Wooden clock

I know that sounds like a bad infomercial for getting six-pack abs, but it’s not. This is a story about the lessons I have learned attempting to increase my Microsoft Defender for Cloud Secure Score and what works (and what did not). Let’s start with what did not work.

What did not work?

  • Let’s get everyone in a conference room and fix this: My previous attempt to tackle the increase of my secure score for a specific environment through sitting down with the team that was responsible for the environment for an hour or two every month to look at the secure score and see what items we could tackle. Unfortunately, the result had little to no impact because the timeframe was insufficient to get things changed due to change control and waiting up to a day to see when changes had been successful.
  • Hoping it would get better on its own: I will admit part of me just hoped that the issue would go away over time without my having to focus efforts to improve it. But, as it’s been said, hope isn’t a strategy.

What is working?

  • Fifteen minutes a day on weekdays: I scheduled a 15-minute appointment every weekday from 8:00 – 8:15 in the morning. This timeframe let me focus on our secure score and see any results (or lack thereof) from changes made the day prior. Additionally, this blocked my calendar each morning so I could focus on this initiative.
  • Teams communication: Communication via Microsoft Teams was truly a key to this approach. We established a group chat for the various SME’s who have resources in the subscription. This group chat led to discussions on specific, actionable items and opened up communication so that there were no surprises as changes occurred in the environment.
  • Removing dead / non-required resources: Unlike in the walking dead, aggressively hunt dead items in your subscription. Don’t let them hang around any longer. If they aren’t required (IE: dead), put a bullet in their head and get them gone. In all seriousness, why work on securing resources that are not even required any longer. Removing them decreases your costs and simplifies the securing of your environment. In my example (see Figure 2), this resulted in almost a 20 point increase in my environment (from 56 to 74).
  • Fix the easy stuff first: Get a win. Then, after removing the dead stuff, go cherry-picking. Find the easy ones to fix—those with quick fixes – especially the scripted ones. Get those knocked out. It’s very motivating to see your secure score increase over time from 26 to 88 (been there, done that, need to make the t-shirt – see Figure 1).
  • Development then production: Hopefully, you have a development environment and a production environment. If so, start with an item in the development environment first and then make the change in production after it’s successful.
  • Track metrics: I track the date, secure score, points secure, points not secure, unhealthy, healthy, and not applicable numbers as part of my 15 minutes a day. I also keep any notes for that date to remember what may have impacted my secure score (see Figure 2).
  • Track specifics: I also track each required change, including any unique indicators and specifics of remediations taken for that item. This is to promote re-use of the remediations for other environments. Additionally, I track what is negatively impacting our secure score in production environments to map back initiatives to work through in the development environments.
  • Schedule changes: Many required changes will need a change control process. These need to be scheduled in advance and approved. I built in any time for these processes as part of the 15 minutes a day. The result is that many days may not involve fixing anything in the environment, but instead, that time is focused on getting paperwork in place to make the change happen.
  • Automate, Automate, Automate: Any change made somewhere for your secure score is extremely likely to be needed again. Develop automated remediations through Azure Automation (PowerShell) and/or LogicApps for reuse.

Figure 1: Current secure score



Figure 2: Tracking metrics

Summary: Based on my experiences, the best approach to improving a secure score is to work on it for 15 minutes every workday. I hope to update this blog post with a 100 score – eventually.