How Microsoft Copilot for Security works

00:00

(music)

00:02

- What if I told you that you could use

00:04

GPT-powered natural language

00:06

to investigate and respond to security incidents, threats,

00:09

and vulnerabilities facing your organization right now?

00:12

Well, today we're going to take a look

00:13

at how Microsoft's Security Copilot,

00:15

a new security AI assistant skilled

00:17

with Microsoft's vast cybersecurity expertise,

00:20

can help you perform common security-related tasks quickly

00:24

using generative AI.

00:26

And this includes embedded experiences

00:27

within the new Microsoft Defender XDR,

00:30

Microsoft Intune for endpoint management,

00:33

Microsoft Entra for identity and access management,

00:35

and Microsoft Purview for data security and much more.

00:38

And joining me today for a deeper dive into Security Copilot

00:41

is Ryan Munsch, who's on the team that built it.

00:44

- Thanks Jeremy. It's great to be here.

00:45

And I'm excited to share more about what we've done

00:47

with generative AI and security.

00:49

- This is a topic I've really been looking forward to

00:50

because I can see a lot of benefits here.

00:52

You know, security teams,

00:54

they're stretched pretty thin these days.

00:56

As we build more and more tools, though,

00:57

to help them harden security or detect

01:00

and respond to incidents,

01:01

it's still a struggle to parse through

01:03

all that information that's available to them

01:04

and respond quickly.

01:06

- Right, there are definitely skill

01:07

and staffing shortages at play here.

01:10

And when you add to that the increased frequency of attacks,

01:13

even the most skilled teams can benefit from generative AI.

01:16

In fact, think of Security Copilot

01:18

as an enterprise-grade natural language interface

01:21

to your organization's security data.

01:23

Let me show you.

01:25

I'm in the Microsoft Security Copilot right now.

01:27

Notice unlike other Microsoft Copilots,

01:30

it's a stateful experience to let you easily return

01:33

to investigations from previous Copilot sessions.

01:36

Now, this isn't an ordinary instance of GPT.

01:39

We've augmented the large language model training

01:42

with security skills so that it can work

01:44

with the signal in your environment,

01:46

and the more quality security signals

01:48

it has access to, the better.

01:50

In the bottom left corner are your managed plugins.

01:53

There's Microsoft Entra for identity,

01:55

Microsoft Intune for device endpoints,

01:58

Microsoft Defender plugins for incidents,

02:00

Threat Intelligence, and more,

02:02

as well as Microsoft Purview for data security

02:05

and Microsoft Sentinel, our cloud-based SIEM.

02:07

And you even have options for third-party plugins

02:11

like you see here with ServiceNow for incidents.

02:14

- This is a real breadth of information, then,

02:15

that basically Security Copilot

02:17

can use to help investigate incidents

02:19

and also generate informed responses later.

02:21

- Yeah, that's all data that can ground

02:23

and enrich the Security Copilot experience,

02:26

and the prompt experience brings additional skills too.

02:29

Notice like other Copilot experiences,

02:32

it proactively suggest prompts to get you started

02:35

like this one: "Show high severity incidents

02:38

and recent threat intelligence."

02:39

That said, it gets even more powerful

02:42

with multi-step sequences using Promptbooks.

02:45

I'll open this one for suspicious script analysis

02:47

to automate security process steps, and we can try it out.

02:51

I have a PowerShell script in my clipboard

02:53

that I'll paste into the prompt,

02:55

and in just a few moments,

02:56

Copilot has safely reversed engineered the malware

02:59

in the script with a step-by-step breakdown

03:01

of the tactics used by the exploit

03:04

in a way that's clear and understandable.

03:06

- Okay, so what's stopping someone, then,

03:07

from using maybe an off-the-shelf large language model?

03:10

And maybe a lot of people are going to say and think

03:12

that if I just use the right prompts,

03:14

I'll be able to get the response that I want.

03:16

- So that's partly true, but it's not quite that simple.

03:19

Let's demonstrate this together.

03:21

I'll use Security Copilot,

03:22

and you can use the GPT playground

03:24

using an unmodified GPT in the Azure OpenAI service.

03:28

We'll run the exact same prompts.

03:30

- Yep, let's do it. Sounds fun.

03:31

So right now, I've actually got the GPT playground open.

03:34

On the right, you're seeing my screen,

03:36

the Azure OpenAI Studio.

03:37

It's actually running a GPT-4 instance.

03:40

And on the left, you're seeing Security Copilot.

03:42

Now, we're going to start

03:43

with a Common Vulnerability and Exposure,

03:46

or CVE as we refer to it normally.

