Copilot for Security: Your AI Partner 🤖

What is Copilot for Security?

Microsoft Copilot for Security shatters traditional security software limitations. It leverages cutting-edge large language models (LLMs) from OpenAI, along with vast security data and threat intelligence (encompassing a staggering 78 trillion daily security signals), to empower security teams with unmatched speed and scale.

So that’s super-clear, AI helps us humans, so we don’t have to become robots.

But this is the only confusion I have 😶: is it #c4s or #cfs?

Features

Copilot for Security simplifies several key security tasks through the power of generative AI.

| Use Case | Description | Benefit |
|---|---|---|
| Incident Summarization | Leverages AI to condense complex security alerts into clear, actionable summaries. | Improves communication, reduces response times, and streamlines decision-making. |
| Impact Analysis | Analyzes security incidents using AI to assess potential impact. | Provides insights into affected systems and data for effective prioritization of response efforts. |
| Reverse Engineering of Scripts | Eliminates manual work by automatically translating complex scripts into natural language with explanations. | Enables all analysts to understand attacker actions, extract indicators of compromise, and link them to relevant entities. |
| Guided Response | Offers step-by-step guidance for incident response, including triage, investigation, containment, and remediation. | Provides actionable steps with relevant deep links, allowing for faster and more effective response. |

Security Copilot: Standalone vs. Embedded Experiences

Security Copilot empowers not only veteran security analysts, but also new members of the security and IT team. It offers two distinct ways to leverage its capabilities: through an immersive standalone portal or as embedded experiences within existing security products. The choice between these options depends on your team’s preference:

  • Centralized View (Standalone): Ideal for teams who prioritize a holistic view. The standalone portal allows pulling data from multiple tools into one location, facilitating faster incident troubleshooting and remediation within Security Copilot. This approach fosters enriched cross-product guidance by providing a broader context for investigations.
  • Seamless Integration (Embedded): This option emphasizes familiarity. Security Copilot guidance is seamlessly integrated within the existing security products your team already uses, providing a familiar and intuitive experience. This allows them to leverage Copilot’s assistance without switching between different applications.

So there are two interfaces for it, check ✅

Permissions

By default, Everyone has Copilot contributor access. Consider replacing this broad access with specific users or groups.

| Capability | Copilot owner | Copilot contributor |
|---|---|---|
| Create sessions | Yes | Yes |
| Manage personal custom plugins | Yes | Default No |
| Allow contributors to manage personal custom plugins | Yes | No |
| Allow contributors to publish custom plugins for the tenant | Yes | No |
| Upload files | Yes | Yes |
| Run promptbooks | Yes | Yes |
| Manage personal promptbooks | Yes | Yes |
| Share promptbooks with tenant | Yes | Yes |
| Update data sharing and feedback options | Yes | No |
| Capacity management | Yes* | No |
| Data evaluation | Yes | No |
| View usage dashboard | Yes | No |
| Select language | Yes | Yes |

Be sure to check those permissions, admins! ✅

Custom plugins

Every Copilot for Security plugin requires a YAML or JSON formatted manifest file (for example: plugin.yaml or plugin.json) which describes metadata about the skill set and how to invoke the skills.

A manifest consists of two required top-level keys, Descriptor and SkillGroups, each containing sub-keys or key/value pairs, with required and optional fields depending on the skill format.
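As an added example (not from the original post or from Microsoft's own documentation), here is a minimal KQL-format plugin manifest that gives analysts a skill for reviewing failed logons on a named device. Only the Descriptor and SkillGroups keys come from the text above; the remaining field names (Format, Skills, Inputs, Settings, Target, Template) are assumed from the published KQL plugin format, and every value is constructed.

```yaml
# Constructed example manifest (plugin.yaml). Descriptor and SkillGroups are
# the two required top-level keys; the fields beneath them are assumed from
# the KQL plugin format and are not taken from the original post.
Descriptor:
  Name: FailedLogonHelper
  DisplayName: Failed Logon Helper
  Description: Summarizes recent failed logons on a device from Defender Advanced Hunting data.

SkillGroups:
  - Format: KQL
    Skills:
      - Name: GetFailedLogons
        DisplayName: Get failed logons for a device
        Description: Returns failed logon attempts for the named device within the lookback window, grouped by account and source.
        Inputs:
          - Name: DeviceName
            Description: Host name as recorded in DeviceLogonEvents.
            Required: true
          - Name: Hours
            Description: Lookback window in hours.
            Required: false
            DefaultValue: "24"
        Settings:
          # Defender target runs the query against Advanced Hunting tables.
          Target: Defender
          # {{...}} placeholders are replaced with the skill inputs at run time,
          # so Hours=24 yields ago(24h).
          Template: |-
            DeviceLogonEvents
            | where Timestamp > ago({{Hours}}h)
            | where DeviceName =~ "{{DeviceName}}"
            | where ActionType == "LogonFailed"
            | summarize Attempts = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
                by AccountName, RemoteIP, LogonType
            | order by Attempts desc
```

Upload the file as a custom plugin and the skill becomes available to prompts in the tenant, subject to the plugin permissions listed above.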

Prompt requests flow

When you ask Copilot a question (called a prompt), it works its magic to deliver the most relevant and helpful answer. The following diagram breaks down this process to show you what happens behind the scenes.

And to create accurate prompts, the machine works better with good inputs! ✅

Learning Resources

Ah, yes Rod has always excellent sources for us to upskill our game.

And SOCAutomators with the help from Andrea

If you want to upskill your game with LLMs and Copilot for Security, be sure to check The Circle Community, which is run by Elli.

And even more from Learn

Don’t forget those videos, see here for Tanium 🤖

Add that automation with those plugins ✅

Pricing and Considerations

Consumption-Based Model: Copilot for Security offers a pay-as-you-go pricing structure based on usage, at approximately $4 per SCU/hr (Security Compute Unit).

Minimum Annual Cost: To ensure continuous operation, a minimum annual cost of $35,040 USD applies or maybe not! 🔥

Read this article from Rogier

And this from Pierre to learn how to Deploy and Destroy (Love it!) with Bicep and GitHub Actions

Human-AI Collaboration Focus: Copilot for Security functions as a partner, augmenting human capabilities rather than replacing them. It’s a robot, so you don’t have to be.

What is a SCU?

Copilot for Security utilizes Security Compute Units (SCUs) to gauge the computational resources required for specific workloads. An SCU roughly translates to processing around ten workflows daily. The pricing structure for SCUs remains consistent across all regions, encompassing both the standalone and embedded deployment options.

Benefits of Copilot for Security

  • Enhanced Efficiency: Experience up to a 26% reduction in response times, as reported in randomized control trials.
  • Improved Threat Hunting: Gain valuable AI-powered recommendations to proactively identify threats.
  • Empowered Security Teams: Free up senior analysts for strategic tasks while equipping junior analysts with advanced capabilities.
  • Broad Applicability: Copilot for Security extends its value beyond SOC analysts, benefiting a wider range of security professionals.

Further Exploration

Randomized Controlled Trial Results: Delve into the findings of the randomized controlled trial for Copilot for Security https://www.microsoft.com/en-us/security/blog/2023/12/06/microsoft-security-copilot-drives-new-product-integrations-at-microsoft-ignite-to-empower-security-and-it-teams/

Integrations: Discover how Copilot for Security seamlessly integrates with various Microsoft security products for a holistic defense strategy:

Benefits Beyond SOC Analysts

While SOC analysts significantly benefit from Copilot for Security, its value extends to a broader range of security professionals:

Read here for the full documentation from Learn

ATLAS Matrix

You all know the MITRE ATT&CK® framework, but have you heard of ATLAS? No? Well, let me introduce it to you.

ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems) is a globally accessible, living knowledge base of adversary tactics and techniques against AI-enabled systems, based on real-world attack observations and realistic demonstrations from AI red teams and security groups.

Closure

By leveraging Copilot for Security, security teams can significantly enhance their efficiency, effectiveness, and overall security posture.

Copilot for Security isn’t just a tool; it’s an intelligent partner that augments human expertise, allowing your security team to operate at an unprecedented level of efficiency and effectiveness 🤖

Even after all this, the only confusion I have 😶 is the hashtag: #c4s or #cfs?

Author: Harri Jaakkonen