Date: 2017-02-14

No Microsoft patches today, but have you looked at your Office 365 Secure Score? It is one step Microsoft has taken to help customers mitigate risks. And at RSA, the company called on tech companies to be a “neutral Digital Switzerland” and to be committed to “100 percent defense and zero percent offense.”

No patches on February Patch Tuesday

Microsoft opted not to release patches on Valentine’s Day, which should have been Patch Tuesday.

The “delay” was announced by MSRC:

Our top priority is to provide the best possible experience for customers in maintaining and protecting their systems. This month, we discovered a last minute issue that could impact some customers and was not resolved in time for our planned updates today. After considering all options, we made the decision to delay this month’s updates. We apologize for any inconvenience caused by this change to the existing plan.

Office 365 Secure Score

So, let’s move on to something else today related to Microsoft and security: Office 365 Secure Score.

The Office 365 Secure Score API has been available to preview since August, but last Friday, Microsoft released it to all commercial customers.

Microsoft identified 77 different factors (security configurations and behaviors) that customers can adopt to mitigate risks to their Office 365 data, and then assigned specific points to specific controls. The higher the points, the more effective that control is meant to be for that risk. A customer’s score is based upon “the extent to which your service has adopted the recommended controls.”

As opposed to assigning critical, moderate or low severity, Microsoft considers Secure Score to be a “non-reactive way to evaluate your risk and make incremental changes over time that add up to a very effective risk mitigation plan.”

On Feb. 10, Microsoft explained why the company thinks it is important to collect Secure Score data. The “four possible business scenarios driving consumption of the Secure Score through an API” are:

Monitor and report on your secure score in downstream reporting tools.

Track your security configuration baseline.

Integrate the data into compliance or cybersecurity insurance applications.

Integrate Secure Score data into your SIEM or CASB to drive a hybrid or multi-cloud framework for security analytics.

There are a number of steps, or “prerequisites,” outlined by Microsoft in order to take advantage of Secure Score. After fulfilling those setup steps, you can access the data if this is something you’d like to try.

Microsoft called for a Digital Geneva Convention and for tech companies to be like a neutral Digital Switzerland

Instead of listing those Secure Score prerequisites out, let’s look at some of the comments made by Microsoft President and Chief Legal Officer Brad Smith during the opening keynote at the RSA conference.

He called for governments to protect civilians on the internet and to assemble a “Digital Geneva Convention.”

Smith wrote in a blog post:

Just as the Fourth Geneva Convention has long protected civilians in times of war, we now need a Digital Geneva Convention that will commit governments to protecting civilians from nation-state attacks in times of peace. And just as the Fourth Geneva Convention recognized that the protection of civilians required the active involvement of the Red Cross, protection against nation-state cyberattacks requires the active assistance of technology companies. The tech sector plays a unique role as the internet’s first responders, and we therefore should commit ourselves to collective action that will make the internet a safer place, affirming a role as a neutral Digital Switzerland that assists customers everywhere and retains the world’s trust.

Microsoft called for tech companies to protect customers, not to help attack them. When it comes to the cyber world, citizens need to be able to rely on tech companies like Microsoft to be committed to “100 percent defense and zero percent offense.”

“Even in a world of growing nationalism, when it comes to cybersecurity the global tech sector needs to operate as a neutral Digital Switzerland,” Smith wrote. “We will assist and protect customers everywhere. We will not aid in attacking customers anywhere. We need to retain the world’s trust. And every government regardless of its policies or politics needs a national and global IT infrastructure that it can trust.”