03:48

And Ryan and I are both going to submit the same prompts

03:51

and describe this particular CVE.

03:54

And that's going to take a moment to run and analyze the data,

03:57

especially on the Security Copilot side.

03:59

It's chewing through that and getting everything ready.

04:01

And when it's finished, you'll see

04:03

that the off-the-shelf model on the right,

04:06

it knows what a CVE is,

04:07

but otherwise, this response isn't useful at all.

04:10

So you saw on the Security Copilot side,

04:12

or you can see it now,

04:13

that it gives us the details for this CVE.

04:16

- So let's try something else.

04:18

We'll run another prompt.

04:19

We'll prompt it about a suspicious domain,

04:22

VectorsAndArrows.com.

04:23

Notice that while Security Copilot gathers the information

04:26

before formulating a response,

04:28

the GPT-4 instance on the right acknowledges

04:31

that it actually can't find the information.

04:33

Also, we can see here in Security Copilot's response

04:36

that it knows that if we're asking about this domain,

04:39

it likely involves a security event.

04:41

So it finds all of the matching IP addresses

04:44

that the domain resolves to,

04:45

the ASNs, or Autonomous System Numbers, related to it,

04:49

and corresponding organizations.

04:51

- And the differences that you're seeing here,

04:53

it's resulting in the fact

04:55

that the large language model that's off the shelf,

04:57

it relies on general training,

04:59

whereas prompts that were sent

05:00

to Security Copilot on your side,

05:02

they carry the security context

05:04

using all that fine tuning and grounding data

05:07

from all the plugins that you showed earlier.

05:09

- That said, of course the off-the-shelf model you use

05:12

could be grounded with more data,

05:14

and you can add up to three plugins

05:15

to provide additional security data.

05:17

But you'd still need to build an orchestration engine

05:20

to find and retrieve the data, rank it for relevance,

05:24

and then add the grounding data to your prompt

05:26

with guardrails to stay below your token limits

05:29

before presenting this information to the LLM

05:32

to generate an informed response.

05:34

And that's just scratching the surface.

05:36

For example, you'd also want to ensure

05:38

that it provides citations with the right legal assurances.

05:41

We do all of this and more right out of the box.

05:43

- All right, so I want to go back to the fine tuning aspect.

05:45

You know, we recently had Mark Russinovich on, CTO of Azure,

05:49

and he explained how a method

05:50

called Low-Rank Adaptive fine-tuning, or LoRA fine-tuning,

05:53

works to pinpoint LLM training specific

05:56

to a skill like security,

05:57

and this is a very specialized process.

05:59

So it's not as simple as building out your own solution

06:01

even if you were a security expert.

06:03

- Exactly, and ultimately, you need to understand

06:06

how the underlying AI processes work.

06:08

And we've done all of that work for you

06:10

based on our own extensive cybersecurity expertise.

06:13

We've been partnered with OpenAI for years now

06:16

on what it takes to build the most advanced models.

06:19

And so we have built an AI supercomputer

06:21

with a specialized hardware and software stack

06:24

in Azure to run them.

06:25

And with that foundation, we use the LoRA fine-tuning method

06:29

to give the LLM more training specific

06:31

to cybersecurity analysis, detection, response,

06:35

summarization, and more.

06:36

Then using evergreen Threat Intelligence

06:39

with real-time retrieval,

06:40

we also help ensure that it's always up-to-date

06:43

with new and trending threats.

06:45

And like I showed earlier,

06:47

we also provide built-in cyber-specific skills

06:50

in Promptbooks so that you can get multi-step prompts built

06:54

with insightful responses without being a prompt expert.

06:58

And this is something we've been working on for years

07:00

to get the processes and the LLMs' underlying knowledge base

07:04

up to the task of cybersecurity.

07:06

- Okay, so now you've explained how it works.

07:07

So can we walk through a process

07:09

maybe a security analyst might use

07:11

as they use Security Copilot to investigate an incident?

07:14

- Definitely; in some cases,

07:15

these investigations can start out

07:17

in something like Microsoft Defender

07:19

or simply as a support call, so let's start there.

07:23

In this case, I'm on an active call

07:25

with a user who can't access her device.

07:27

I'll prompt Security Copilot with, "What is the status

07:30

of the user account for Lynne Robbins?

07:32

Is it locked out?"

07:34

After reasoning across information

07:36

from its connected plugins,

07:37

it confirms that Lynne's account

07:39

is disabled with more details.

07:41

Let's keep going.

07:42

"What are the three most recent login attempts

07:45

from the user?"

07:46

And I got a few more clues back.

07:47

Lynne not only has had multiple failed login attempts,

07:50

but they've come from different devices and locations.

