How Microsoft Copilot for Security works

AI, Copilots & ChatGPT at Microsoft

15 Nov 202316:18

Summary

TLDRMicrosoft's Security Copilot is a groundbreaking AI assistant designed to enhance organizational security by leveraging generative AI. It integrates seamlessly with various Microsoft services, including Microsoft Defender XDR, Intune, Entra, and Purview, to streamline security tasks. The tool, augmented with cybersecurity expertise, offers a stateful experience for tracking investigations and provides a natural language interface to security data. Security Copilot can analyze scripts, generate informed responses, and even create reports with multi-step sequences using Promptbooks. It uses Low-Rank Adaptive fine-tuning (LoRA) to specialize the AI in cybersecurity, ensuring up-to-date threat intelligence. The tool accelerates incident investigation, automates security processes, and aids in generating executive summaries, making it an invaluable asset for security teams and analysts.

Takeaways

🚀 **Microsoft's Security Copilot** is a new AI assistant designed to help organizations with security-related tasks using generative AI.
🧩 **Integration with Microsoft Services**: Security Copilot is integrated with various Microsoft services like Microsoft Defender XDR, Intune, Entra, and Purview.
💡 **Stateful Experience**: Unlike other Copilots, Security Copilot remembers previous sessions to allow for easier return to ongoing investigations.
🔍 **Enhanced Language Model**: It uses an augmented GPT model with security skills, improving its ability to work with security signals in the user's environment.
📌 **Managed Plugins**: Security Copilot offers a range of managed plugins for identity, device endpoints, incidents, threat intelligence, and data security.
📈 **Data Enrichment**: The assistant uses data from its plugins to enrich the investigation process and generate informed responses.
🔧 **Automated Security Processes**: It can automate multi-step security processes using Promptbooks, as demonstrated with the analysis of a suspicious PowerShell script.
🆚 **Comparison to Unmodified GPT**: Security Copilot outperforms an unmodified GPT model due to its fine-tuning and grounding in security data, as shown in the CVE and domain lookup examples.
🛠️ **Fine-Tuning and Specialization**: Security Copilot employs methods like LoRA fine-tuning to specialize the LLM for cybersecurity, making it more effective than general AI models.
⚙️ **Orchestration Engine**: The assistant has a built-in engine that retrieves, ranks, and grounds data for the LLM, ensuring responses are informed and within token limits.
📝 **Investigation Workflow**: Security Copilot aids in the entire incident investigation process, from initial queries to generating reports, and it maintains a stateful session for continuity.
📊 **Reporting and Summaries**: It can generate both technical and non-technical summaries, making complex security incidents understandable for various stakeholders.