Score-Based vs Risk-Based Recommendations in Defender for Cloud

Score-Based vs Risk-Based Recommendations in Defender for Cloud

Within Microsoft Defender for Cloud (MDC), security recommendations play a crucial role in enhancing your cloud security posture. Currently, MDC has score-based recommendations and a new risk-based recommendation is coming that is in preview. In this post, we discuss why Microsoft is switching to the risk-based recommendation. First, let’s understand both score-based and risk-based recommendations.

Scored-Based Recommendation

In score-based recommendations, each predefined security control receives a score based on the analysis of the current configurations of resources and services. These recommendations directly impact the secure score. However, risk prioritization does not currently affect the secure score. Also, recommendations flagged as “Preview” are not included in secure score calculations.

This metric aggregates security findings into a single score, allowing you to assess your current security situation at a glance. In the screenshot below, the overall score is 33%, which is not considered satisfactory.

The current secure score is 33%

The score is calculated based on the below equation in Defender for Cloud.

Image credit: MS Docs

Below are the security controls, and based on their current configuration, the score is 33%. This score can be improved if we address the findings of each one.

  • Security control: Security controls are security measures that are implemented to safeguard. In the above image, Enable MFA, Apply system update, Encrypt data in Transit are examples of security controls.
  • Max score: Microsoft has assigned a max score for each security control like MFA can have a score of 10. It means if we remediate all the security findings of MFA then get 10 score.
  • Current score: This column shows the scored score based on the current configuration. We have 1.99 which means we are not in good condition.
  • Potential score increase: if we rectify those security controls, there would be a percentage increase in the total score of the environment. As per the above screenshot, addressing will lead to an increase in the overall score, resulting in a total of 47% (33%+14%).

Risk-based recommendation (Preview)

The risk-based recommendation provides recommendations based on the potential impact of the likelihood of security threats. It assigned risk levels considering contextual factors such as the sensitivity of data, the criticality of systems, and the current threat landscape that helps to mitigate the most significant threats first. The factors that are considered.

  • Internet Exposure: Determines if the resource is accessible from the internet.
  • Data Sensitivity: Considers the sensitivity of data associated with the affected resource.
  • Lateral Movement Potential: Evaluate the possibility of lateral movement within your environment.
  • Attack Path Remediation: Assesses the potential attack paths.

In the below screenshot, every recommendation is associated with a risk level. This risk level reflects how exploitable and impactful the security issue is within your environment.

Hope this was helpful, contact me on Twitter @sakaldeep for any queries.