Microsoft Copilot for Security is a powerful new artificial intelligence tool that can help companies home in on credible cybersecurity threats amid an onslaught of noise. However, significant expertise is required to configure and operate it properly and avoid unnecessary costs.
These are a few key takeaways from the webinar, "Getting Started with Microsoft Copilot for Security", presented by Dan Gravelle, Director of Global Solutions Architecture at Trustwave. In a little more than half an hour, Gravelle outlined the significant promise of Microsoft Copilot for Security, along with some practical advice on how to best deal with the usage-based pricing model.
Part of that equation may well mean getting professional help from a Microsoft security partner that has relevant expertise and offerings, such as the Trustwave Accelerator for Microsoft Copilot for Security, which provides a roadmap to follow for successful implementation and ongoing operation.
What is Microsoft Copilot for Security
AI is now mainstream in cybersecurity, Gravelle said, and with good reason.
"When used correctly, AI systems can be trained to enable automatic cyber threat detection, to generate alerts, and identify new strands of malware," Gravelle said. "With the help of AI we'll finally be able to discover and mitigate the thousands of cyber events that cause alert fatigue."
Any AI system is only as good as the data that feeds into it, and that's an area where Microsoft has an edge. "Microsoft has a vast array of data sources including Microsoft 365, Azure, Bing, Xbox, Outlook mail, and more," he said. "They add value through 65+ million daily signals."
All of these data sources integrate with Copilot for Security (which, by the way, is different from the more general-purpose AI engine Microsoft Copilot). So does the suite of Microsoft Security products that come with its E5 license, including Defender XDR, the Sentinel cloud-based security information and event management (SIEM) system, Entra ID, and third-party products like ServiceNow and Splunk.
Copilot for Security's Six-Step Process
In the webinar, Gravelle walked through how Copilot for Security follows a six-step process that would clearly take a hefty chunk of time to walk through manually. It involves crafting a prompt that can come directly from a user or an integrated system such as Defender XDR or Sentinel.
Then there's pre-processing, involving various data sources and an AI large language model (LLM). Next is post-processing the feedback from the LLM, which includes gathering data from relevant plug-ins for additional context and, finally, returning a response.
"By taking all of these steps, Copilot for Security is trying to orchestrate what would normally be a pretty clunky and disjointed manual [process]," Gravelle said. It also makes many decisions, informed by far more data than any human could process in the same amount of time.
Pricing Model Lends Importance to Proper Configuration
However, users will have to be mindful of their usage. Copilot for Security is priced using a provisioned capacity model based on hourly usage, or what Microsoft calls Security Compute Units (SCUs).
If you run up against your SCU limit, even in the middle of an investigation, you may find queries throttled. "You just have to wait till the next hour, and then you'll get reset in how much you can use," Gravelle said. "It's important to understand that."
The way users set up prompts has a lot to do with how quickly they will burn through SCUs, he noted, which gets to the importance of proper configuration and operation of Copilot for Security.
Trustwave can help in that regard. The Trustwave Accelerator for Microsoft Copilot for Security gives clients access to a team of Trustwave consultants with deep subject matter expertise in the whole suite of Microsoft Security products. In fact, Trustwave was one of the first Microsoft-certified Managed Security Service Providers (MSSPs) and holds a bevy of Microsoft credentials, including as a Verified MXDR Partner and Copilot for Security Partner.
This team can help assess your environment, as well as plan and analyze core security operations such as detection, triage, and response promptbooks – which are key to keeping usage under control. We can also help optimize the interoperability of Copilot for Security with other Microsoft Security products, identify potential use cases, and generally help increase the return on your Microsoft investment.
To learn more, check out the webinar "Getting Started with Microsoft Copilot for Security". While you're at it, check out the rest of the Trustwave webinar series, "Unlocking the Power of Microsoft Security".
