AI-based security: Microsoft Copilot for Security

The beginning of the AI boom

In late 2022, OpenAI made GPT-3, also known as ChatGPT, available to the general public. Within five days, one million users had registered worldwide. The hype around the app was largely due to its ease of use, as for the first time, laypeople around the world were able to interact with AI without in-depth IT knowledge.

ChatGPT was the final trigger for the AI hype we are experiencing. We are now in the second year since its launch and OpenAI now has around 100 million active users.

AI enters the business world

The question naturally arose as to when AI support would find its way into the corporate world, after the amazement of generating text, music tracks, images or even videos. The answer: sooner than most would have thought, with Microsoft Copilot for Microsoft 365 released last year - just under a year after ChatGPT launched.

Microsoft 365 Copilot is integrated into the Microsoft 365 world. This tool supports a wide range of tasks such as creating documents, brainstorming, creating presentations in PowerPoint, analysing data in Excel and much more. As such, the application area covers a wide range of job roles as it supports day-to-day work tasks.

However, security teams have lacked deeper integration and AI skills to add value.

The parallel story: cybercrime

Cyber security threats have increased dramatically in recent years, even before the release of ChatGPT. In particular, the disruption of the working world during the Corona years and Russia's war of aggression in Ukraine have led to a further increase in attacks.

But general developments in the field of digitalisation are also contributing to an increase in the threat. The growing number of connected devices and systems is increasing the attack surface. From the Internet of Things (IoT) to cloud-based infrastructures, attack surfaces have become diverse and complex. At the same time, attack methods have evolved. Cybercriminals are using increasingly sophisticated techniques to exploit vulnerabilities in systems and gain access to sensitive data. Phishing, ransomware and distributed denial of service (DDoS) attacks are just a few examples of the many threats we face.

The importance of APT

Among the various threats, the danger posed by advanced persistent threats (APT) stands out. APT refers to complex and targeted attacks, often carried out by state-sponsored actors or well-organised cybercriminals. These attacks are designed to gain long-term access to a system without being immediately detected.

What makes APTs so dangerous is their persistence and ability to remain hidden. Attackers can spend months or even years gaining access to sensitive data and systems without victims even noticing. Using sophisticated tactics such as social engineering, zero-day exploits and targeted phishing attacks, APT groups can steal highly sensitive information or even take control of entire infrastructures.

Combining cybersecurity and AI: Microsoft Copilot for Security

Security teams face an asymmetric challenge: they have to protect everything, while cyber attackers only have to find one vulnerability. Security teams must do this while dealing with the complexity of regulations (NIS2, DORA), a global skills shortage, and rampant fragmentation of their known infrastructure.

Reliable protection against security risks is essential. Microsoft's security products already offer a wide range of options - in particular Microsoft Sentinel as a SIEM and SOAR system.

'Clicks, not complications: The simplicity of Copilot for Security

Microsoft Copilot for Security's ease-of-use and clear user interface help increase the efficiency and effectiveness of security teams by lowering the barriers to deploying advanced security technologies and making them easy to use.

• Save time for security teams: An intuitive user interface allows security teams to respond quickly to security incidents without wasting time learning complex systems. This results in more efficient working practices and allows teams to focus on more important tasks.
• Reduced training requirements: Ease of use reduces the need to train new staff as they can quickly become familiar with the platform. This is particularly important in environments with high turnover or where security responsibilities are shared between team members.
• Faster response times: An easy-to-use interface enables security teams to identify and respond to threats faster, reducing response times and minimising the impact of security incidents.
• • Better collaboration: A simple interface encourages collaboration between team members by making it easier to share information and work together on security incidents. This enables teams to work together more effectively to tackle complex threats.

The difference between ChatGPT and Microsoft Copilot for Security

ChatGPT and Microsoft Copilot for Security are AI technologies designed to help users complete tasks and activities faster and more efficiently.

Microsoft Copilot for Security is a natural language AI-based security analysis tool that helps organisations protect themselves from the threats discussed above. Microsoft Copilot for Security is based on the well-known OpenAI technology. However, a key difference between generic ChatGPT and Microsoft Copilot for Security is that the latter has been designed and developed from the ground up as an enterprise cyber AI. The platform works with customer-facing plug-ins (such as Microsoft Defender Suite) and Microsoft's global threat intelligence.

This is evident in the way the two tools work: Microsoft Copilot for Security is designed for status management, incident response and reporting. Microsoft Copilot for Security is designed for status management, incident response and reporting, while ChatGPT is built on the principles of zero trust and draws insights from security signals aggregated by plug-ins, while ChatGPT works like a chatbot designed to have a conversation with a user.

Explore: How do I use Microsoft Copilot for everyday security?

Incident summary

This prompt helps you investigate an incident. It generates a report for a non-technical audience that summarises the investigation. The employee can make this available to relevant stakeholders who do not deal with IT on a daily basis.

**Example prompt:**.
Summarise Sentinel Incident .

 

Guided response

Microsoft Copilot for Security provides advanced summaries for active incidents and also provides possible post-response actions that can be performed 'in chat' (step-by-step instructions).

**Example prompt:**.
When a user is listed in the incident details, you can see what devices they have recently used and whether they are compliant.

 

Vulnerability management

This feature allows you to proactively identify and remediate vulnerabilities in your environment. Copilot for Security uses data from multiple sources, such as vulnerability management tools and security scans, and prioritises vulnerabilities based on their risk.

**Example prompt:**.

Find all vulnerabilities in my environment that have a CVSS score of 7 or higher and have not yet been fixed.

These are just a few examples of how you can use Microsoft Copilot for Security in your daily work. The platform has many more features that can help you make your environment more secure.

Identifying risks and prioritising tasks can be overwhelming in a fragmented landscape where organisations use multiple data security tools. Teams receive multiple alerts, must manually correlate findings and reconcile the nature of an incident across teams and solutions, which can lead to longer investigation times.

Copilot for Security uses advanced GPT4 models from OpenAI in conjunction with the Microsoft security portfolio, including its hyperscale infrastructure, orchestration, Microsoft security team expertise, and global threat intelligence.

 

The benefits of implementing Copilot for Security include

• Reduced time spent on repetitive tasks
• Accelerated detection and response (MTTD & MTTR)
• Guided processes such as incident assessment or threat hunting
• Moving from reactive to proactive tasks

This also addresses the second major cyber security challenge: the skills shortage. SOC teams can be freed up to work more efficiently on critical incidents or proactive tasks. Junior analysts can take on more demanding tasks that previously took a long time to learn and implement, or could only be learned and implemented with additional support. Senior analysts, in turn, can focus on critical issues and the evolution of an organisation's security posture.

A new skill is needed: prompt engineering

The process of writing, refining and optimising prompts to enable generative AI systems to produce specific, high-quality outputs is known as prompt engineering. This is likely to become a skill that will be required to work with AI systems in the future. The ability to do this will affect everyone - and of course, when it comes to Microsoft Copilot for Security, it will affect security teams in particular - so it is important to invest in building the skills early on.

Prompt engineering is important because it enables all AI models to deliver more accurate and relevant results. By creating precise and comprehensive prompts, an AI model is better able to synthesise the task it is performing and generate responses that are more useful to humans.

Effective prompts also provide Microsoft Copilot for Security with important parameters for generating meaningful responses. When writing a prompt, security analysts or researchers should consider the following elements:

• Objective: specific, security-related information
• Context: why the information is needed or should be used
• Expectations: format or audience to which the response should be tailored
• Source: Known information, data source(s) or plug-ins that should be included.