Microsoft Takes Security Copilot AI Assistant to the Next Level

Microsoft has announced it will expand access to its Security Copilot service — an artificial intelligence (AI) assistant for security operations centers (SoCs) based on GPT-4 — to a larger number of customers as well as some technology partners. The chatbot will enter its official "early-access preview" window in the fall, supplanting Microsoft's current private preview and adding some new functionality.

The version available now has incorporated user feedback and adds "promptbooks" — sequences of commonly used AI prompts to give security professionals a starting point in their analyses — as well as integration with common cybersecurity tools to streamline operations.

The goal is to make security teams more efficient, ease pressure due to the shortage of workers with security skills, and simplify typically complex security activities, says Chang Kawaguchi, vice president and AI security architect at Microsoft.

"Automation is a key to every security operations organization, and you need the ability ... to be creative in interacting with it," he says. "Part of why we're moving to the next stage [is] opening up to partners, so that we can start to integrate [with] the tools that customers are using in their SOCs every day."

Creating a Broader Ecosystem With Partners

The early-access preview will allow Microsoft cybersecurity partners to connect to Security Copilot and integrate the service into their tools as well as provide data back to the service.

"Defenders have many, many tools which they use to do their jobs today," Kawaguchi says. "What private preview users like about the product is that it brings together multiple systems, multiple tools they would otherwise have to use, whether it's a trouble-ticketing system, their SEIM, [Microsoft] Defender for Endpoint. By doing the sort of interaction in Copilot, you can do it from one place where all of that data comes together."

Microsoft would not disclose the timeline for when Security Copilot would become generally available to the public, nor would it talk about which partners have access to it or how many overall users it plans to have in the early-access preview.

"It's still a relatively constrained list, but it is going to be a much larger number," Kawaguchi says. "We're not ready to disclose time frames for GA, or general availability, but I expect that will very likely be the next step. But we're going to be guided by learning by customer and partner feedback, and so we'll do it when we're ready and when we believe that we've got the right feature set."

He adds, "We want some more scenarios, some more customers. We want partners involved. And as we see partners get their extensible configuration set up, I expect that we'll see more emergent scenarios, right, where customers find that those combinations work really, really well."

LLM-Based Security Assistants Proliferate

Microsoft is the latest company to announce a large language model (LLM) enabled cybersecurity helper. At Black Hat USA in August, security professionals at Google Cloud will discuss how the company is using LLMs to analyze threats within its Mandiant incident response group. And in May, CrowdStrike launched its own generative AI assistant, dubbed Charlotte, to help companies learn by asking questions of the cybersecurity service.

Using generative AI for cyber threat intelligence and incident response will allow more IT and security professionals to hunt for threats and participate in the response to attacks, says Jamie Zajac, vice president of product at Recorded Future, which launched its own LLM-based service in April.

These systems make "even more advanced threat intelligence capability available to more companies," she says. "If you're an IT analyst or ... a Tier 2 SOC analyst, or you don't have a lot of time to do [an analysis], it's now becoming easier to apply intelligence into your workflows. I can make better decisions, and I can make them faster, and I can also enhance my capabilities that I didn't have time to develop robustly."

For its part, Microsoft estimates that incident response and threat intelligence analyses that typically take hours will now take minutes. In addition, collaboration through those promptbooks in Security Copilot — similar to Python scripts collected in Jupyter Notebooks — will allow common tasks to be standardized. Microsoft is hopeful that promptbooks will help novice security analysts do their jobs, but also allow more experienced analysts to spend more time on higher-value work.

"This is a series of pre-engineered prompts that could be provided by Microsoft or written and provided by your own peers for use within your organization that says, 'Hey, when we have malware, this is the set of analyses we want to do,'" Kawaguchi says. "All of this is to help try to simplify things for the incident responder."