December 3, 2023

Microsoft Security Copilot – Can your SOC live without it?

Microsoft is also bringing Copilot to the security field, under the name Security Copilot. What kind of help does it bring you, who are the main users, and what is it after all?

If you have been lucky enough to get access, the URL for the service is https://securitycopilot.microsoft.com.

For me it shows like this:

NOTE
The information in this article only applies to the Microsoft Security Copilot Early Access Program (EAP), an invite-only paid preview program for commercial customers. Microsoft makes no warranties, express or implied, with respect to the information provided here. The information has been gathered mostly from Microsoft Learn / Security / Tech Community / YouTube, since I have not personally had a chance to try this.

What is it?

Microsoft Security Copilot is a new service that helps you protect your cloud applications and data from cyberattacks. It uses artificial intelligence and machine learning to detect and respond to threats, vulnerabilities, and compliance issues.

You can use Security Copilot to monitor your Azure resources, configure security policies, and automate remediation actions. Security Copilot also provides you with insights and recommendations to improve your security posture and reduce your risk exposure.

The solution leverages the full power of OpenAI architecture to generate a response to a user prompt by using security-specific plugins, including organization-specific information, authoritative sources, and global threat intelligence.
By using plugins as data point sources, security professionals have wider visibility into threats, gain more context, and have the opportunity to extend the solution’s functionality.

Microsoft Security Copilot integrates with products in the Microsoft Security portfolio such as Microsoft Defender XDR, Microsoft Sentinel, and Microsoft Intune, as well as with third-party services such as ServiceNow.

Microsoft Security Copilot helps boost security operations by:

- Discovering vulnerabilities, prioritizing risks, and providing guided recommendations for threat prevention and remediation
- Surfacing incidents, assessing their scale, and providing recommendations for remediation steps
- Summarizing events, incidents, and threats and creating customizable reports
- Assisting security professionals’ collaboration through built-in capabilities

(Source: Microsoft Learn)

How does it work?

In this Early Access Program (EAP) the foundation language model and proprietary Microsoft technologies work together in an underlying system that helps increase the efficiency and capabilities of defenders to improve security outcomes at machine speed and scale.

Microsoft security solutions such as Microsoft Defender XDR, Microsoft Sentinel, and Microsoft Intune integrate seamlessly with Security Copilot. There is also some integration with Purview.

Plugins from Microsoft and third-party security products are a means to extend and integrate services with Security Copilot. Plugins bring more context from event logs, alerts, incidents, and policies from both Microsoft security products and supported third-party solutions such as ServiceNow.

Security Copilot also has access to threat intelligence and authoritative content through plugins. These plugins can search across Microsoft Defender Threat Intelligence articles and intel profiles, Microsoft Defender XDR threat analytics reports, and vulnerability disclosure publications, among others.

How can it help your SOC?
There’s a great article in the Microsoft Tech Community on how Security Copilot can help your SOC.

“In a Security Operations Center (SOC), time to resolve and mitigate both alerts and incidents are of the highest importance. This time can mean the difference between controlled risk and impact, and large risk and impact. While our core products detect and respond at machine speed, our ongoing mission is to upskill SOC analysts and empower them to be more efficient where they’re needed to engage.

To bridge this gap, we are bringing Security Copilot into our industry-leading XDR platform, Microsoft 365 Defender, which is like adding the ultimate expert SOC analyst to your team, both raising the skill bar and increasing efficiency and autonomy. In addition to skilling, we know that incident volumes continue to grow as tools get better at detecting, while SOC resources are scarce, so providing this expert assistance and helping the SOC with efficiency are equally important in alleviating these issues.”

Using Security Copilot will speed up investigations and reduce the time spent on Security Operations Analyst work, so I hope at least our company will start using it when it’s possible.

(Source: Microsoft Security)

Using prompts and promptbooks

Prompts are the primary input Security Copilot needs to generate answers that can help you in your security-related tasks.

Some examples of how to interact with the standalone Security Copilot:

- Using promptbooks
- Selecting from prompt suggestions
- Creating your own prompts

Example of Featured prompts (Source: Microsoft Security)

Promptbooks are a collection of prompts that have been put together to accomplish specific security-related tasks. Each promptbook requires a specific input (for example, a code snippet or a threat actor name) and then runs a series of prompts in sequence, with one prompt building on the one before it.
Example of Promptbooks (Source: Microsoft Security)

In promptbooks you can supply some code and let Security Copilot generate an answer for you:

Security Copilot code analysis (Source: Microsoft Security)

And the answer:

Security Copilot code analysis (Source: Microsoft Security)

Security Copilot extensions (plugins / connectors)

You can use extensions to add functionality. These are divided into:

- Microsoft plugins
  Security Copilot uses the on-behalf-of authentication flow to provide access to other Microsoft services that your organization already has access to
  - Microsoft Entra
  - Microsoft Defender External Attack Surface Management
  - Microsoft Intune
  - Microsoft Defender XDR
  - Microsoft Sentinel
  - Microsoft Defender Threat Intelligence
- Other plugins
  - ServiceNow
- Your custom plugins created with
  - API: How to use/create an existing OpenAI Plugin in Security Copilot
  - GPT: You can create GPT plugins with the GPT 4 family, with model gpt-4-32k-v0613
  - KQL: You can create powerful plugins leveraging KQL queries to explore your data and discover patterns
- Logic Apps Connectors
  The Security Copilot Logic Apps connector allows you to call into Security Copilot from a Logic Apps workflow.

Security Copilot pre-installed plugins (Source: MS Security YouTube)

An example of Logic Apps workflow (Source: MS Learn)

Startup guide for Security Copilot

There are a lot of steps to get started, so I will just say that you need to have access to the Early Access Program and pay.

The long Getting Started guide is found here.

NOTE!
Before you can access Security Copilot, your environment should have the following licenses deployed:

- Microsoft Entra ID P1 or P2 (formerly known as Azure Active Directory Premium P1 or P2) license for role assignments to users.
- Microsoft Defender for Endpoint P2 licenses

Limitations of Security Copilot

I picked the most relevant limitations below. The whole list of limitations is here.
(MS Learn – Responsible AI FAQ)

- Since Security Copilot is in EAP, its preview features aren’t meant for production use and might have limited functionality.
- Like any AI-powered technology, Security Copilot doesn’t get everything right. However, you can help improve its responses by providing your observations using the feedback tool, which is built into the platform.
- The system might generate stale responses if it isn’t given the most current data through user input or plugins. To get the best results, verify that the right plugins are enabled.
- The system is designed to respond to prompts related to the security domain, such as incident investigation and threat intelligence. Prompts outside the scope of security might result in responses that lack accuracy and comprehensiveness.
- Security Copilot might generate code or include code in responses, which could potentially expose sensitive information or vulnerabilities if not used carefully. Users should always take the same precautions as they would with any code they write that uses material users didn’t independently originate, including precautions to ensure its suitability.

Conclusion(s)

If I were working in a SOC, I would definitely want to use Security Copilot, since it brings a lot of help in tasks which take time to solve.

But remember to always review and verify the responses you get from Security Copilot. Security Copilot is built upon Large Language Models (LLMs), advanced tools designed to predict and generate text. Because these models are trained on vast and varied data that reflects a wide range of human biases and inaccuracies, they sometimes produce content that can be biased, offensive, wrong, or even harmful. Evaluate Security Copilot’s responses and cross-reference with trusted sources when needed.