Microsoft Copilot for Security: Partner Private Preview Webinar Takeaways

Do you have highly repeatable security processes?  

What are the limitations between a junior analyst and a senior analyst? What are the responsibilities among them? How are you tracking KPI’s between them?  

What are some workflows specific to your organization that AI could help add efficiency to or in some cases potentially even eliminate? 

These are all questions you need to ask yourself when thinking about the efficiencies possible with Copilot for Security. If you don’t have the answers today, this blog might help you find them.

Difenda has had access to AI security technology and Microsoft Copilot for Security for a long time. As part of the partner private preview, we are one of very few Microsoft partners who have been testing, piloting and prototyping different Copilot capabilities.

While we can’t share everything we’ve learned right now. This blog will go through how Microsoft and Difenda are thinking about and leveraging Copilot today. 

2024 Cybersecurity Trends and Data

The cybersecurity landscape is evolving at an unprecedented pace, driven by a surge in password attacks. The current rate being 4000 per minute, as reported by actual Microsoft Entra ID statistics. This rapid increase underscores not only the sophistication of cyber-attacks but also the challenge organizations face in securing points of access.  

Compounding this issue is a staggering 3.5 million shortage of cybersecurity professionals. Putting further strain on already tight budgets and contributing to the growing asymmetry in cybersecurity dynamics.  

Adversaries are leveraging generative AI technologies to enhance their efficiency and attract more individuals to their cause. Knowing well that they only need to succeed once. This imbalance calls for a radical shift in how security measures are conceptualized and implemented.  

Today’s diverse array of toolsets and frameworks, while extensive, often results in complex, disjointed security architectures that are hard to manage and prone to ‘posture drift”. A scenario where the security stance weakens due to evolving attack methodologies and internal process inconsistencies. 

Responding to this critical juncture, solutions like Microsoft Copilot are stepping forward to level the playing field. Security Copilot aims to streamline and enhance the workflows and capabilities of existing cybersecurity teams. Integrating with current setups, not only addresses the glaring personnel gap but simplifies the onboarding of new members.  

What Is Microsoft Copilot for Security

Microsoft Copilot for Security is the first generative AI security product that empowers security and IT teams to defend at the speed and scale of AI. It is a security platform that reasons over data with an infinite number of plugins and third parties.  

This technology now sits at the center of Microsoft’s end-to-end security workloads and is fed by Microsoft Defender for threat Intel. Once launched, it will have direct integration into the Defender stack, Sentinel, Intune and the Purview stack. 

Learn more about what Microsoft Copilot for Security is and what it does here.

What does Copilot for Security look like?

Microsoft Copilot for Security will offer two different experiences for customers; the standalone and the embedded experience.  

The standalone experience: Security Copilot is its own application where you can prompt, and it will leverage the orchestrator to pull back relevant information across all the plugins in one place. 

The embedded experience: Microsoft has invested heavily in unifying Microsoft Security tools into a landing page where we have included XTR, Sentinel, Copilot and threat Intel all in one. Security Copilot exists within this platform to do two things: offer a summarization of what you’re seeing and offer guided responses. 

Your copilot experience will be grounded in your environment and your data so it will understand and speak your language. 

How Should Businesses Approach Microsoft Security Copilot?

Businesses should have a corporate-wide AI strategy and take this as an opportunity to innovate at the pace that their business is demanding. It is going to require an open mind to think about how are we doing it today versus how can we do it tomorrow. 

Responsible AI 

Microsoft acknowledges the significance of responsible AI and adheres to a set of six foundational principles that guide the creation and engineering of its technologies:  

• Privacy and Security  
• Inclusiveness  
• Accountability  
• Transparency  
• Fairness  
• Reliability and Safety  

These principles serve as the building blocks upon which governance, rules, training, practices, tools, and processes are structured. They enable Microsoft to provide the transparency and accountability that users demand, offering clear citations for data sources and establishing feedback mechanisms to foster continuous improvement and alignment with user expectations. 

When it comes to data handling, Microsoft ensures that user data remains securely contained within their Azure environment. Trust boundaries are meticulously defined and communicated, ensuring that user data is never exploited for training existing or future AI models. Moreover, an immutable audit trail is maintained, offering users the assurance that their data is handled with the utmost care and integrity. 

As organizations navigate the complexities of integrating AI into their operations, it’s imperative to scrutinize the security and responsible AI methodologies employed by technology providers. It’s not merely about the capabilities of the technology but also about the ethical considerations and responsible practices that underpin its development and deployment. 

Efficiency Gains with Security Copilot

Consider the myriad of repeatable processes that occupy most analysts’ time, often detracting from more strategic endeavours. For instance, the laborious task of analyzing suspected phishing emails. Analysts sift through countless emails, dissecting links, assessing scripts, and evaluating IP reputations, all in pursuit of identifying potential threats.  

