Cybersecurity incidents have increased drastically in recent times. Microsoft has seen the number of password attacks triple in the last 12 months, from about 1,300 per second to more than 4,000 per second. The median time for an attacker to access your private data if you fall victim to a phishing email is now only 1 hour and 12 minutes.
Add to that a global shortage of 3.5 million skilled cybersecurity professionals, it’s no wonder that security incidents have become an everyday occurrence.
The numbers are staggering; attackers have become sophisticated, and security tools are sprawled and disjointed, often becoming difficult to manage.
So, how do we help security professionals overcome these challenges? Microsoft Copilot for Security steps in here.
To kick off our Security Spotlight Series, Mark Johnson, CyberSecurity Practice Lead at ANS, dives deep into Copilot for Security– its features, benefits and practical use cases. Let’s dive in!
What is Copilot for Security?
Copilot for Security is the first generative AI security solution that uses Open AI’s Large Language Models (LLM) to help security professionals investigate and respond to threats at speed with the latest and most advanced security practices.
Security Copilot allows you to get real-time visibility and context, investigate threats faster, and use natural language prompts rather than complex queries to become more effective and efficient.
It’s important to note that Security Copilot doesn’t replace human intelligence and expertise. Rather, it augments our unique capabilities with AI to perform complex tasks faster and at scale. As threat actors become more sophisticated by incorporating AI, we need advanced AI security solutions to defend against them, and this is where Copilot helps.
How does Copilot for Security benefit your teams?
Copilot for Security isn’t only for security analysts. It can benefit several personas in your team, including IT admins, insider risk analysts, identity access management admins, compliance analysts, etc. Let’s take a look at how exactly it benefits them.
1. Discover threats and vulnerabilities sooner
Copilot for Security helps teams shorten the time to detect and respond to threats. What used to take hours will only take a few minutes with Copilot, which prevents minor issues from developing into full-scale incidents and data breaches. Copilot can quickly process vast amounts of information from different data sources, which means it can detect what others might miss before an attacker can cause harm.
Not only does it help you detect threats faster, but with more context and guidance from Copilot, it also helps you reduce the resolution time.
Also, it simplifies the complex. Analysts don’t have to write complex scripts for tasks like threat hunting. Instead, they can simply ask questions in natural language and Copilot for Security understands the context and writes the script for them.
2. Improving productivity
Security Copilot helps skilled professionals get mundane, repetitive tasks done, allowing them to focus on more strategic work.
For example, Copilot can help you draft incident reports, which is typically a time-consuming process, by quickly pulling data from incident logs and alerts from different tools in just minutes. According to Microsoft research, using Copilot to perform tasks like preparing reports or troubleshooting minor issues can improve your efficiency by up to 60%.
As a result of these efficiencies, Copilot is helping teams move from reactive to proactive tasks. Instead of just responding to threats, they can now assess an organisation’s security posture, environment, users, devices and potential vulnerabilities to rethink their security strategy.
3. Augment team expertise
Globally, organisations are facing a cybersecurity talent shortage, so they can use Copilot to upskill junior team members. It can enable juniors to perform more advanced tasks, allowing senior members to focus on complex and strategic issues.
How does it work?
Copilot for Security can be used in a standalone portal or embedded natively into products such as Microsoft Defender XDR, Microsoft Sentinel, Microsoft Intune, and other third-party services such as ServiceNow.
Choosing which to use when is based on what’s most important to users: pulling data from multiple tools into one place in the standalone experience or working within products they already know but enhanced with Copilot for Security.
Standalone experience
The Copilot for Security standalone experience brings together data from across your security portfolio, enriching it with threat intelligence. It also comes with pre-built prompts and promptbooks so you can get insightful responses without being a prompt expert.
For example, you could summarise a Sentinel incident, get device information from Intune, and identity data from Entra, all in one place, without switching applications.
Embedded experiences
This offers the intuitive experience of natively getting Copilot for Security guidance within the products your team members are familiar with.
For instance, if you’re a Defender user, you don’t have to leave that portal to access Copilot. Similarly, Intune, Purview, and Defender for Cloud users benefit from relevant Copilot skills for specific use cases.
You can also use Copilot within plugins for Microsoft products and third-party solutions like Service Now, which brings more context from event logs, alerts, incidents, and policies.
The image below gives a good overview of how it all works together.
Use cases for Copilot for Security
Now that you know how Copilot for Security can benefit your teams, let’s look at some real-life use cases.
-
Summarise, investigate & triage incidents
Swiftly distil complex security alerts into concise, actionable summaries, enabling quicker response times and streamlined decision-making.
For example, let’s consider a scenario where a business email is compromised by an attacker posing as a legitimate entity. Within Microsoft Defender XDR, Security Copilot provides the analyst with a quick summary of the key events of the incident and its sequence, such as what it is about, when it first occurred, IP addresses from which suspicious logins were attempted, and recommended remediation steps. In one glance, you’ll know everything needed about this incident that aids faster resolution.
You can also use Copilot as your AI-powered assistant to investigate issues by giving prompts and fetching data from multiple tools, all within one place.
-
Guided response
Receive actionable step-by-step guidance for incident response, including directions for triage, investigation, containment, and remediation.
In the same example, you’ll find a series of recommended steps within Defender XDR, confirming if the incident is a ‘true positive’ and then forcing a password reset for the affected user to address the possible compromise.
-
Analyse scripts
Eliminate the need to manually reverse engineer malware and enable analysts to understand the actions executed by attackers. Security Copilot will help you analyse complex command line scripts and translate them into natural language with clear explanations of actions.
In our previous example, the incident summary generated by Copilot highlights a Power Shell script. Defender XDR has decoded the script, but understanding its purpose requires time and Power Shell expertise. Security Copilot accelerates this process by analysing the script, understanding its intent, providing a plain English explanation of the key steps, and flagging malicious elements. We recommend viewing this video to show the full power of what Copilot can achieve for you in this instance.
Licensing model
Microsoft has introduced a pay-as-you-go licensing model to help a wide range of organisations benefit from Security Copilot. With this flexible, consumption-based pricing model, you can get started quickly with no upfront costs and then scale your usage and costs according to your needs and budget.
Users need to provision Security Compute Units (SCUs) to access Copilot for Security and can increase or decrease usage anytime. Billing is calculated on an hourly basis with a minimum of one hour. To purchase SCUs, you need to have an Azure subscription.
What about privacy and compliance?
Copilot for Security is built with security, privacy, and compliance in mind and grounded in responsible AI principles. Your data will not be used to train the AI models or shared with third parties or OpenAI. It is stored where you choose and is always encrypted, so you can rest assured that your data is protected by the most comprehensive enterprise compliance and security controls.
How can ANS help?
As a Microsoft Partner, we can help you deploy and maximise Copilot for Security usage in your organisation. We provide guidance and support throughout the implementation process, ensuring seamless integration with your existing infrastructure and workflows.
Additionally, we build the right guardrails, governance, and processes around your Copilot solutions to safeguard your assets and data effectively. If you’d like to know more about how we can help with Copilot for Security in your organisation, sign up for a free Copilot readiness workshop.