
Take a Security Health Check with assess365

Posted : 19 June 2024

Posted In : Blogs

Written by:

Andrew Dansie, Security Solutions Architect

What is it and why do you need it?

In a world where navigating the cybersecurity landscape is not easy, not having a security health check is like flying a plane without a GPS – you won’t really know where you are or where you are going.

So, how can you assess the current security position of your infrastructure and map out the way ahead? The answer lies in transforming data into actionable information and information into valuable knowledge. Accomplishing this amidst the vast sea of settings, logs, and policies in an IT environment can be an overwhelming manual task—one that demands sophisticated programmatic tools. Ultimate oversight and governance require the discerning judgment of human expertise.

This is where assess365 security health check comes in. assess365 offers a quick and easy AI-driven cybersecurity assessment of your infrastructure, including Microsoft 365 and Azure. The process is consultative and it is all aligned with internationally recognised CIS™ standards, based on the CIS v8 framework.

CIS v8

CIS (Center for Internet Security) is a global community-driven organisation with the aim of safeguarding public and private organisations against cyber threats. assess365 harnesses the CIS controls to create a framework for analysing and informing on your security posture.

The CIS v8 controls consist of 18 top-level controls which themselves divide into sub-controls (known as ‘safeguards’).

These safeguards are classified into three ‘implementation groups’ (IG1, IG2 and IG3), with IG1 being the lowest of the groups and aimed at ‘basic’ cyber hygiene. If you are just starting to get to grips with putting a formal framework around your security systems, then IG1 is probably the best place to start. As those controls are formalised and embraced by your organisation, you can then think about moving forward to the IG2 set of safeguards or going straight on to IG3.

assess365 comes in two flavours – the ‘quick’ and ‘full’ implementations. These map to the CIS IG1 and IG3 safeguards. The graphic below gives you an idea of the controls as they relate to the implementation groups. For more in-depth information, visit the CIS website: CIS Critical Security Controls Implementation Groups (cisecurity.org).

CIS Critical Security Controls Implementation Groups (from cisecurity.org)

The assess365 Process

Two methods are involved in the assess365 process: the questionnaire and the infrastructure scan.

The questionnaire is a consultative process – you’re not on your own and we will guide you through each question. Various topics are covered following the CIS v8 framework. Depending on whether the full or quick assessment is being undertaken, there can be up to 18 top-level controls and differing safeguards.

In tandem with the questionnaire, we programmatically gather information from your desktops, laptops, Active Directory, Azure, Office365 and email settings.

Together with the questionnaire answers, a report and presentation are compiled. These are discussed with you and suggestions are presented to help improve your security posture.

This is all fine – and extremely useful – as a one-off exercise, but security doesn’t stand still.

assess365 lets you schedule the reports during the year to keep on top of your security roadmap, and gives you an indication of the progress since the last scan. It also helps you address new components as the CIS controls and vulnerabilities evolve.

Below, we’ll dive a bit deeper into the mechanics of the scanning process.

How does it work?

The Azure and Office365 scans employ an Azure Application that will discover and extract information from Intune, Office365 components (SharePoint, Exchange etc), Azure AD and the various versions of Defender.

Endpoints are scanned with a script that can be deployed via GPO, Intune or run manually if required.

Azure AD is scanned via LDAPS.

This all feeds back into an application that is usually hosted on a dedicated Virtual Machine (typically in Azure, but this can also be on-premises).

The questionnaire responses are also logged in this application, which will then create the bare bones of a report that will be further refined by one of our consultants.

The Report

The report is a detailed analysis based around the CIS controls discussed earlier. Gaps in security settings and policies are highlighted and a roadmap of improvements is presented. This roadmap is divided into immediate, 30-90-day and 90-day+ actions to provide a practical plan of action.

The report presents the findings as a ‘maturity level’ and ‘maturity score’ as displayed here. This is based on a model developed by Microsoft (Security Maturity Model) and is consistent with the Software Optimisation Model (SOM).

Presentation of 4 level gradings of organisation security used in assess365 reporting

This is how they are presented in the report itself.

Example security level of organisation from a sample report

Example maturity score of organisation security from a sample report

Sample of action plan

This is an easy way to present an overview of how well the organisation is approaching cybersecurity defence. It also provides a benchmark to measure against in future assessments.

Action plans are drawn up and presented in a format that both identifies the actions and provides suggested software or licensing to help achieve the goals.

The maturity scores are further broken down to provide a focus on where your attention should be aimed. For instance, the below extract of a quick scan shows that ‘Audit Management’, ‘Malware Defences’ and ‘Incident Response Management’ are all well under control, but ‘Network Infrastructure Management’ needs to be addressed.

CIS v8 scoring sample from assess365 report

The questionnaire is further analysed and presented with ‘urgent’ and ‘high’ recommendations to allow a focus on the most important issues to tackle. Advice and recommended products are presented to support further research on how to resolve the concerns.

Sample of advice given to address high level security concerns from assess365 report

The technical data is then included – we won’t go through the full details as it is a very extensive report, but, in short, it includes a status, conclusion and recommendation in the following areas:

Device Encryption, PII (Personally Identifiable Information) exposure, shared documentation and links, unused accounts, accounts without MFA, privileged accounts, updates and patching, email (SPF, DKIM and DMARC), Antivirus, Cybersecurity Awareness and more.

It is a very in-depth technical analysis that would take many days to perform manually; however, thanks to the AI-powered process, it is vastly accelerated. The following is a snippet from one of the report sections.

assess365 sample report M365 quantitative analysis

The Presentation

As discussed, the report contains a lot of detail and information and, although there is an ‘executive summary’, it is probably of more use to IT senior management, with whom we typically deliver and discuss the report. One of the goals of the assessment is to align the IT and Security teams with the Business Management teams. This is delivered remotely via a Microsoft Teams meeting or in person. We advise that the decision makers from the IT and non-IT sides of the business attend to gain the maximum benefit from the process. This gives the opportunity for all sides to gain an insight and appreciation of the cyber security position of the company.

The following example of one of the slides shows how we present an overview of the topic for more in-depth discussion, which is driven by all the attendees. We’re not just madly clicking through the slide deck!

assess365 management summary sample from report

PowerBI Reports

As a bonus, we can also provide you with a PowerBI report from the data export. Because this is sensitive data, we only provide this on your Office365 tenant (you will need a PowerBI Pro licence).

Examples of a few of the PowerBI pages are shown below.

M365 Copilot readiness assessment sample results

The below displays a sample organisation’s Microsoft Secure Score and Cloud Secure Score as well as other major categories of risk scoring.

M365 risk scoring sample results

Key Take-aways

assess365 provides a holistic view of the cybersecurity position together with fact-based recommendations based on an internationally recognised cybersecurity framework.

assess365 provides you with detailed insight into your company’s security posture. It is designed for IT and CISO functions: a tailored report will be provided with an action plan. For the Business Management roles, a tailored presentation is provided including a roadmap, alongside interactive PowerBI reporting.

Navigating the cybersecurity storm without a GPS is risky business. assess365 provides a clear understanding of where you are so you can set coordinates for cyber safety.

Learn more by downloading your guide to assess365 here or get in touch to book your assessment.