With Microsoft Copilot for Security, these arduous tasks can be seamlessly automated, allowing analysts to redirect their expertise toward proactive threat mitigation strategies. 

Furthermore, the integration of AI-powered automation extends beyond mere workflow improvement—it catalyzes business continuity and fosters KPI adjustments. Whether organizations rely on in-house models, hybrid approaches, or external partners like Difenda, Microsoft Copilot serves as a unifying force, bridging disparate protocols and harmonizing operational frameworks.  

Maximizing your Security Technology Investment 

Copilot for Security sits at the center of Microsoft’s end-to-end security workloads and is fed by Microsoft Defender for threat Intel. Once launched, it will have direct integration into the Defender stack, Sentinel, Intune, the Purview stack, and Priva, which will come later. 

Because of this, Copilot can harness all your telemetry data beyond just what is on the screen in front of you.  

For those embarking on the journey of technology adoption or contemplating the transition to a consolidated platform like Microsoft’s Defender Stack, Copilot emerges as a potent acceleration tool. It’s more than a simple interface—it’s a strategic advisor capable of guiding you through the intricacies of configuration, policy optimization, and decision-making. 

Copilot Demo 1: Vulnerability Assessment  

In this scenario, Barrett Elkins walked the group through a vulnerability assessment. The assessment was conducted within the standalone environment, focusing on a specific Critical Data Environment (CDE) related to the Log Project.  

The assessment utilizes a stateful prompting session, allowing for seamless continuity in the investigation process.  

Key aspects include identifying vulnerable technologies, accessing threat intelligence articles, determining associated threat actors, and seeking mitigation strategies.  

Copilot for Security hyperlinks relevant information, provides executive summaries and automates the creation of detailed reports. Significantly streamlining the workflow and enhancing productivity for analysts of varying experience levels.  

This approach not only saves time but also ensures curated and comprehensive insights without the need for extensive manual research. 

Copilot Demo 2: Script Analysis 

In the second scenario, a script analysis process is aimed at initiating thoughtful investigation and fostering discussion.  

Utilizing a pre-built prompt book, analysts delve into a detected script, potentially linked to an indicator of compromise. Copilot prompts users to input the script, initiating a series of automated prompts tailored to dissecting the threat’s functionality and assessing its potential threat level.  

Through step-by-step explanations, the Copilot aids analysts of varying experience levels in understanding the script’s intricacies and determining its malicious nature. 

It also identifies associated IP addresses and host names, providing insights into potential threat profiles sourced from threat intelligence. Copilot for Security also offers recommendations for policy changes to mitigate the threat, empowering analysts to take proactive measures to safeguard their environment.  

Finally, a summary is generated, and relevant knowledge bases are updated for future reference, streamlining the process and enhancing analyst proficiency in dissecting scripts and understanding their implications.  

This approach expedites investigations and empowers analysts to make informed decisions in addressing potential security threats. 

Copilot Demo 3: The Embedded Experience 

In the final scenario, a highly rated fraud incident is identified and investigated further.  

The unified dashboard integrates information from Defender, Sentinel, and Copilot, providing a comprehensive view of security events.  

Defender XDR has already mitigated the attack, auto-labeled it, and formulated a specific incident, with Copilot summarizing the details.  

The dashboard offers extensive information about user IP addresses, email addresses, and subject headers, aiding quick analysis. It also guides response actions, prompting the analyst to attest to the phishing incident and suggest a password reset for affected users. 

However, the decision and execution of these recommendations are left to the analyst due to permissions.  

Difenda’s Copilot Custom Skills and Custom Integrations

Throughout the Microsoft Copilot for Security Partner Private Preview, we’ve developed four custom skills that streamline incident response, enhance forensic investigations, and empower our team to mitigate threats effectively.  

• SOC Invoke: Automate incident summary generation, providing quick access to high-level information crucial for rapid decision-making during multi-stage incidents. By leveraging Copilot, analysts can swiftly assess incidents and initiate appropriate response actions. 
• Case Management Setup: Simplify the setup of case infrastructure. Automate the creation of case folders and associated tasks within your case management platform.  
• Artifact Collection: Facilitate the collection of crucial digital artifacts essential for forensic investigations. Copilot orchestrates the deployment of collection agents, ensuring comprehensive data gathering while seamlessly integrating with Sentinel and your case management platform for streamlined documentation and analysis. 
• RIR Chatbot: Enable intuitive communication and collaboration with AI during incident response. By leveraging this custom Copilot skill your team can efficiently address inquiries, access critical information, and make informed decisions in real-time. 

Learn More About Difenda’s Copilot for Security Custom Skills and Integrations.