07:54

This account is likely compromised.

07:56

Now, I'll ask, "Is the user considered risky? If so, why?"

08:01

And it looks like she has a high risk level now,

08:03

but we need to find out more details.

08:06

So I'll prompt Copilot with a forward slash

08:08

to use a security-specific skill to generate

08:12

and run Defender hunting queries.

08:14

From the hunt, it's clear there is a ransomware event,

08:17

and lateral movement is occurring within Woodgrove.

08:20

We need to correlate it now with an incident

08:22

to see it in aggregate.

08:23

We can do that by checking for security incidents

08:26

on the same day, so I'll enter that prompt for that day.

08:29

Now, I'll expand the response,

08:31

and from the top line, I can correlate the alerts

08:33

with incident 1-9-3-8-8.

08:36

So now, I can simply ask for a summary of this incident.

08:39

I can assess everything captured by Defender

08:42

as well as anything related to the response process.

08:45

And I now know it's a potential

08:47

human-operated ransomware attack, and this is bad.

08:50

- Right, and this is a big deal

08:51

because all this went pretty quickly,

08:53

which is a huge advantage,

08:54

especially when you're trying trying to contain a threat.

08:56

- Yes, Security Copilot

08:57

can speed up investigation significantly.

09:00

In fact, to save a little more time showing the rest

09:03

of the investigation and also the statefulness of it,

09:06

I'll move to one that I've previously run.

09:08

Here's the incident we just looked up.

09:10

Beyond the severity level, we can also see

09:12

when the incident was first detected, the alert generation,

09:16

and a bunch of other information.

09:18

There are associated devices, threat actors, protocols used,

09:21

processes, and login attempts from our user, Lynne.

09:24

It tells me the investigation actions taken already

09:27

and some remediation actions taken

09:28

with real-time attack disruption

09:31

to automatically contain the threat.

09:33

And continuing on, I prompted it for associated entities.

09:36

It provided more devices, users, and IPs.

09:39

Then to start the remediation, I asked it

09:42

to generate a PowerShell script

09:43

to go check on the state of the device's SMB configuration,

09:47

which in our case was used

09:49

to move laterally between systems.

09:51

- And the script generation here is super-useful.

09:52

because when I write scripts,

09:53

it's always in short-term memory only,

09:55

so I have to look it up either in reference materials

09:58

and command line help, maybe ping Jeffrey Snover,

10:00

and then it kind of exits out the other side of my head.

10:02

- Yeah, my algebra teacher

10:04

had a similar complaint about my short-term memory.

10:06

But you're right, Security Copilot

10:08

can now solve the short-term memory problem.

10:11

Now, let's go and focus on the initial machine compromised.

10:14

Here, I used another skill to find host name access records

10:18

for the device in question, and it found one access record.

10:21

So we saw the lateral movement and a primary refresh token

10:24

which generated along the way.

10:26

Here I've generated a hunting query using Microsoft Sentinel

10:29

to figure out how the attacker did it

10:31

and look for security events associated with the IP address

10:35

on the day of the account lockout.

10:37

Security Copilot generated a Kusto Query Language,

10:40

or KQL, statement for me.

10:41

Then it runs that query for me here too.

10:44

All of this helps me understand the level

10:46

of attack infiltration across my network,

10:48

and next, I can move on to the devices associated

10:51

with our user, Lynne.

10:53

Here I've checked if the PARKCITY Win10S device

10:57

was compliant and it knew

10:58

where to pull the device information.

11:00

In this case, it's Intune.

11:02

It looks like the device was non-compliant,

11:04

failing to meet a Defender for Endpoint policy.

11:07

I don't work in the IT side of the house,

11:09

so next, I asked it for more information

11:12

about what the policy does

11:13

and why the device isn't compliant.

11:16

Looks like the device was not within the group scope

11:18

for the app policy assignment,

11:20

and as a result, the device was exposed

11:22

and became an attack target.

11:23

- And this really shows how easy it is, then,

11:25

to continue that investigation

11:26

maybe in areas where you're not an expert.

11:28

So what's the next step?

11:29

- Well, that's the great thing about Security Copilot,

11:31

is you don't have to be an expert to get expert advice.

11:35

And let's dive into Threat Intelligence,

11:37

in this case to understand the techniques in use

11:39

by the actor and other entry points they could exploit.

11:43

Our threat actor named from the incident summary

11:44

was pretty memorable for me,

11:46

so I prompted Security Copilot for some information

11:49

about the sea cow of threat actor groups, Manatee Tempest.

11:53

And this response, summary aside,

11:54

is the insight into different techniques used for exploits.

