you to achieve those goals is **Secure Score**.
29
+
The *enhanced* Secure Score (currently in preview) is **attack surface focused** and brings three benefits:
31
30
32
-
Security Center continually assesses your resources, subscriptions, and organization for security issues. It then aggregates all the findings into a single score so that you can tell, at a glance, your current security situation: the higher the score, the lower the identified risk level.
31
+
-Security Controls - Security recommendations are now grouped into logical set that better reflect your vulnerable attack surfaces. For more details, see [How the Secure Score is calculated](secure-score-security-controls.md#how-the-secure-score-is-calculated) below.
33
32
34
-
You can also use this score to track your security posture over time, and track security efforts and projects in your organization. The enhanced Secure Score (currently in preview) adds a percentage to the display to make it even simpler to track over time:
33
+
- Overall score better reflects the overall posture - Points were awarded at the recommendation level. With this enhancement, your score will only improve when you remediate *all* of the recommendations for a single resource within a control. That means that your score only improves when the security of a resource improves.
34
+
35
+
- Security status of individual attack surfaces is more visible - By showing the score per Security Control, the Secure Score page becomes the place where you can get a granular view of how well your organization is securing each individual attack surface.
36
+
37
+
The enhanced Secure Score is shown as a percentage, as shown in the following screenshot:
35
38
36
39
[](media/secure-score-security-controls/secure-score-with-percentage.png#lightbox)
37
40
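Review bot: The first added benefit bullet starts with "-Security Controls - ..." with no space after the hyphen, so Markdown will not treat it as a list item the way it does the two bullets that follow ("- Overall score ...", "- Security status ..."); add the space. The same line says "grouped into logical set that better reflect", which should read "logical sets that better reflect". In the second bullet, "Points were awarded at the recommendation level" reads as current behavior; prefix it with "Previously," so the contrast with "With this enhancement" is clear. Since the link in the first bullet targets this same file, the anchor alone (#how-the-secure-score-is-calculated) would be enough. The removed sentence about tracking your security posture over time is only partly carried over into the new second paragraph; confirm that dropping "over time" is intended.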
@@ -44,7 +47,7 @@ Security Center displays your score prominently: it's the first thing shown in t
44
47
45
48
Before this preview, Security Center considered each recommendation individually and assigned a value to it based on its severity. Security teams working to improve their security posture had to prioritize responses to Security Center recommendations based on the full list of findings. Every time you remediated a recommendation for a single resource, your Secure Score improved.
46
49
47
-
As part of the enhancements to the Secure Score, recommendations are now grouped into **Security Controls**. These controls are logical groupings of related recommendations. Points are no longer awarded at the recommendation level. Instead, your score will only improve when you remediate *all* of the recommendations for a single resource within a control.
50
+
As part of the enhancements to the Secure Score, recommendations are now grouped into **Security Controls**. A control is a set of security recommendations and the instructions that help you implement those recommendations. Controls are logical groupings of related recommendations. Points are no longer awarded at the recommendation level. Instead, your score will only improve when you remediate *all* of the recommendations for a single resource within a control.
48
51
49
52
The contribution of each Security Control towards the overall Secure Score is shown clearly on the recommendations page.
50
53
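Review bot: The added definition "A control is a set of security recommendations and the instructions that help you implement those recommendations." is immediately followed by the existing "Controls are logical groupings of related recommendations.", so the paragraph now defines a control twice in a row. Merge the two into one sentence, for example "A control is a logical grouping of related security recommendations, together with the instructions that help you implement them." The closing sentence about the score only improving when you remediate *all* recommendations now also appears almost word for word in the new introduction bullets; consider keeping the full statement here and shortening it there.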
@@ -56,11 +59,17 @@ For example, the Security Control called "Apply system updates" has a maximum sc
56
59
57
60
[](media/secure-score-security-controls/apply-system-updates-control.png#lightbox)
58
61
62
+
The value for the Security Control "Apply system updates" in the screenshot above shows "2% (1 Point)". That means that if you remediate all the recommendations in this control, your score will increase by 2% (which in this case is 1 point). For simplicity, values in the recommendations list's "Potential increase" column are rounded to whole numbers. The tooltips show the precise values:
63
+
64
+
***Potential increase** - This shows the remaining points available to you within the control. To get these points added to your Secure Score, remediate all of the control's recommendations. In the example above, the 1 point shown for the control is actually 0.96 points.
65
+
***Current score** - The current score for this control. Each control contributes towards the total score. In this example, the control is contributing 5.04 points to the total.
66
+
***Max score** - The sum of the previous two values.
67
+
59
68
### Calculations
60
69
61
70
|Metric|Calculation|Example|
62
71
|-|-|-|
63
-
|**Secure Score**<br>Single subscription|(Sum of your current points /<br> sum of the maximum score available)<br> * 100|<br>In this example, there is a single subscription with all Security Controls available (a potential maximum score of 60 points). The score shows 27 points out of a possible 60 and the remaining 32 points are reflected in the "Potential score increase" figures of the Security Controls.<br>|
72
+
|**Secure Score**<br>Single subscription|(Sum of your current points /<br> sum of the maximum score available)<br> * 100|<br>In this example, there is a single subscription with all Security Controls available (a potential maximum score of 60 points). The score shows 28 points out of a possible 60 and the remaining 32 points are reflected in the "Potential score increase" figures of the Security Controls.<br>|
64
73
|**Secure Score**<br>Multiple subscriptions|(Sum of your current points for all resources in all subscriptions/<br> sum of the maximum score available)<br> * 100|When viewing multiple subscriptions, Secure Score evaluates all resources within all enabled policies and groups their combined impact on each Security Control's maximum score.<br><br>The combined score is **not** an average; rather it's the evaluated posture of the status of all resources across all subscriptions.<br>Here too, if you go to the recommendations page and add up the potential points available, you will find that it's the difference between the current score (24) and the maximum score available (60).|
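Review bot: The three added tooltip bullets begin with "***Potential increase**", "***Current score**" and "***Max score**", with no space between the list marker and the bold markup, so they will not be parsed as list items; write them as "* **Potential increase** - ..." and so on. They also use "*" as the bullet marker while the bullets added in the introduction use "-"; pick one for the file. For "Max score", stating the value for this example (0.96 + 5.04 = 6 points) would match the other two bullets, which both give concrete numbers. The table fix from 27 to 28 points is consistent with the remaining 32 points and the maximum of 60; the unchanged multiple-subscriptions row still cites a current score of 24, so check that it matches its screenshot.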