Microsoft Defender for Cloud Series, Part 3 - What is the Secure Score Card and how to improve its value?

Introduction

As a security architect, I frequently get the question of how to improve the Secure Score Card (posture) of an Azure environment. To give a better understanding, I've written this blog on what it is and how to improve its value. This information can also be found at Microsoft Learn.


What is the Secure Score Card in Defender for Cloud

The Secure Score in Defender for Cloud is a powerful tool that helps you assess and improve the security of your Azure environment by providing actionable recommendations and measuring your progress over time. It is a numerical score that reflects how well your environment is secured, based on the best practices for Azure services and resources. It quantifies your security posture and guides you to improve your security configuration.

When you turn on Defender for Cloud in an Azure subscription, the Microsoft Cloud Security Benchmark (MCSB) standard is applied by default to the subscription, and assessment of the resources in scope against the MCSB standard begins. The MCSB issues recommendations based on the assessment findings. Only built-in recommendations from the MCSB affect the secure score. Currently, risk prioritization doesn't affect the secure score.


Secure Score controls

The Secure Score card is built up based on the table below (which can be found at Microsoft Learn).


How to improve the Score Values

Improving the Secure Score in Microsoft Azure involves following best practices and taking actions to enhance the security posture of your Azure environment. The Secure Score in Azure is a measure of how well your environment aligns with security best practices.

Here are steps to help you improve your Azure Secure Score:

1. Review and Prioritize Recommendations

  • Go to Subscriptions in the Azure Portal, navigate to Secure Score and click on the percentage, or open Microsoft Defender for Cloud (filtering on a specific Azure subscription if required).
  • Review the list of recommendations.
  • Prioritize the recommendations based on severity, impact, and the business requirements of your organization.

2. Enable Security Features

  • Enable Multi-Factor Authentication (MFA): Require MFA for users, especially for administrator roles and users accessing critical resources.
  • Enable Defender Cloud Security Posture Management (CSPM): Defender CSPM offers advanced security posture capabilities from code to cloud for multi-cloud environments.
  • Use Azure Defender: Enable the Defender plans you need to protect against threats in your cloud environment (e.g., Azure Defender for Servers, Databases, etc.).
  • Enable Azure Sentinel (if applicable): For organizations with advanced security operations needs, consider setting up Azure Sentinel, a cloud-native SIEM (Security Information and Event Management) system.

3. Network Security

  • Use Network Security Groups (NSG) to control traffic: Set up NSGs to manage inbound and outbound traffic rules and reduce exposure to unauthorized access.
  • Enable Azure Firewall: If not already configured, consider enabling Azure Firewall for centralized network traffic monitoring and filtering.
  • Configure Virtual Network (VNet): Use VNets and subnets to logically isolate workloads and improve security boundaries.

4. Identity and Access Management

  • Review User Roles and Access: Use role-based access control (RBAC) to assign users only the minimum necessary permissions (principle of least privilege).
  • Use Identity Protection: Enable Azure Identity Protection to monitor risky users, risky sign-ins, and other identity-related security events.
  • Review Security of Entra ID: Implement Conditional Access policies, require MFA, and use Privileged Identity Management (PIM) for managing privileged accounts.

5. Data Protection

  • Enable Data Encryption: Ensure that Azure Storage, SQL Databases, and other sensitive data are encrypted at rest and in transit.
  • Enable Azure Key Vault: Store and manage secrets, keys, and certificates securely with Azure Key Vault.
  • Backup and Disaster Recovery: Set up regular backups and test your disaster recovery plans. Azure Backup and Azure Site Recovery are essential services to ensure business continuity.

6. Monitor and Respond to Threats

  • Enable Continuous Monitoring: Use Azure Security Center to monitor your resources for vulnerabilities and security risks.
  • Enable Azure Defender alerts: Get notified of suspicious activities or vulnerabilities in your environment.
  • Set up Log Analytics: Send logs to Log Analytics for better visibility into security-related events.

7. Use Secure Configuration Baselines

  • Apply Security Baselines: Follow security configuration baselines such as the Azure Security Benchmark or CIS to ensure proper security controls.
  • Enable Secure Score Policies: Use the Security Center Policy feature to enforce security best practices across your environment.

8. Remediate Findings

  • Regularly address the vulnerabilities and issues flagged by Azure Secure Score, which may include tasks like:
    • Enabling encryption for storage accounts.
    • Updating or patching unprotected systems.
    • Enabling logging and monitoring for resources.
    • Changing or restricting open network ports.
  • After completing the remediation, recalculate the Secure Score to check the improvements.

9. Periodic Review and Improvements

  • Regularly check your Secure Score dashboard to see improvements and new recommendations.
  • Revisit security policies and apply updates based on new findings, compliance requirements, and evolving threats.
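As an added example (not from the original post, and not Microsoft's code), the script below recomputes the Secure Score percentage from per-control resource counts and ranks controls by the points they can still earn, which is the "impact" you prioritise on in step 1 and check again in step 8. The input is a constructed sample shaped like Azure Resource Graph rows of type microsoft.security/securescores/securescorecontrols; the handling of controls with no resources in scope is an assumption.

```python
# Constructed sample shaped like Azure Resource Graph rows of type
# 'microsoft.security/securescores/securescorecontrols' (names and counts are made up).
SAMPLE_CONTROLS = [
    {"properties": {"displayName": "Enable MFA", "score": {"max": 10},
                    "healthyResourceCount": 1, "unhealthyResourceCount": 3}},
    {"properties": {"displayName": "Restrict unauthorized network access", "score": {"max": 4},
                    "healthyResourceCount": 5, "unhealthyResourceCount": 5}},
    {"properties": {"displayName": "Enable encryption at rest", "score": {"max": 4},
                    "healthyResourceCount": 8, "unhealthyResourceCount": 0}},
    {"properties": {"displayName": "Apply adaptive application control", "score": {"max": 3},
                    "healthyResourceCount": 0, "unhealthyResourceCount": 0}},
]


def control_score(max_score, healthy, unhealthy):
    """Per-control score as Defender for Cloud computes it:
    max score * healthy resources / (healthy + unhealthy resources).
    Returns None when no resource is in scope (assumption: such a control is
    left out of the overall score instead of counting as 0 or as max)."""
    total = healthy + unhealthy
    if total == 0:
        return None
    return max_score * healthy / total


def summarize(controls):
    """Return (secure score percentage, controls ranked by the points they can still earn)."""
    rows = []
    for control in controls:
        p = control["properties"]
        current = control_score(p["score"]["max"], p["healthyResourceCount"],
                                p["unhealthyResourceCount"])
        if current is None:
            continue  # nothing in scope: neither numerator nor denominator
        rows.append({"name": p["displayName"], "current": current, "max": p["score"]["max"],
                     "potential_gain": p["score"]["max"] - current,
                     "unhealthy": p["unhealthyResourceCount"]})
    current_total = sum(r["current"] for r in rows)
    max_total = sum(r["max"] for r in rows)
    percentage = 100.0 * current_total / max_total if max_total else 0.0
    # Largest remaining gain first: fixing every unhealthy resource in that control
    # returns its full max score, which is what moves the overall percentage most.
    rows.sort(key=lambda r: r["potential_gain"], reverse=True)
    return percentage, rows


if __name__ == "__main__":
    score, ranked = summarize(SAMPLE_CONTROLS)
    print(f"Secure score: {score:.1f}%", [(r["name"], r["potential_gain"]) for r in ranked])
```

In a live environment the same rows come from Resource Graph with properties.score.current already filled in; recomputing it from the counts shows why one unhealthy resource in a high-weight control such as MFA costs more than several in a low-weight one.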

By implementing these steps, you'll gradually increase your Secure Score and improve the security posture of your Azure environment. A continuous commitment to security is essential, so make sure to routinely review your security practices and adopt new recommendations to maintain a strong security posture.