11:57

It's likely Lynne fell victim to a drive-by download.

12:00

But more importantly, what I learned

12:02

is that I need to rally my security organization

12:05

around analysis of any Cobalt Strike

12:07

or Mythic payloads placed in my environment.

12:10

And as an analyst, a lot of my time

12:12

is spent writing summary reports for people

12:14

who wouldn't be as deep as I am on an incident like this.

12:18

So I prompted Security Copilot

12:19

to provide a non-technical executive level summary

12:22

for our company leadership.

12:24

And using the session context,

12:26

it generated a thorough report

12:28

that's pretty easy to understand.

12:30

And again, just to highlight the transparency here,

12:32

if I expand the steps it took, then look at the first one,

12:36

you can see what process the orchestrator used

12:38

to develop a plan, gathered context from the session,

12:41

then determined which skills to use

12:43

as well as the rest of the logic and prompt details

12:46

that are presented to the fine-tuned LLM

12:48

to generate our response.

12:50

When finished, from here, I can download

12:53

and export it to a Word doc, Mail,

12:55

or just copy it to my clipboard.

12:57

And beyond high-level reports,

12:59

Copilot can even help generate more immediate summaries

13:02

for SecOp teams like pin boards.

13:04

As I was going, I selected the turns of my investigation

13:07

I wanted to highlight later using pins,

13:10

then used Copilot to generate a pin board summary

13:13

that I can share with my team

13:15

so that any new members joining

13:16

can quickly get up to speed on the work I've already done

13:19

without duplicating effort.

13:21

All of the prompts are saved to a stateful session,

13:24

and the entire investigation is shared

13:26

with all the context, including our pin board.

13:29

- And every phase of the investigation was sped up using

13:32

all the grounding data that was pulled

13:33

from quite a few different connected services,

13:35

for more context.

13:36

That said, though, in this case,

13:37

Lynne actually called the support desk,

13:38

which triggered your investigation.

13:41

So what would happen if this was maybe part of an incident?

13:43

- Well, that's actually a huge part of Security Copilot.

13:45

We've also built integrated experiences

13:47

across different Microsoft admin portals

13:50

to help save you time,

13:51

and this goes beyond security analyst roles too.

13:54

First, and to answer your question, in Microsoft Defender,

13:57

I have the incident number from before open here.

14:00

In the Security Copilot sidebar,

14:02

each incident automatically gets a generated summary,

14:05

and many of the standalone capabilities I showed before

14:07

can be done in context.

14:09

As you investigate alerts, it can analyze scripts

14:12

and commands in place like this one.

14:14

And in Advanced Hunting, you can use natural language

14:17

to author KQL queries with Security Copilot.

14:20

Then beyond Microsoft Defender, let me give you a quick look

14:23

at other embedded Copilot experiences that we have.

14:26

For endpoint admins, Security Copilot in Microsoft Intune

14:30

helps simplify policy management

14:32

so you can generate policies using natural language prompts,

14:36

find out more about settings, options, and their impacts,

14:39

and pull up critical details about managed devices.

14:42

If you're an identity admin,

14:44

Security Copilot in Microsoft Entra

14:46

will let you use the natural language to ask about users,

14:50

groups, sign-ins, and permissions

14:52

to instantaneously get a risk summary

14:55

as well as steps to remediate

14:57

and guidance for each identity at risk.

15:00

And in ID Governance, it can help you

15:02

to create a lifecycle workflow to streamline the process

15:06

to automate common task.

15:08

And one more, here's the experience for data security admins

15:11

in Microsoft Purview,

15:13

where Security Copilot with data loss prevention alerts

15:16

will quickly generate insights

15:17

about data and file activities.

15:20

And when used with Insider Risk Management,

15:23

alert summaries, find details about high-risk users

15:26

and the related data exfiltration activities

15:29

to help you respond fast.

15:31

And there are more embedded experiences to look forward to.

15:33

Security Copilot will also be integrated

15:35

with Microsoft Defender for Cloud and other plugins soon.

15:39

- So you can stay in the context, then,

15:40

of the tools that you use every day.

15:42

So for anyone who's watching right now

15:44

looking to get started, what do you recommend?

15:46

- If you're looking at options to use generative AI

15:48

with your security practices,

15:50

join our early access program at aka.ms/SecurityCopilot,

15:56

and you can even help shape what Security Copilot can do.

15:59

- Thanks so much, Ryan, for showing us

16:00

what Security Copilot can do to help us investigate

16:02

and respond to incidents using generative AI.

16:06

Of course, to stay up to date with all the latest tech,

16:08

be sure to subscribe to Mechanics, and thanks for watching.

16:10

(music)