Security Posture - Security Status and Its Measurement
Security posture describes the overall state of an organization’s cybersecurity: the sum of its policies, controls, maturity level, vulnerabilities, and threat exposure. A strong security posture is measurable (Secure Score, compliance rate, mean time to detect and mean time to respond, MTTD/MTTR) and is continuously assessed through cloud security posture management (CSPM), vulnerability management, and security audits.
Security Posture—the security status—is the umbrella term for an organization’s current state of defense against cyber threats. Unlike one-off security audits, security posture is a continuous, measurable state.
Measuring Security Posture
1. Platform-based scores:
Microsoft Secure Score (Entra ID + Microsoft 365):
- 0–100% based on implemented security measures
- Categories: Identity, Device, Apps, Infrastructure, Data
- Measures sorted by impact (points) and effort
- Portal: security.microsoft.com → Secure Score
Typical score improvements: MFA for all admins +10 points, MFA for all users +15 points, block legacy authentication +5 points, password spray protection +3 points.
Microsoft Defender for Cloud Secure Score (Azure): Evaluates Azure infrastructure configuration; CIS, NIST, ISO 27001, GDPR compliance checks.
AWS Security Hub Security Score: Aggregates findings from GuardDuty, Config, Inspector, Macie; CIS AWS Foundations Benchmark; Finding severity levels: Critical, High, Medium, Low, Informational.
2. Quantitative Posture Metrics:
| Category | Metric | Target |
|---|---|---|
| Vulnerability Posture | Open critical vulnerabilities | < 5 per 1,000 assets |
| Vulnerability Posture | Mean time to remediate critical vulnerabilities | < 48 h |
| Vulnerability Posture | Patch compliance rate | > 95% within 30 days |
| Exposure Posture | Exposed management interfaces (RDP, SSH) | 0 |
| Exposure Posture | Unpatched CVEs on the CISA KEV list | 0 |
| Identity Posture | MFA-enabled accounts | 100% |
| Identity Posture | Accounts with outdated passwords (> 12 months) | 0 |
| Identity Posture | Inactive privileged accounts (> 90 days) | 0 (lock immediately) |
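As an added example (not code from the original page), the following Python computes each metric in the table above from inventory, vulnerability and account records and checks it against its target. All records, the CVE identifiers and the KEV subset are constructed for illustration; a real implementation would pull them from the vulnerability scanner, CSPM tool and identity provider.

```python
"""Compute the quantitative posture metrics from constructed inventory data."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

TODAY = date(2024, 6, 1)  # fixed reference date so the results are reproducible


@dataclass
class Asset:
    name: str
    patch_due: Optional[date]          # release date of the latest required patch
    patched_on: Optional[date]         # when it was applied (None = still missing)
    exposed_ports: List[int] = field(default_factory=list)  # internet-facing ports


@dataclass
class Vuln:
    asset: str
    cve: str
    severity: str                      # Critical / High / Medium / Low
    found: date
    fixed: Optional[date] = None


@dataclass
class Account:
    name: str
    mfa: bool
    password_set: date
    privileged: bool
    last_login: date


# Constructed sample data (not from any real environment)
ASSETS = [
    Asset("web-01", date(2024, 5, 1), date(2024, 5, 10), [443]),
    Asset("web-02", date(2024, 5, 1), None, [443, 22]),      # unpatched, SSH exposed
    Asset("db-01", date(2024, 4, 1), date(2024, 4, 5), []),
    Asset("jump-01", date(2024, 5, 1), date(2024, 5, 2), [3389]),  # RDP exposed
]
VULNS = [
    Vuln("web-02", "CVE-2024-0001", "Critical", date(2024, 5, 1)),            # still open
    Vuln("web-01", "CVE-2024-0002", "Critical", date(2024, 5, 1), date(2024, 5, 2)),
    Vuln("db-01", "CVE-2024-0003", "Critical", date(2024, 4, 1), date(2024, 4, 3)),
    Vuln("jump-01", "CVE-2024-0004", "High", date(2024, 5, 20)),
]
ACCOUNTS = [
    Account("alice", True, date(2024, 1, 1), True, date(2024, 5, 30)),
    Account("bob", False, date(2022, 1, 1), False, date(2024, 5, 31)),
    Account("svc-backup", True, date(2023, 1, 15), True, date(2024, 1, 15)),
    Account("carol", True, date(2024, 3, 1), False, date(2024, 5, 29)),
]
KEV: Set[str] = {"CVE-2024-0001"}   # constructed stand-in for the CISA KEV catalogue
MGMT_PORTS = {22, 3389}             # SSH and RDP


def open_criticals_per_1000(vulns, assets) -> float:
    open_crit = sum(1 for v in vulns if v.severity == "Critical" and v.fixed is None)
    return open_crit * 1000 / len(assets)


def mttr_critical_hours(vulns) -> Optional[float]:
    """Mean time from discovery to fix for remediated critical findings."""
    fixed = [v for v in vulns if v.severity == "Critical" and v.fixed is not None]
    if not fixed:
        return None
    return sum((v.fixed - v.found).days * 24 for v in fixed) / len(fixed)


def patch_compliance_pct(assets) -> float:
    """Share of assets that applied their required patch within 30 days of release."""
    due = [a for a in assets if a.patch_due is not None]
    ok = sum(1 for a in due if a.patched_on and (a.patched_on - a.patch_due).days <= 30)
    return ok * 100 / len(due)


def exposed_mgmt_interfaces(assets) -> int:
    return sum(1 for a in assets if MGMT_PORTS & set(a.exposed_ports))


def unpatched_kev(vulns) -> int:
    return sum(1 for v in vulns if v.fixed is None and v.cve in KEV)


def mfa_coverage_pct(accounts) -> float:
    return sum(1 for a in accounts if a.mfa) * 100 / len(accounts)


def outdated_passwords(accounts, today) -> int:
    return sum(1 for a in accounts if (today - a.password_set).days > 365)


def inactive_privileged(accounts, today) -> int:
    return sum(1 for a in accounts if a.privileged and (today - a.last_login).days > 90)


def evaluate(assets=ASSETS, vulns=VULNS, accounts=ACCOUNTS, today=TODAY) -> Dict[str, dict]:
    """Return every metric with its value and whether the target from the table is met."""
    checks = {
        "open_critical_per_1000_assets": (open_criticals_per_1000(vulns, assets), lambda v: v < 5),
        "mttr_critical_hours": (mttr_critical_hours(vulns), lambda v: v is None or v < 48),
        "patch_compliance_pct": (patch_compliance_pct(assets), lambda v: v > 95),
        "exposed_mgmt_interfaces": (exposed_mgmt_interfaces(assets), lambda v: v == 0),
        "unpatched_kev": (unpatched_kev(vulns), lambda v: v == 0),
        "mfa_coverage_pct": (mfa_coverage_pct(accounts), lambda v: v == 100),
        "outdated_passwords": (outdated_passwords(accounts, today), lambda v: v == 0),
        "inactive_privileged": (inactive_privileged(accounts, today), lambda v: v == 0),
    }
    return {name: {"value": value, "met": check(value)} for name, (value, check) in checks.items()}


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:32} {result['value']!s:>8}  {'OK' if result['met'] else 'MISS'}")
```

With the constructed data only the MTTR target is met; every other row of the table fails, which is the kind of output a monthly posture report would turn into remediation tickets.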
3. Maturity Models:
- CMMC Level 1: Basic Cyber Hygiene (17 practices)
- CMMC Level 2: Advanced (110 practices from NIST SP 800-171) – Mandatory for U.S. defense contractors
- CMMC Level 3: Expert (NIST SP 800-172 supplements)
- CIS Controls IG1: Basic Cyber Hygiene - 56 safeguards for all organizations
- CIS Controls IG2: +74 safeguards for medium-sized organizations
- CIS Controls IG3: +23 safeguards for enterprises (APT protection)
Security Posture Dashboard (Example):
| Category | Score | Trend |
|---|---|---|
| Overall Score | 73/100 | ↑ +5 (30d) |
| Identity | 82% | ↑ |
| Endpoint | 61% | ↑ |
| Cloud | 78% | → |
| Network | 70% | ↑ |
| Data | 54% | ↓ |
Critical Issues: 2 servers without critical patch (CVE-2024-XXXX), 1 S3 bucket with public read access, root account without MFA.
Continuously Improve Security Posture
Security Posture Improvement Cycle:
- MEASURE: Automated scanning (vulnerability scanner, CSPM, security score) + manual review (annual penetration test, audit)
- PRIORITIZE: Critical + externally accessible vulnerabilities immediately; Identity vulnerabilities (no MFA) high priority; compliance gaps according to regulatory timeline
- REMEDY: Jira/ServiceNow tickets with SLA, ownership assigned per team/person, patch process / configuration change / policy update
- VALIDATE: Re-scan after remediation, penetration test verification for critical issues
- REPORT: Monthly posture report, trend analysis (improved/worsened?), business impact of open issues
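The PRIORITIZE, REMEDY, VALIDATE and REPORT steps above can be expressed as a small triage pipeline. The following Python is an added example, not code from the original page: findings, owners and the two scan results are constructed, and the SLA days per priority tier (P1 = 1 day, P2 = 3 days, P3 = 30 days) as well as the rule that an internal critical finding lands in P2 are assumptions to be replaced by the organization's own policy.

```python
"""Triage findings into SLA tickets, validate a re-scan, and report the trend."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed SLA per priority tier, in days; set per the organization's policy
SLA_DAYS = {"P1": 1, "P2": 3, "P3": 30}
TIER_ORDER = {"P1": 0, "P2": 1, "REG": 2, "P3": 3}


@dataclass(frozen=True)
class Finding:
    id: str
    title: str
    severity: str                       # Critical / High / Medium / Low
    external: bool                      # reachable from the internet
    category: str                       # "vuln", "identity", "compliance", "config"
    owner: str                          # team that owns remediation
    regulatory_deadline: Optional[date] = None   # compliance gaps only


def priority(f: Finding, today: date) -> Tuple[str, date]:
    """Apply the PRIORITIZE rules and return (tier, due date)."""
    if f.severity == "Critical" and f.external:
        tier = "P1"                     # critical + externally accessible: immediately
    elif f.category == "identity":
        tier = "P2"                     # identity gaps such as missing MFA: high priority
    elif f.category == "compliance" and f.regulatory_deadline is not None:
        return "REG", f.regulatory_deadline   # compliance gaps follow the regulatory timeline
    elif f.severity == "Critical":
        tier = "P2"                     # assumption: internal critical findings are high priority
    else:
        tier = "P3"
    return tier, today + timedelta(days=SLA_DAYS[tier])


def create_tickets(findings: List[Finding], today: date) -> List[Dict]:
    """REMEDY: one ticket per finding with owner, tier and SLA due date, most urgent first."""
    tickets = []
    for f in findings:
        tier, due = priority(f, today)
        tickets.append({"finding": f.id, "title": f.title, "owner": f.owner,
                        "tier": tier, "due": due})
    return sorted(tickets, key=lambda t: (TIER_ORDER[t["tier"]], t["due"]))


def validate_rescan(before: List[Finding], after: List[Finding]) -> Dict[str, List[str]]:
    """VALIDATE: compare finding IDs from the original scan with the re-scan."""
    b, a = {f.id for f in before}, {f.id for f in after}
    return {"closed": sorted(b - a), "still_open": sorted(b & a), "new": sorted(a - b)}


def posture_trend(previous_score: int, current_score: int) -> Tuple[str, int]:
    """REPORT: direction and size of the change since the last report."""
    delta = current_score - previous_score
    direction = "improved" if delta > 0 else "worsened" if delta < 0 else "unchanged"
    return direction, delta


# Constructed scan results (not from any real environment)
TODAY = date(2024, 6, 1)
SCAN_1 = [
    Finding("F-1", "RCE on internet-facing VPN gateway", "Critical", True, "vuln", "network"),
    Finding("F-2", "Admin accounts without MFA", "High", False, "identity", "iam"),
    Finding("F-3", "Log retention below ISO 27001 requirement", "Medium", False,
            "compliance", "grc", date(2024, 9, 30)),
    Finding("F-4", "Critical patch missing on internal DB", "Critical", False, "vuln", "platform"),
    Finding("F-5", "Outdated TLS cipher on intranet portal", "Low", False, "config", "web"),
]
SCAN_2 = [  # re-scan: F-1 and F-2 remediated, F-3/F-4/F-5 still open, one new finding
    SCAN_1[2], SCAN_1[3], SCAN_1[4],
    Finding("F-6", "S3 bucket with public read access", "High", True, "config", "cloud"),
]


if __name__ == "__main__":
    for t in create_tickets(SCAN_1, TODAY):
        print(f"{t['tier']:3} {t['finding']} due {t['due']} owner={t['owner']}  {t['title']}")
    print(validate_rescan(SCAN_1, SCAN_2))
    print(posture_trend(68, 73))
```

The ticket queue puts the internet-facing critical finding first with a one-day due date, the identity and internal critical findings next, the compliance gap on its regulatory deadline, and the low-severity configuration issue last; the re-scan diff then shows which tickets can be closed and which findings are new since the last cycle.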
Security Posture vs. Security Audit vs. Penetration Test:
| | Security Posture | Security Audit | Penetration Test |
|---|---|---|---|
| Frequency | Continuous, automated | Ad hoc (annual, post-incident) | Ad hoc (annual to quarterly) |
| Method | Self-assessment + tool-based | External independent assessment | Simulated attack on real systems |
| Purpose | Internal control metric, trend tracking | Certification/compliance evidence (ISO 27001, SOC 2) | Finds what scanners miss (logic errors, combinations) |