Published: 7th April 2023 | In: Insights, News
At its inaugural Secure event on 28th March, Microsoft announced a host of new security features to help organisations everywhere better protect their assets, data and customers. One of these is Security Copilot, which our technology partner described as providing “end-to-end defence at machine speed and scale”.
So what’s new from Microsoft and how will their technology help you? We asked our Solution Directors what stood out for them.
Microsoft Security Copilot has got a lot of people talking. It’s a new AI-powered feature that promises to help security teams simplify their work and focus on the threats that matter to them, saving time and, hopefully, a huge amount of effort along the way.
For our identity security expert, Solutions Director Ricky Simpson, who spent 10 years working for Microsoft, there are several gems that will certainly help security teams thoroughly investigate threats more efficiently than ever before and also enable them to add relevant evidence in their reports. His favourite features are:
- A prompt bar at the centre of Security Copilot enables security teams to ask natural language questions about the security of data in the organisation. For example, they could enter:
- “What are the open incidents in my organisation right now?”
- “Give me a summary on this particular vulnerability”
- The prompt bar can also be given files, URLs or code snippets for analysis, so security teams could ask "Does the following JSON file have any malicious activity related to this incident in Sentinel?", where the incident reference is a link to an active Sentinel incident
- Information provided to Copilot will stay in your organisation, and an immutable audit trail ensures that any data being entered into Copilot and any data being generated as a result, is kept for potential investigations.
- Responses are provided using external sources of information but also combined with nuance gained from data held within your organisation too. External sources are always referenced for transparency and verification purposes.
- Responses worth keeping for the wider team can be pinned to the investigation Pinboard, and these can be shared and collaborated on with others in your team.
- Prompts that are used repeatedly in different investigations can be grouped into a Promptbook. This can reflect a set of steps or automations that would benefit an investigation, ensure consistency throughout the investigation process, and build on the success of others in your team.
Our Data Security Solution Director Graham Hosking, who also previously worked for Microsoft for six years, picked out these highlights from the event:
- Context-based classification: an administrator can auto-label files based on document name, size and type, creator, or a default site label for OneDrive and SharePoint sites
- Optical character recognition (OCR): OCR extracts text from image files and from images embedded in PDFs and screenshots, so that those files can be auto-labelled and protected. It extends to endpoint data loss prevention (DLP) and insider risk management, as well as additional workloads, supports over 150 languages, and is available for Exchange emails, files in SharePoint, OneDrive and Teams, and Windows endpoints.
- Proactive protection: on endpoint devices, every document, irrespective of when it was created or modified or what it contains, is scanned before the relevant restrictions are applied. While a monitored file has not yet been evaluated, the candidate policy blocks all egress activity on it rather than allowing it by default.
- DLP for virtualised environments: protect sensitive files accessed through virtualised environments such as Azure Virtual Desktop (formerly Windows Virtual Desktop), Citrix and others
- DLP for sensitive files stored on network shares
- Adaptive Protection: combines the content-centric controls of DLP with the people-centric context of insider risk management to balance data protection and productivity.
Our compliance expert, Principal Consultant Tim Harrison, was encouraged by the "quiet nod to the Copilot for Purview", which he's very keen to see more of. He picked out these key features:
- Copilot for forensics: this could be controversial, as it captures the screen activity of a user during suspected 'bad behaviour'. This might be very powerful, or in breach of a corporate code of practice, or both!
- The overall Copilot demo was impressive. It's able to crunch an entire security incident into a one- or two-page exec summary, including flowcharts, within moments; a human may take some hours to do the same. It is also able to do some reverse-engineering to show how malware was able to infect a host, including lateral movement to other systems. This has massive potential for incident analysis and containment.
- Defender for Teams essentially prevents malware and bad actors from using Teams as a way of infecting a corporate machine, instead of using email and phishing links. It uses the same detection ‘engine’ and gives the same level of protection, including reporting of events to the Security Operations Centre (SOC).
- OCR is (finally!) available to scan an image to detect sensitive data ‘within a picture’, i.e. someone has taken a photo of a sensitive document, and tries to exfiltrate the photo rather than the actual document. This has been historically difficult, but with some clever AI assistance, should finally close this security gap.
- Token protection: this is going to be critical in defending against lateral movement, as it will stop bad actors from 'stealing' tokens and using them to jump from one system to another, much as was seen in cyber incidents during March this year, when a number of high-profile YouTube channels were breached using stolen session tokens. The new service can immediately revoke tokens when Conditional Access policies are breached, and the new dashboard shows where there are gaps and unprotected users or apps across your environment.
- Purview Adaptive Protection: this uses machine learning within Purview to dynamically change how much access or ability a user has once they have been identified as 'high risk'. If Purview observes, for example, a future leaver beginning to act suspiciously and collecting sensitive data, it can automatically disable 'USB storage', 'email externally' and 'print remotely' to prevent a breach from occurring. This has the potential to be a game-changer in the Purview world of data protection.
In addition, the Microsoft Intune Suite, which was launched on 1 March but was mentioned again at Secure, is designed to unify "a series of mission-critical endpoint management solutions". Our team likes the way Intune incorporates security signals into endpoint management, simplifies everything for security analysts and employs much more automation to save time and reduce costs.
We also liked the new dashboard security feature of Microsoft Entra, the family of multi-cloud identity and access products which Microsoft made available in mid-2022. The overview dashboard in Conditional Access shows all the key data for an organisation's policy posture and its unprotected users and apps. It provides insights and recommendations based on individuals' sign-in activity, and helps show what impact specific policies have on the organisation's security.
Stay tuned for more security launches and insights from Microsoft
As a Microsoft Solutions Partner for Security and a member of the Microsoft Intelligent Security Association (MISA), we have a full-time Microsoft Alliance Manager. So we keep in regular contact with our sole technology partner and attend many of their key events, either in person or virtually. We’ll continue to keep a close eye on developments in all these areas and on anything else that Microsoft unveils in the coming months and will share our views and updates on the Insights page of our website.