SSPM Posture Score
The SSPM Posture Score represents a SaaS application's security posture as a numeric score and a corresponding posture level. Every SaaS application is assigned a posture level based on its calculated posture score.
Netskope uses a proprietary algorithm to compute the posture score of each SaaS application. SSPM derives the score from the number of failed findings, weighted by severity, relative to the total number of findings generated by the SSPM rules enabled in the policy, and from the risk score of any 3rd Party Apps detected for the application.
SSPM computes the posture score at the lowest level and then propagates it up through the levels. At each step of the propagation, the lowest score from the level below is taken. The posture score is computed at the following levels:
- Netskope Tenant – calculated for the customer's Netskope account.
- SaaS Application Suite – calculated at the app suite level, for example Microsoft 365, Google Workspace, Salesforce or Atlassian.
- SaaS Account – calculated at the SaaS application account (instance) level that is set up via 'Configure App Access'.
- Application – calculated at the individual application level. For example, with Google Workspace, the score is computed separately for Drive, Calendar, etc.
The posture score and posture levels are mapped as follows:
- Excellent – posture score ranging from 90 to 100.
- High – posture score ranging from 75 to 89.
- Medium – posture score ranging from 60 to 74.
- Low – posture score ranging from 50 to 59.
- Poor – posture score ranging from 0 to 49.
- Unknown – the posture score cannot be computed. This happens when either:
  - The SaaS application doesn't have an SSPM policy configured, so no findings exist for the application, and no 3rd Party Apps are detected for the SaaS application.
  - The rules that are part of the SSPM policy have not resulted in any findings, and no 3rd Party Apps are detected for the SaaS application.
Consider an example of how the posture score is computed at the lowest level, i.e. the application level, and propagated up through the levels. Assume the levels for the Microsoft 365 app suite are:
Microsoft 365 (app suite) -> My Account (instance) -> SharePoint, OneDrive, Defender (application)
If the posture scores for the individual applications are:
- Defender – 91
- SharePoint – 62
- OneDrive – 76
Then the propagated posture score for My Account (instance) will be 62, the lowest score among its applications, and the score for Microsoft 365 (app suite) will also be 62.
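The propagation and level mapping described above, as an added example that is not Netskope's own code. Netskope's scoring algorithm is proprietary, so the per-application scores are simply inputs here; the script only models the documented behaviour (the lowest score propagates up through Application -> SaaS Account -> App Suite -> Tenant, and scores map to levels by the documented ranges). The hierarchy, the `Tenant` root name and the treatment of children with no computable score (they are ignored when taking the minimum, and a node whose children all lack a score is Unknown) are assumptions made for the example.

```python
"""Model of SSPM posture score propagation and posture level mapping.

Assumption: per-application scores are given as inputs (the scoring
algorithm itself is proprietary and not reproduced). A node is either a
leaf score (int, or None when no score could be computed) or a dict of
child name -> node. A dict node's score is the lowest score among its
children that have one; if no child has a score, the node is Unknown.
"""
from typing import Optional, Union

Node = Union[Optional[int], dict]

# Posture level ranges from the documentation, as inclusive lower bounds.
LEVELS = [
    (90, "Excellent"),  # 90-100
    (75, "High"),       # 75-89
    (60, "Medium"),     # 60-74
    (50, "Low"),        # 50-59
    (0, "Poor"),        # 0-49
]


def posture_level(score: Optional[int]) -> str:
    """Map a 0-100 score to its posture level; None means Unknown."""
    if score is None:
        return "Unknown"
    if not 0 <= score <= 100:
        raise ValueError(f"posture score out of range: {score}")
    for lower_bound, level in LEVELS:
        if score >= lower_bound:
            return level
    return "Poor"  # not reached: the last bound is 0


def propagate(node: Node) -> Optional[int]:
    """Return a node's score: the lowest known score of its children.

    Assumption: children whose score is None (Unknown) are skipped; a node
    with no scored children is itself Unknown (None).
    """
    if not isinstance(node, dict):
        return node
    known = [s for s in (propagate(child) for child in node.values()) if s is not None]
    return min(known) if known else None


def posture_report(node: Node, name: str = "Tenant", path: tuple = (), out: dict = None) -> dict:
    """Flatten the hierarchy into {path_tuple: (score, level)} for every level."""
    out = {} if out is None else out
    path = path + (name,)
    score = propagate(node)
    out[path] = (score, posture_level(score))
    if isinstance(node, dict):
        for child_name, child in node.items():
            posture_report(child, child_name, path, out)
    return out


# Constructed sample tenant: the Microsoft 365 example from the text plus a
# second suite with an application lacking a score and a suite with nothing.
SAMPLE_TENANT = {
    "Microsoft 365": {
        "My Account": {"Defender": 91, "SharePoint": 62, "OneDrive": 76},
    },
    "Google Workspace": {
        "Corp Workspace": {"Drive": 95, "Calendar": None},
    },
    "Atlassian": {},  # no policy / no findings / no 3rd Party Apps -> Unknown
}


if __name__ == "__main__":
    for path, (score, level) in posture_report(SAMPLE_TENANT).items():
        indent = "  " * (len(path) - 1)
        print(f"{indent}{path[-1]}: {score if score is not None else '-'} ({level})")
```

Running the script prints the tree with My Account and Microsoft 365 both at 62 (Medium), the tenant at 62 because that is the lowest suite score, and Atlassian as Unknown.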
Improve your Security Posture
If the posture score of your apps and instances is poor, you can raise it and thereby improve your security. Start either with the 3rd Party Apps that have the lowest posture score or with the critical severity rules that have the highest number of failures. The following sections describe ways of using SSPM to improve your security posture.
Analyse 3rd Party Apps
The 3rd Party App score has a significant impact on your security posture, so managing 3rd Party App security is a good place to begin. To check the access permissions of a third party app, follow this procedure:
- Navigate to API-enabled Protection > Security Posture SaaS > 3rd Party Apps.
- Click on any 3rd Party App. A pane opens on the right side showing the permissions and scopes requested by this app.
- Analyse the permissions of this 3rd Party App to decide how to improve the posture. As a remediation, you can remove the 3rd Party App for the better health of your environment.
Remediate Failed Findings by Severity
Critical and High severity findings have a significant impact on your security posture, so remediating failed findings of these severities is a good starting point. To remediate failed findings, follow this procedure:
- Navigate to API-enabled Protection > Security Posture SaaS > Apps.
- Click on the total Failed Findings number in the metrics section. The page navigates you to the Findings page filtered to failed results.
- Select Add Filter > Severity > Critical or High.
- Analyse the list of failed critical findings and choose one rule by clicking on it.
- Navigate to the Remediation tab and follow the steps for remediation.
Remediate Failed Findings by Rule
When a large number of resources fail because of one particular rule, it is worth remediating that rule. Doing so clears a large share of your failed findings and gives you the greatest reduction in your failed count. To remediate the rule that fails for the largest number of resources, follow this procedure:
- Navigate to API-enabled Protection > Security Posture SaaS > Apps.
- Click on the total Failed Findings number in the metrics section. The page navigates you to the Findings page filtered to failed results.
- Click on the Rules tab.
- Sort the #Failed Resources column in the table in descending order. The rule at the top is the one with the most failed resources.
- Click on the rule, navigate to the Remediation tab and follow the steps for remediation.
Remove Unwanted Rules from a Policy
Some rules may not be relevant in your environment. In that case, consider disabling the irrelevant rules to reduce the failed findings. To analyse the rules attached to a policy, follow this procedure:
- Navigate to Policies > Security Posture > SaaS > Policies.
- Select a policy by clicking on it.
- Click on the Rule and Action field to see the list of rules assigned to this policy. Review each rule by reading its description; if a rule isn't relevant, consider disabling it in the policy.
- Click Save.