Microsoft Security Copilot Blog

Ignite 2024: Transforming Security with Microsoft Security Copilot

Dilip_Radhakrishnan
Nov 19, 2024

Today’s security and IT teams are working within increasingly complex and fragmented environments. They are constantly balancing a broad and varied tech landscape, a fast-changing regulatory environment, and increasingly sophisticated cyberthreats, while contending with a global cybersecurity skills shortage, data overload, and the risk of missing critical vulnerabilities, all of which slow response times and ultimately lead to security gaps. The evolving threat landscape has highlighted the critical role that AI can play in organizations’ security efforts.

To address these growing challenges, Microsoft introduced Microsoft Security Copilot (formerly known as Microsoft Copilot for Security) last April, enabling customers to use generative AI-powered assistance for daily operations in security and IT. Security Copilot is built to enhance every facet of an organization’s security operations across identities, devices, data, clouds, and apps. It turns global threat intelligence, industry best practices, and organizations’ own data into actionable insights to help teams catch what others miss, respond faster, and strengthen team expertise.  

Since Security Copilot became generally available, customers and partners have discovered powerful applications for the tool. Customers like Eastman, a specialty materials manufacturer, have experienced significant benefits, including cost savings, improved threat detection, and junior staff upskilling, with Security Copilot enabling faster KQL learning and reducing technical workloads.

“I’m finding that I can ask [Security Copilot] about attack factors that I’ve never seen before and get answers much faster. That helps me to make a better decision and respond faster to an attacker.”
- David Yates, Senior Cybersecurity Analyst, Eastman

Supporting this impact, new research from Microsoft -- conducted between March and August 2024 -- showed a 30% reduction in mean time to resolution (MTTR) for security incidents three months post-adoption of Security Copilot. Given that recent estimates suggest analysts spend, on average, 2.7 hours per day resolving incidents, costing $3.3 billion in the US alone, these results highlight the significant potential time and cost savings that Security Copilot can provide in security operations. Read the full research paper here.

What’s New at Ignite 2024 

Just seven months after its general availability, Security Copilot continues to introduce new feature enhancements that strengthen its position as the leading gen-AI tool for security. The latest exciting advancements extend Security Copilot's capabilities beyond SOC teams, empowering data, identity, and IT teams to leverage powerful AI-driven insights and automation. 

Security Copilot Beyond the SOC 

Figure 1: Data Security Posture Management

Data Security: Copilot in Purview  

Data security admins now have comprehensive, AI-powered visibility with new features, in public preview, for Copilot in Purview -- enabling faster, more accurate risk analysis across their data landscape. With Data Security Posture Management (DSPM), admins receive natural language insights on risks based on suggested or customizable prompts to prioritize and deepen their investigations. Copilot simplifies Data Loss Prevention (DLP) policy analysis by providing easy-to-read summaries and identifying DLP policy gaps, while eDiscovery case summaries streamline case management so users can quickly access natural language summaries of eDiscovery cases and searches. New DLP investigative prompts and the Copilot-powered Knowledge Hub further enhance data security team capabilities, providing actionable insights and guidance that help admins manage risks and upskill teams of all experience levels effectively.

Identity & Access: Copilot in Entra 

With Security Copilot embedded in Microsoft Entra, available in preview, identity admins can simplify their workflows, reduce administrative overload, and improve decision-making efficiency directly within the Entra portal. Copilot in Entra offers identity protection with AI-driven risk detection, insights, and mitigation capabilities, allowing identity and security teams to stay ahead of potential threats. With automated data gathering and correlation, admins can easily identify and respond to suspicious activity involving high-risk users, applications, and workload identities. It also allows admins to quickly troubleshoot access failures, offering automation and actionable insights around sign-in logs, user details, group details, audit logs, and diagnostic logs. Copilot transforms this complex data into natural language summaries, offering recommendations on how to quickly reduce risk and resolve access issues, even in highly sensitive situations.

Endpoint Management: Copilot in Intune   

IT admins can now leverage expanded capabilities for Copilot in Intune, available in preview, to further reduce attack surface, improve IT efficiency, and streamline complex admin workflows. These new capabilities include support for investigating app elevation details and identifying potential signs of compromised apps before approving Endpoint Privilege Management requests. Copilot also assists with KQL query creation for single- and multi-device analysis, making it easier to retrieve device data—minimizing the need for admins to have deep KQL expertise. Additionally, Copilot in Intune expands to simplify update management with Windows Autopatch. This integration enables Copilot to support essential update tasks—from planning and troubleshooting to analyzing deployment outcomes—empowering IT teams to proactively address and resolve update issues. 

Empower Security Teams and Automate Security Tasks 

Innovations to enhance your SOC 

The latest Security Copilot innovations for SOC, now generally available, empower security analysts to investigate incidents with more actionable user insights and greater user control. The new Identity Summary provides a comprehensive overview of the user identity information for quicker identification and resolution of potential security threats. The improved Copilot side panel experience remembers its open or closed state across tab changes, allowing users to maintain their preferred setting in the embedded experience.  

