Overe Assess is currently a free security tool that aims to provide a more comprehensive view of security than what Microsoft currently offers.
The Microsoft Secure Score is a percentage value based on a set of controls that are evaluated against the current configuration of a Microsoft tenant.
A score on its own might not mean anything to a user, which is why we want to introduce some guidance around it: explain what is relevant, and what they should do to mitigate the risks they are exposed to based on those scores.
Microsoft achieves this by ranking those controls to give a sense of priority. Each control has a maximum number of score points that can be achieved (for instance, MFA for admins is 10 points), and those points are assigned based on how much of the control is implemented (for admin MFA, if 50% of admins have it enabled, the control scores 5 / 10). Controls are then sorted by the number of points still left to achieve for each one.
This is a good start, but it’s lacking in some ways:
It’s using the same bar to measure all kinds of companies. It’s not taking into account any context about the company being evaluated.
It’s taking into account some controls which the company might not be able to implement, based on their current licenses, and most importantly, it’s not clear about it. One can get a really low score, and not be able to figure out that this is because they are lacking some additional product to improve their posture.
It does not let you know when important security settings have changed, so you need to constantly manually check for changes.
Real-world threats that can affect the business are not highlighted and quantified, leaving businesses unsure why they need to change their settings or invest in a higher-tier offering.
Update: We have also included a deep scanner that looks into users, devices, apps and more to uncover risks.
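To make the scoring and ranking logic described above concrete, here is an added example (written for this page; it is not Overe's or Microsoft's code, and the control names, point values and license names are constructed, as is the hypothetical required_license field). It computes per-control points as max points times the implemented fraction, sorts controls by points left, and then shows the two gaps raised in the list: a score that can optionally exclude controls whose license the tenant does not own, and a snapshot comparison that flags controls whose implementation has regressed since the last check.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Control:
    name: str
    max_points: float
    implemented_fraction: float        # 0.0 (nothing) .. 1.0 (fully implemented)
    required_license: Optional[str] = None   # hypothetical field, not part of Secure Score


def control_score(control: Control) -> float:
    """Points earned = max points x implemented fraction, clamped to [0, 1]."""
    fraction = max(0.0, min(1.0, control.implemented_fraction))
    return control.max_points * fraction


def secure_score(controls: List[Control],
                 owned_licenses: Optional[Set[str]] = None
                 ) -> Tuple[float, List[Tuple[str, float]], List[str]]:
    """Return (percentage, prioritised list of (control, points left), unavailable controls).

    When owned_licenses is None the score behaves like the plain model: every control
    counts, whether or not the tenant can actually implement it. When a license set is
    given, controls that need an unowned license are reported separately instead of
    silently dragging the percentage down.
    """
    applicable, unavailable = [], []
    for c in controls:
        needs_missing_license = (owned_licenses is not None
                                 and c.required_license is not None
                                 and c.required_license not in owned_licenses)
        (unavailable if needs_missing_license else applicable).append(c)

    achieved = sum(control_score(c) for c in applicable)
    possible = sum(c.max_points for c in applicable)
    percentage = round(100.0 * achieved / possible, 1) if possible else 0.0

    # Rank by points still left to gain; ties keep their input order (sorted is stable).
    priority = sorted(((c.name, c.max_points - control_score(c)) for c in applicable),
                      key=lambda item: item[1], reverse=True)
    return percentage, priority, [c.name for c in unavailable]


def regressed_controls(before: Dict[str, float], after: Dict[str, float]) -> List[str]:
    """Names of controls whose implemented fraction dropped between two snapshots."""
    return [name for name, fraction in after.items()
            if name in before and fraction < before[name]]


# Constructed sample tenant: five controls, two of which need an add-on license.
SAMPLE_CONTROLS = [
    Control("Require MFA for administrative roles", 10, 0.5),
    Control("Require MFA for all users", 9, 0.25),
    Control("Turn on Safe Links", 5, 0.0, required_license="EXAMPLE-DEFENDER-ADDON"),
    Control("Enable sign-in risk policy", 7, 0.0, required_license="EXAMPLE-IDENTITY-P2"),
    Control("Block legacy authentication", 8, 1.0),
]
SAMPLE_LICENSES = {"EXAMPLE-BASE-SUITE"}   # constructed: owns neither add-on


if __name__ == "__main__":
    pct_all, ranked_all, _ = secure_score(SAMPLE_CONTROLS)
    pct_owned, ranked_owned, blocked = secure_score(SAMPLE_CONTROLS, SAMPLE_LICENSES)
    print(f"Score counting every control:      {pct_all}%")
    print(f"Score over implementable controls: {pct_owned}%  (needs license: {blocked})")
    for name, left in ranked_owned:
        print(f"  {left:4.2f} points left  {name}")
    yesterday = {c.name: c.implemented_fraction for c in SAMPLE_CONTROLS}
    today = dict(yesterday, **{"Block legacy authentication": 0.6})
    print("Regressed since last check:", regressed_controls(yesterday, today))
```

Running it shows the same tenant at roughly 39% when the unimplementable controls are counted and about 56% when they are excluded, which is exactly the confusion a low score produces when the missing license is never surfaced; the snapshot diff is the part a tool has to run on a schedule, since the score itself does not announce that a setting was turned back off.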