Generative AI: Shifting the Paradigm with Copilot for Security
Empowering security teams to protect at the speed and scale of AI

In the first article of the Generative AI series, we deep dived into the world of Generative AI & LLMs and explored strategies for securing and preparing the IT infrastructure in anticipation for Copilot for Microsoft 365. In this article of the series, we will pivot our focus and look at Generative AI from a different angle: Using Generative AI to accelerate threat hunting and incident response operations with Copilot for Security.


With each passing day, the sophistication and frequency of cyber attacks continue to escalate, posing unprecedented challenges to individuals, businesses, and governments worldwide. From disruptive ransomware attacks to covert espionage campaigns, attacks are becoming more complex and harder to detect. Consequently, Security Operations Center teams find themselves increasingly stretched by overwhelming workloads that are reducing their efficiency and effectiveness.

With that being said, staying ahead of the curve is not just a competitive advantage—it's a must-have in today's evolving threat landscape; and understanding the shifting tactics and techniques employed by cybercriminals is crucial for developing effective defense strategies.

Enter Generative AI, a revolutionary technology poised to shift the paradigm of how we approach cyber defense and redefine the very foundations of incident response.

In this article of the Gen AI series, we will deep dive into the world of Copilot for Security and showcase how threat hunters can leverage it to accelerate threat hunting and help security teams be more effective and efficient in all the roles they play.

Copilots, Copilots everywhere...

Before diving into Copilot for Security, it's essential to address the potential confusion with its older brother, Copilot for Microsoft 365. It's easy to mistake these two products, and it's crucial to understand the difference between them:

Copilot for Microsoft 365 is integrated within the Microsoft 365 productivity suite, whereas Copilot for Security operates independently with its own integrations in the Microsoft security ecosystem, its own use cases and its own licensing model.

Here's a breakdown of the main differences:

Copilot for Security vs. Copilot for Microsoft 365

Copilot for Security, What is it and how does it work?

Microsoft Copilot for Security is an innovative AI-powered cybersecurity solution designed to empower security teams in defending against cyber threats. By combining the advanced GPT-4 language model from OpenAI with Microsoft’s specialized security capabilities, Copilot enhances threat hunting efficiency and incident response.

Microsoft Copilot for Security doesn’t aim to replace threat hunters; instead, it acts as their trusted ally. By streamlining day-to-day tasks and automating repetitive activities, Copilot frees up valuable time for security professionals and allows them to focus on strategic, high-impact work: fortifying the organization’s defenses and proactively safeguarding against cyber threats.

So how does it do that, you may ask?

From a backend standpoint, Copilot for Security encompasses three core components:

  • Microsoft Security Model Integration: This component incorporates the Microsoft security model, enriching the product with a wealth of Microsoft threat intelligence and leveraging over 65 trillion security signals from Microsoft's network.
  • Integration with Microsoft Products and 3rd party tools: Seamlessly syncing all alerts and critical information regarding potential incidents, this component ensures that alerts and data from every connected source are analyzed together, providing a cohesive and holistic view of security incidents and investigations.
  • GPT-4 LLM Model: This advanced model enhances threat detection and response capabilities by leveraging state-of-the-art security-trained algorithms and techniques.

Copilot for Security — Under the Hood

From a product perspective, Copilot for Security is a SaaS product; however, what happens in the backend after a user submits a prompt is quite interesting.

Copilot for Security process flow

  1. The process starts when a user submits a prompt in the prompt bar. Once the user submits their prompt, it's sent to the Copilot backend, referred to as the orchestrator.
  2. Copilot for Security bundles the user prompt with the full list of Copilot capabilities for the enabled plugins and sends it to OpenAI with the request to make a plan for fulfilling the user’s request.
  3. OpenAI uses its advanced LLM to match the prompt with the available capabilities and creates a plan for fulfilling the user’s request.
  4. Copilot for Security's orchestrator executes the plan by running the code for the selected plugins/capabilities, gathering the right information and taking action.
  5. The native or third-party apps gather information, execute actions and send the response back to Copilot for Security.
  6. The orchestrator receives the response, but before the final response can be sent to the user, the orchestrator bundles that response with the original prompt and sends it back to OpenAI.
  7. OpenAI uses the power of its advanced LLM to compose a response in language that makes sense to a human being.
  8. That response from OpenAI is sent back to Copilot for Security for review by Microsoft’s responsible AI models, which look for anything malicious, hate speech, etc.
  9. The user receives the response from Copilot for Security.
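To make the nine steps concrete, here is a toy model of the orchestration loop. This is an added illustration and not Microsoft's code: the planner and the responsible-AI review are simple stand-ins for the OpenAI and review stages, and the plugin registry, capability names and incident data are all constructed. It shows the two control points a defender cares about: only capabilities of enabled plugins are ever offered to the planner (step 2), and every composed answer passes the review stage before it reaches the user (step 8).

```python
"""Toy model of the Copilot for Security request flow (steps 1-9).
Added illustration, not Microsoft's code; registry and data are constructed."""
from typing import Callable

Capability = Callable[[str], list[str]]

# Constructed plugin registry: each plugin has an enabled flag and named
# capabilities. The ticketing plugin is deliberately left disabled.
PLUGINS: dict[str, dict] = {
    "defender":  {"enabled": True,  "caps": {"list_incidents": lambda q: ["INC-1001 suspicious sign-in (constructed)"]}},
    "intel":     {"enabled": True,  "caps": {"lookup_ioc": lambda q: ["indicator present in constructed feed"]}},
    "ticketing": {"enabled": False, "caps": {"open_ticket": lambda q: ["ticket opened"]}},
}

DISALLOWED_MARKERS = ("<script>",)  # constructed stand-in for the review model's policy

def enabled_capabilities(plugins: dict) -> dict[str, Capability]:
    """Step 2: only capabilities of enabled plugins are bundled for the planner."""
    return {n: f for p in plugins.values() if p["enabled"] for n, f in p["caps"].items()}

def plan(prompt: str, offered: dict[str, Capability]) -> list[str]:
    """Step 3 stand-in: keyword matching instead of an LLM. Whatever the planner
    proposes is still restricted to the offered (enabled) capabilities."""
    keywords = {"list_incidents": "incident", "lookup_ioc": "ioc", "open_ticket": "ticket"}
    return [cap for cap, kw in keywords.items() if kw in prompt.lower() and cap in offered]

def compose(prompt: str, results: dict[str, list[str]]) -> str:
    """Step 7 stand-in: render plugin output as plain text for the user."""
    lines = [f"Answer for: {prompt}"]
    for cap, rows in results.items():
        lines.extend(f"- {cap}: {row}" for row in rows)
    return "\n".join(lines)

def review(text: str) -> bool:
    """Step 8 stand-in: approve the draft only if no disallowed marker appears."""
    return not any(marker in text for marker in DISALLOWED_MARKERS)

def orchestrate(prompt: str, plugins: dict = PLUGINS) -> dict:
    """Steps 1-9 end to end; returns what ran and the reviewed response."""
    offered = enabled_capabilities(plugins)                  # step 2
    steps = plan(prompt, offered)                            # step 3
    results = {cap: offered[cap](prompt) for cap in steps}   # steps 4-5
    draft = compose(prompt, results)                         # steps 6-7
    approved = review(draft)                                 # step 8
    response = draft if approved else "response withheld by review"
    return {"executed": steps, "approved": approved, "response": response}  # step 9

if __name__ == "__main__":
    print(orchestrate("list open incidents and open a ticket"))
```

With the ticketing plugin disabled, a prompt asking to open a ticket executes only the incident listing; enabling the plugin in the registry is what makes `open_ticket` reachable.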

Added Value of Copilot for Security

Overview of the benefits and added value of Copilot for Security (ROI)


According to a study that targeted junior SOC analysts, participants using Copilot for Security produced 44 percent more accurate responses and were 26 percent faster across all tasks.

Other interesting findings from the same study:

  • 86 percent reported that Security Copilot helped them improve the quality of their work.
  • 83 percent stated that Security Copilot reduced the effort needed to complete the task.
  • 86 percent said that Security Copilot made them more productive.
  • 90 percent expressed their desire to use Security Copilot next time they do the same task.


To Summarize...

Copilot for Security serves as a 'Swiss Army knife' solution that not only addresses the immediate challenges faced by security teams but also provides a strategic advantage in navigating the ever-evolving threat landscape. By harnessing the latest cutting-edge Generative AI technology (GPT-4), Copilot for Security functions as a force multiplier, amplifying the effectiveness of security operations teams.

Moreover, Copilot plays a pivotal role in empowering less experienced staff members within the security team and addresses the current talent shortage the cybersecurity world is facing. Through its easy-to-use interface, guided promptbooks, and recommendations, Copilot for Security provides invaluable support to junior analysts, enabling them to make informed decisions and take appropriate actions even in complex security scenarios.
