At this year’s Microsoft Ignite conference, everyone was watching to see what the latest improvements in artificial intelligence would bring. With Microsoft’s investment in the OpenAI project, they have been quick to integrate the impressive large language models into several of their core offerings, like Office. However, the most interesting application of AI has been to the fast-moving security landscape. At Ignite, Microsoft showcased what can be accomplished at the intersection of Defender, Sentinel, and Copilot.
In the Ignite demonstration, presenter and Microsoft Director of Threat Intelligence Strategy Sherrod DeGrippo walked the audience through an example of a security incident that showed the power of automation in security. The scenario involved a user clicking on a phishing link and providing credentials. These compromised credentials were then used by an attacker attempting to gain access to financial data in SAP. With Defender XDR, the end user’s SAP access and Active Directory (AD) credentials were disabled automatically. Sentinel then displayed all information related to the incident: the phishing email that came in, the link that the user clicked, and the external malicious IP address that later connected with the stolen credentials. This is impressive on its own, but it is only the beginning.
With Security Copilot, the incident is summarized in plain text, rather than having to backtrack through the incident map to build a timeline of events. It provides details on the user involved, the email title, the link that was clicked, and the IP address the attackers later connected from. It then recommends triage, containment, and further investigation actions. In this case, these involve classifying the incident as financial fraud, acknowledging that containment already occurred with the disabling of the user’s SAP and AD credentials, and recommending Advanced Hunting queries to dig deeper into the environment for potentially related incidents.
Copilot can associate the attacker’s IP address with activity elsewhere in the environment to link behavior from similar attacks. From there, Copilot can build a hunting query from a natural-language request to seek out further damage that may be present. Although the power of AI is immense, Copilot is also designed with room for error in mind. Each of these recommended actions is suggested to the security analyst investigating, but it relies on the analyst clicking the provided links to perform the actions. This builds in an inherent “trust but verify” methodology that is crucial to all cybersecurity work. In the example shown, the Advanced Hunting query discovers an additional PC that was attacked by the same cyber criminals, allowing the analyst to add it to the incident.
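The hunt described above, written out as an analyst-authored Advanced Hunting (KQL) query rather than Copilot’s generated output, is added here as an example and is not from the original article or from Microsoft. It assumes the attacker IP address and the phishing message’s NetworkMessageId have already been taken from the Sentinel incident; both values below are placeholders.

```kusto
// Added example: pivot from the incident's attacker IP and phishing message to every
// sign-in, device connection, and device logon that touched the same infrastructure.
// Placeholder values: replace with the IP and NetworkMessageId from the Sentinel incident.
let AttackerIP = "203.0.113.10";            // placeholder (documentation range)
let PhishMessageId = "<NetworkMessageId>";  // placeholder, from the incident's EmailEvents row
let LookBack = 14d;
// 1. Accounts that clicked the link in the phishing message (UrlClickEvents is keyed on the message)
let Clickers = UrlClickEvents
    | where Timestamp > ago(LookBack) and NetworkMessageId == PhishMessageId
    | project ClickTime = Timestamp, AccountUpn, Url;
// 2. Identity sign-ins from the attacker IP: credential reuse after the phish
let CloudLogons = IdentityLogonEvents
    | where Timestamp > ago(LookBack) and IPAddress == AttackerIP
    | project Timestamp, AccountUpn, Application, ActionType, LogonType,
              DeviceName, Source = "IdentityLogonEvents";
// 3. Endpoints that connected to, or were logged on from, the attacker IP (the "additional PC")
let DeviceHits = union
    (DeviceNetworkEvents
        | where Timestamp > ago(LookBack) and RemoteIP == AttackerIP
        | project Timestamp, AccountUpn = InitiatingProcessAccountUpn,
                  Application = InitiatingProcessFileName, ActionType, LogonType = "",
                  DeviceName, Source = "DeviceNetworkEvents"),
    (DeviceLogonEvents
        | where Timestamp > ago(LookBack) and RemoteIP == AttackerIP
        | project Timestamp, AccountUpn = AccountName, Application = "", ActionType,
                  LogonType, DeviceName, Source = "DeviceLogonEvents");
// Result: one row per suspicious event, flagged with whether that account clicked the phish,
// so the analyst can see which hits are the known victim and which are new scope
union CloudLogons, DeviceHits
| join kind=leftouter Clickers on AccountUpn
| project Timestamp, Source, DeviceName, AccountUpn, Application, ActionType, LogonType,
          ClickedPhish = isnotnull(ClickTime), ClickTime, Url
| order by Timestamp asc
```

Rows where ClickedPhish is false but the event still involves the attacker IP are the ones worth adding to the incident, since they indicate accounts or devices the phish did not explain.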
Investigating further, the additional PC was found to have a malicious script downloaded to the device. Copilot then provides the analyst with the option to analyze this script. After a few seconds, the contents of the encoded script have been extracted and a report is generated, even offering to show the source to the analyst. Lastly, Copilot recommends remediation tasks to restore access to the impacted user, resolves all related Sentinel alerts, and provides a summarized post-incident report. DeGrippo states, “In a recent study we did to measure the productivity impact for early career analysts, participants using Copilot demonstrated 44% more accurate responses, and they were 26% faster.” Microsoft Security Copilot positions security analysts and engineers to be more productive, focusing their time on securing the environment rather than digging through thousands of logs to correlate events.
Not only can Security Copilot integrate with Defender and Sentinel, but it can also be incorporated into your Entra ID infrastructure, Defender for Cloud Apps, and your Microsoft Purview environment to help establish a cohesive AI-powered security platform for your organization’s data. For the first time, organizations can create an advantage against attackers, rather than always having to catch up to security trends. This is the new era of cybersecurity. This is the power of Microsoft Security Copilot.
So how can you start leveraging Microsoft Security Copilot in your business? Currently, Microsoft Security Copilot is only available through an invitation-only paid Early Access Program. However, that doesn’t mean you can’t prepare your organization for when it releases to general availability. Although it’s not a requirement, Security Copilot will integrate into your Azure environment best if you’re already taking advantage of the Microsoft Defender ecosystem. We recommend leveraging Defender for Endpoint P2 licenses, as well as Microsoft Sentinel, to get the most out of Security Copilot. After all, AI is only as good as the information we make available to it. While Copilot continues its rollout to the masses, businesses can take this time to prepare their data, endpoints, and policies to integrate seamlessly with Security Copilot when it becomes available. This foundational work will ensure that you’re able to take full advantage of the features offered by Copilot.
As the conversation around AI continues, organizations are looking to see how they can integrate it into their existing processes. At Cloudforce, we pride ourselves on staying on the cutting edge, which means we’re focused on all things AI. We’ve seen firsthand the power of AI as we continue to incorporate it into our own business. If your organization is interested in what they can do to become Copilot-ready, reach out to us through our website or LinkedIn for a consultation!
Bell, Charlie, DeGrippo, Sherrod, et al. “The Future of Security with AI.” Microsoft Ignite. Seattle Convention Center, 16 November 2023.