Tech Field Day

The Independent IT Influencer Event


Microsoft Security Presents at Security Field Day 13



Security Field Day 13

Nick Goodman presented for Microsoft Security at Security Field Day 13

Presentation date: May 28, 2025, 13:00-14:30.

Presenters: Nick Goodman


Follow on Twitter using the following hashtags or usernames: #XFD13

Microsoft Security Introducing Security Copilot Agents



This session explores the evolution and capabilities of Microsoft Security Copilot, focusing on how it’s transforming security operations. Microsoft Security Copilot has evolved to incorporate AI agents, offering a fundamentally different approach to security tasks compared to traditional automation. These agents dynamically plan, reason, and execute tasks, adapting their approach as new information emerges, much like human analysts. This capability has already shown significant benefits, with security teams using Security Copilot reporting incident response times that are approximately 30% faster. The platform is designed to be an ecosystem, with 13 active agents, including six developed by Microsoft and seven by partners, demonstrating a commitment to partner integration and extending AI capabilities across the Microsoft Security Suite.

One notable Microsoft-developed agent is the phishing triage agent, designed to address the overwhelming volume of user-reported phishing incidents. This agent autonomously triages these submissions, analyzing email content, threat intelligence data, and links to determine if an email is genuinely malicious or benign. This frees up human analysts from mundane tasks, allowing them to focus on true threats. The agent learns from human feedback, enabling it to adapt to specific business contexts and improve its accuracy over time. This active learning mechanism, where administrators can provide feedback to the agent, ensures that the AI’s reasoning process is continuously refined, addressing scenarios where the AI might initially misclassify an email due to a lack of organizational-specific knowledge.

Beyond phishing triage, Microsoft Security Copilot includes agents for data loss prevention and insider risk management, which leverage generative AI to classify documents and assist privacy analysts in reviewing alerts. The Conditional Access Agent helps organizations maintain up-to-date security policies by constantly reviewing and suggesting adjustments to conditional access policies, significantly reducing the risk window caused by policy drift. The vulnerability intelligence agent automates the process of reading vulnerability reports, assessing device estates (specifically Windows endpoints), and recommending patching groups in Intune. Lastly, the threat intelligence briefing agent provides organizations with customized reports on cyber threats and vulnerabilities relevant to their specific profile, empowering analysts and organizations that may lack dedicated threat intelligence teams. These agents are designed to integrate seamlessly into existing workflows, enhancing efficiency and enabling security teams to focus on higher-value activities.

Personnel: Nick Goodman

Microsoft Security Copilot Conditional Access Optimization Agent



This session explores the evolution and capabilities of Microsoft Security Copilot, focusing on how it’s transforming security operations. Microsoft Security Copilot operates as a unified platform, providing a consistent user experience across its various agents and underlying products. Key features like transparent decision trees, identity and RBAC management, and human-in-the-loop design principles are common across all agents, ensuring that users retain control and can audit AI-driven actions. The Conditional Access Agent, for instance, autonomously scans policies and recommends changes to ensure they align with the current state of the business, enabling rapid updates to security posture and reducing the risk window from months to minutes or hours.

The system incorporates robust guardrails, allowing organizations to control agent operations, particularly concerning new users and applications, and to apply custom natural language instructions to tailor agent behavior. This ensures that AI-generated policy recommendations are balanced with human oversight and business context. Users can also provide feedback to the agents, which directly influences their future reasoning and decision-making, akin to training a new human employee. This continuous learning mechanism is crucial for the AI to adapt to an organization’s specific nuances and improve its effectiveness over time.

While agents are designed to handle resource-intensive tasks like triaging user-submitted phishing emails, the generative AI component is not intended for real-time, high-volume inline processing due to its computational demands. Instead, Microsoft focuses on applying AI where it can most significantly augment human efforts, such as automating time-consuming and low-value tasks. The platform aims to provide clear metrics like resolution rates and time to triage, allowing organizations to assess the economic value of deploying these agents. Furthermore, Microsoft is committed to expanding integrations with third-party data sources and partners, empowering agents to leverage a broader ecosystem of security tools and data, and ultimately enabling customers to build more comprehensive and adaptive security workflows.

Personnel: Nick Goodman

