First announced in March 2023, Microsoft Security Copilot—Microsoft’s first generative AI security product—has sparked major interest. The widespread enthusiasm was on full display after announcing our Early Access Program in October 2023 and sharing our incredible Security Copilot innovations at Microsoft Ignite in November 2023. With the rapid innovations of Security Copilot, we have taken this solution beyond security operations use cases and into promising areas that can dramatically improve the day-to-day work of security teams, like incident response, risk assessment, and identity troubleshooting. And we’re just getting started with exploring how this solution can most benefit organizations.
For those who have experienced Security Copilot, the response has been overwhelmingly positive. In a randomized controlled trial, participants who tried it improved their security response time by as much as 26%.[1] For security novices with basic IT skills, the analysts using Security Copilot performed significantly better than members of the control group. Not only did analysts accomplish their work faster with Security Copilot, but they also expressed more confidence in the output. 86% of participants said Security Copilot helped them improve the quality of their work, and 90% noted they want Security Copilot the next time they do the same task.[1]
“Before Security Copilot, our analysts spent precious time capturing and consolidating attack data and running it through copywrite reviews before publishing. Now with Security Copilot, we can reduce that time by 90%, allowing them to start their next case.”—Brian Hooper, Principal Research Lead, Microsoft Defender Experts
Similarly, our security analysts from Microsoft Defender Experts are experiencing significant efficiencies in their work. Brian Hooper, a Principal Research Lead for Defender Experts, reports time savings of 90% in capturing attack data, consolidating it into incident summaries, and completing copywrite reviews.
Early insights and reviews have made the Microsoft Ignite announcements of Security Copilot’s capabilities and integrations even more exciting. Security Copilot has expanded beyond the security operations center (SOC) with new use cases and product experiences to help more security and IT teams protect at machine speed and scale.
Use cases for Microsoft Security Copilot
Security Copilot will help IT and security professionals strengthen their skills, collaborate more effectively, and catch attacks that might otherwise be missed. Security Copilot integrates across Microsoft’s security, identity, and compliance experiences to deliver greater end-to-end value of your security tools.
The new use cases for Security Copilot now extend beyond investigations in your security operations center to support the broader security needs of organizations seeking to strengthen their defenses against cyberthreats. We built Security Copilot to interoperate across the tools that address the top cybersecurity needs of the enterprise: device management, identity management, data security, and cloud security.
- Device management: The evolving device landscape is driving IT complexity and risk of app and policy misconfigurations—and IT administrators are responsible for a critical security role by managing devices. Security Copilot integrates with Microsoft Intune to generate policies, analyze drafts before deployment, and provide “what-if” analyses that draw attention to any potential security or productivity risks.
- Identity management: Password-based attacks have increased dramatically in the last year, and new attack techniques are now trying to circumvent multifactor authentication. To strengthen your defenses against identity compromise, Security Copilot integrates with Microsoft Entra to assist in investigating identity risks and help with troubleshooting daily identity tasks, such as why a sign-in required multifactor authentication or why a user’s risk level increased.
- Data security: Data security and compliance teams review a multitude of complex and diverse alerts spread across multiple security tools, each alert containing a wealth of rich insights. To make managing data protection easier, Security Copilot integrates with Microsoft Purview to provide summaries within Microsoft Purview Data Loss Prevention, Microsoft Purview Insider Risk Management, Microsoft Purview eDiscovery, and Microsoft Purview Communication Compliance workflows, helping analysts make sense of large and diverse data sets, accelerate investigation and response times, and complete complex tasks at all skill levels with AI-powered intelligence.
- Cloud security: Maintaining a strong cloud security posture is a challenge for cybersecurity teams, as they face siloed visibility into risks and vulnerabilities across the application lifecycle, due to the rise of cloud-native development and multicloud environments. With Security Copilot and Microsoft Defender for Cloud integrated, security admins can identify critical risks to resources faster with guided risk exploration that summarizes risks and enriches investigations with contextual insights such as critical vulnerabilities, sensitive data, and lateral movement.
- External attack surface management: Tracking assets and their vulnerabilities can be time-consuming for security teams as they determine which assets pose a risk to the organization. New capabilities integrated with Microsoft Defender External Attack Surface Management give security teams insights into their external attack surface anywhere the assets are hosted, giving them confidence in the outcomes.
Watch this video to see these Security Copilot integrations in action.
Standalone versus embedded experiences for Security Copilot
While Security Copilot extends capabilities to new members of the security and IT teams, it has also expanded how many of these capabilities are experienced. For organizations seeking different ways to summarize insights and remediate or troubleshoot investigations, Security Copilot can be used in an immersive standalone portal or embedded directly into existing, familiar security products. Both experiences are available to you, and choosing which to use depends on what matters most to users: pulling data from multiple tools into one place, or working from the product experience they already know.
- Standalone: Helps teams gain a broader context to troubleshoot and remediate incidents faster within Security Copilot itself, with all of these use cases enabling enriched cross-product guidance.
- Embedded: Offers the intuitive experience of getting Security Copilot guidance natively within the products that your team members already work from and are familiar with.
Figure 1. Security Copilot standalone experience.
Figure 2. Security Copilot embedded experience.
Security Copilot embedded experiences in action
While in early access, Security Copilot is expanding into embedded experiences across various Microsoft Security solutions. Each embedded experience entered private preview as announced during the Microsoft Ignite 2023 keynote. Here’s where and how Security Copilot is embedding into our existing security products:
- The Unified Security Operations Platform with Microsoft Sentinel and Microsoft Defender XDR: Capabilities include guided response for end-to-end incident investigation and response, natural language Kusto Query Language (KQL) for threat hunting, and expert code analysis.
- Microsoft Intune: Capabilities include policy creation and deployment with “what-if” and impact assessment to ease troubleshooting. Generative AI offers customized guidance so you can create and deploy policies faster. You also gain three new Intune solutions: Managed PKI, Enterprise App Management, and Advanced Analytics.
- Microsoft Entra: Capabilities include risk investigation and troubleshooting for identity scenarios. This enables you to identify gaps in Conditional Access coverage, investigate risky users, and configure policies and workflows.
- Microsoft Purview: Capabilities include the ability to summarize data loss prevention and insider risk incidents. This helps accelerate data security and compliance investigations and gives you a comprehensive risk view.
- Microsoft Defender for Cloud: Capabilities include guided risk exploration to identify critical security concerns and guided remediation. The latter guidance includes recommendation summaries, step-by-step remediation actions, and scripts.
Try Security Copilot for yourself
The Security Copilot Early Access Program lets you try the latest in Microsoft Security’s generative AI solution and see how it integrates with your Microsoft Security tool set.[2] Interest in the Security Copilot Early Access Program has been high, with limited space still available. Reach out to your sales representative to get details on qualifications for early access.
Learn more about Microsoft Security Copilot.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.
[1] Microsoft Security Copilot randomized controlled trial (RCT) conducted by Microsoft Office of the Chief Economist, November 2023.
[2] Microsoft Security Copilot Early Access Program includes Microsoft Defender Threat Intelligence at no additional cost and integrations with Microsoft Defender, Microsoft Sentinel, and Microsoft Intune.
from Microsoft Security Blog https://bit.ly/3uWUNRy