Threat Intelligence 

A Unified Threat Intelligence (TI) Experience, now in public preview, offers a complete view of threats by integrating a wider range of threat intelligence sources, including CVE data and advanced internet data sets, to help security teams quickly understand the impact of threats on the organization. New out-of-the-box promptbooks, now generally available, leverage this expanded breadth of intelligence through guided experiences that simplify complex workflows and empower SOC and threat intel analysts to investigate and respond to threats faster and more effectively.  

Task Automation 

Customer feedback has indicated significant value in using Copilot for task automation via Logic Apps and promptbooks. Users are able to do this by sequencing and automating common tasks enriched by gen AI insights to streamline security operations -- for example, a security analyst could create a Logic App that leverages Copilot promptbooks to automate the examination of user-reported phishing emails and determine the likelihood of a phishing event. Now generally available, the Security Copilot Logic Apps connector allows SOC teams to integrate promptbooks directly from Logic Apps to simplify the configuration of automation workflows.  

Building on Enterprise Readiness 

In addition to enhancing embedded capabilities for Security Copilot, we’re excited to announce several new platform features that help organizations to integrate, automate, monitor, and scale their security programs more efficiently. By connecting to existing tools via integrations, Security Copilot can extend and bring more value to users. We are also introducing features that help customers with monitoring, providing them with visibility and control over their audits, access, and usage. 

Partner Ecosystem 

As part of our effort to provide customers with truly end-to-end security protection, we have prioritized building out our Security Copilot partner ecosystem. We have worked with partners to develop plugins to enhance and extend the information and data brought into Security Copilot. At Ignite, we are announcing the general availability of over 15 plugins across different categories, including threat intelligence and device, network, and endpoint management.

  • Third-party Device, Network, and Identity plugins provide additional insights into device health and compliance, network traffic patterns, and user authentication activities. These integrations allow for a holistic view of the security landscape, enabling more effective monitoring and management of potential threats. Additionally, these plugins can help organizations enforce security policies, detect anomalies, and respond to incidents in a timely manner. New GA Device, Network, and Identity plugins include Red Canary, Netskope, Tanium, Silverfort, CyberArk, and Jamf. 

Additionally, new administrator controls for plugin management provide administrators with the ability to control which plugins can be enabled within their organizations. This feature provides more control and predictability of SCU consumption through plugins, helping organizations manage costs.  

New Platform Features  

We are also excited to introduce new platform features that help Security Copilot customers with visibility, guidance, and access control.

An update to role-based access control (RBAC), now in preview, refines contributor role permissions by replacing the 'everyone' option with a 'recommended roles' bundle. This grants access to users with flagship roles in Entra, Intune, Purview, and the unified security operations platform, and will be the default setting for new tenants, preventing unintended access by users outside enabled groups. Additionally, the general availability of audit logs provides a comprehensive record of all security analyst and admin activities -- available through Purview Audit and UAL -- allowing organizations to detect and analyze interactions for compliance with regulatory requirements.

Figure 2: Prompt Library

We are also announcing the preview of a new Prompt Library which provides prompts and promptbooks that may be used in Security Copilot. Customers who require more guidance in Copilot can leverage this library and filter by persona so they can easily find and use prompts and promptbooks that are most relevant to their role and tasks. Finally, the new Usage Dashboard, now generally available, offers detailed insights into your Security Compute Units (SCU) utilization with advanced filtering and a 90-day data timeframe, enabling data export into formatted Excel sheets for customizable analysis and better consumption management. 

Learn more about how your organization can benefit from Copilot 

Microsoft is dedicated to empowering customers with advanced security solutions that drive both robust protection and meaningful cost efficiencies across their security programs. This commitment is underscored by our adherence to industry leading standards like HITRUST, ISO 27001, ISO 27017, ISO 27018, and HIPAA, reflecting Microsoft's commitment to upholding the highest standards of security and data privacy for customers.  

Further demonstrating Microsoft’s commitment to deliver meaningful cost efficiencies and enhanced productivity across security programs, a recent Total Economic Impact study by Forrester Consulting highlights the significant ROI that organizations can achieve with Security Copilot. In a study of over 300 decision-makers, the implementation of Security Copilot resulted in an average 23-46.7% productivity gain for SecOps tasks, reduced risk of security breaches with a projected value between $546,000 and $1 million, and enabled cost efficiencies worth $86,000 to $257,000 per 3 years. Read the full study.

Figure 3: Security Copilot Event Sessions @ Microsoft Ignite

To learn more about the exciting new features and explore how Security Copilot can enhance your organization’s security program, we invite you to connect with us at Microsoft Ignite. This is a great opportunity to engage with our experts, gain deeper insights, and see firsthand how Security Copilot can streamline your security operations. Join us at the Security Copilot sessions listed above, visit our Meet the Experts booth, or reach out for more information. Connect with us today to discover how Security Copilot can transform your security program and meet your evolving security needs. 

Updated Nov 19, 2024
Version 4.0