Microsoft Copilot for Security: 5 use cases
Copilot for Security can assist security pros -- from managers and CISOs to incident responders and SOC members -- in maintaining security posture and addressing security gaps.
Microsoft officially launched Copilot for Security, its generative AI tool for cybersecurity teams, in April 2024, following a limited release the previous year.
Designed to augment enterprise security teams to efficiently manage cybersecurity programs, the GenAI chatbot comes at a time when the skills gap is rampant and staffing shortages abound.
Let's take an introductory look at the tool to explore how CISOs and their teams might use Copilot for Security to gain efficiencies within their organization's cybersecurity risk management program.
What is Microsoft Copilot for Security?
Microsoft Copilot for Security offers a tailored GenAI experience to security professionals. A targeted product within Microsoft Copilot, the company's generic AI assistant, Copilot for Security has additional security training to deliver more specific results to solve security problems, such as triaging active incidents, analyzing malicious code and reverse-engineering attacks.
Copilot for Security, which uses OpenAI technology, can supercharge an organization's program by enabling teams to quickly become power users of their networks. It uses a simple chat interface to give the power of GenAI to users with the backing of a mountain of security data collected by Microsoft.
Features include the following:
- Integrates with other Microsoft Security products, including Microsoft Defender XDR, Microsoft Sentinel, Microsoft Intune, Microsoft Defender Threat Intelligence, Microsoft Purview and Microsoft Defender External Attack Surface Management.
- Accessible as a standalone portal or as an embedded tool within other products.
- Uses natural language processing to synthesize complex technical data into straightforward responses and recommendations.
- Gives users the ability to create and save custom prompts.
- Provides usage reports with insights into how teams can more effectively use Copilot.
- Processes and responds to prompts in eight languages, with user interface support for 25 languages.
- Offers pay-as-you-go, consumption-based pricing model.
- In preview: Ingests and learns from proprietary content, such as internal security policies and incident response documentation, to allow searches and queries specific to a given organization.
Security for Copilot use cases
NIST's Cybersecurity Framework is the de facto cybersecurity risk management framework for many organizations. To that end, let's use the CSF's five main functions -- identify, protect, detect, respond, recover -- to show the breadth of coverage Copilot for Security can offer.
Note, these use cases are not exhaustive and are meant as data points for CISOs evaluating products in their cybersecurity risk management programs. Every organization is different. From risk tolerances to technology adoption appetite, it is incumbent upon each organization to understand its goals and objectives while also finding tools to reach those objectives.
Given that GenAI is a nascent technology, there are inherent risks to using it. If its use cases fit your organization and risk tolerances, however, Microsoft Copilot for Security might be able to streamline your workflows and assist with tasks for security teams, enabling them to focus on other tasks that require their attention.
1. Identify use case: Asset management
A key question for any CISO is "What do I have to secure?" Knowing which physical, virtual and cloud-based assets are on a network -- from endpoints to IoT sensors to OSes to users -- is crucial to protecting those assets.
With Copilot for Security, a simple question yields a valuable answer.
If an organization has its data in Microsoft Intune, a simple question of "What devices are on my network?" delivers a response of the organization's own data analyzed by the Copilot for Security platform and delivered in an easy-to-read format.
This use case does not require training on specialized query languages or tools to get the quick value of network comprehension. From there, teams can apply business logic to further drive actions on an organization's network, namely in terms of vulnerability management, incident triage and communications.
Such reports can also, in conjunction with other network activity reports, uncover instances of shadow IT and help security teams detect unauthorized devices connecting to the network.
2. Protect use case: Vulnerability management
While it is important to know what devices are on a network, it is just as important to know the potential vulnerabilities of those devices. This helps determine if additional security measures are required.
A lot of information is needed to consistently address vulnerabilities in a repeatable fashion. Copilot for Security comes with prebuilt "promptbooks" -- a concept similar to security playbooks. Users can also build their own custom promptbooks. These series of prompts enable security professionals to reuse interactions with the tool for different scenarios without having to rewrite content from scratch.
This capability drastically reduces the amount of time needed to complete repeated tasks while also helping security teams consider how to manage processes in a modular and consistent manner.
A good promptbook option is for vulnerability management. To create this, first design prompts that intake CVE IDs. Ask Security for Copilot for information about the CVE -- for example, affected systems, versions and other key data.
Teams can then feed this information into another prompt that asks the AI to assess the impact of that CVE against known assets on the network.
3. Detect use case: Incident triage
Promptbooks can also handle other labor- and data-intensive tasks. For example, many teams face a mountain of alerts and system messages from a plethora of security tools and products. Effectively managing the sheer volume of these demands is overwhelming.
Use Copilot for Security promptbooks to take a data pipeline approach to the problem. Create a promptbook that filters out alerts from incidents that don't meet certain criteria using a common language.
The promptbook pipeline could look something like the following:
- Identify affected devices.
- Identify users of those devices.
- Analyze the security posture of those devices. For example, is MFA enabled? What is the configuration status?
- Determine network impact.
- Give the incident an overall impact score.
- Summarize the results in an easy-to-read report.
This use case enables security teams to gain efficiency in their daily tasks while not being bombarded by myriad alerts.
4. Respond use case: Taking action
Security teams can use information from Copilot to respond in action. For example, in the previously discussed vulnerability management use case, teams can use the CVE data Copilot reported to ask the AI for actions to take to mitigate the vulnerability specifically on the affected assets on their organization's network. This use case quickly answers the question of "Are we covered for a given vulnerability?" using the organization's own data and assists with incident response actions.
While Copilot doesn't offer automated remediations, it is possible to build pipelines that perform automated actions using output Copilot response steps as input.
5. Recover use case: Communications
As mentioned, security admins can create a summary or easy-to-read report for internal and external communications for incident response and recovery.
During or after a security incident, communications are key. Prompt Copilot for Security to write a summary of the incident but be sure to redact any key details that might give adversaries an edge if they attack the network again. Sanitizing the communications enables an organization to maintain its security posture while also providing timely incident information to the public for reputation management.
Matthew Smith is a vCISO and management consultant specializing in cybersecurity risk management and AI.
