Microsoft Copilot for Security - Keep Endpoints More Secure

April 1, 2024

Micah Heaton

Executive Director, Managed Security Center of Excellence


In this blog series we’re exploring how AI and Microsoft Copilot for Security can help various security teams do more, faster.

Endpoint management is an ever-growing concern. Microsoft’s Digital Defense Report for 2023 stated that 80% of compromises originated from unmanaged devices. It also noted that if employees practiced basic cyber hygiene, it would halt 99% of common threats. For example, here are some interesting statistics from the report on how employees under 40 years old ignore basic best practices:

  • 38% of office workers use the same passwords on multiple devices
  • 34% of younger office workers shared work device(s) with family or friends
  • 34% of office workers under 40 use a birthdate in their password

Endpoints represent the most significant attack surface for many businesses and require the most resources to defend. Most organizations use an EDR solution like Defender for Endpoint. Many have combined EDR with a SIEM, such as Microsoft Sentinel, for better threat correlation and automated remediation.

Strengthen Endpoint Defenses and Respond to Corner Cases

Although an EDR solution can manage most endpoint security challenges, security analysts occasionally learn about a security event impacting their industry or a new attack vector that can circumvent or weaken their endpoint defenses. Copilot for Security can perform one-off, or custom, security tasks to help inspect for a possible vulnerability or help an analyst decide the course of action. Examples include:

  • Dynamic Risk Scoring: Use a wider variety of data beyond the scope of a traditional EDR solution. Use contextual data, recent events, and infrastructure to inspect endpoints and assign risk scores.
  • Custom Automated Response: Initiate custom automated response actions to perform specific tasks with one or a group of endpoints.
  • Unique Threat Intelligence Integration: Integrate different threat intelligence feeds with other data sources to identify new known indicators of compromise (IOCs) and proactively protect endpoints against emerging threats.
  • Predictive Analytics: Conduct forensics or analyze historical and other data to predict future threats or discover an existing vulnerability.
  • User Behavior Analytics: Track and flag suspicious user behavior activities that would not be detected using an existing EDR solution.
  • Take Unique Action: Design, test, and execute a special process to find and contain a unique threat.

By leveraging Copilot for Security, endpoint management teams have an important tool for inspecting their defenses for issues outside their existing EDR solution.

Streamline Endpoint Patch Management

Identifying, prioritizing, and applying patches to endpoints can be challenging. Copilot for Security can make the process simpler and more thorough. Some ways it can help include:

  • Data Collection and Gap Analysis: Analyze data to identify missing patches and prioritize them based on severity, exploitability, and impact.
  • Predict and Prioritize: Predict which patches are most critical using historical data, current threat intelligence, and the organization's specific risk profile. Consider factors such as exploit availability, targeted vulnerabilities, and system criticality to prioritize patch deployment effectively.
  • User Feedback and Monitoring: Collect end-user feedback and monitor endpoint performance and stability after patch deployment. Use a feedback loop to incorporate lessons learned from patching incidents and improve the accuracy and efficiency of patch management.
  • Threat Intelligence Integration: Correlate and compare threat intelligence feeds with a patch management system to prioritize patches. Identify emerging threats that require immediate patching.

By leveraging Copilot for Security to support EDR patch management, organizations can streamline the process of identifying and applying patches, reduce the window of exposure to vulnerabilities, and enhance the overall endpoint security posture.

Identify Missing Security Checks

There are dozens of potential vulnerabilities that need to be identified, tracked, and remediated to ensure endpoints remain secure. Copilot for Security can analyze data from EDR tools and identify gaps or inconsistencies in the cybersecurity posture. Here are some examples:

  • Data Collection: Consolidate data from a wide range of endpoint security tools such as antivirus, EDR, firewall logs, intrusion detection systems, and even vulnerability scanners.
  • Feature Validation: Gather data and compare what the EDR solution should be managing and doing with what is happening in the real world, such as misconfigured settings, outdated patches, and unauthorized apps.
  • Baseline Establishment: Establish normal endpoint behavior by analyzing historical data and identifying typical security checks performed and the results.
  • Contextual Analysis: Incorporate contextual information such as threat intelligence feeds, system dependencies, and business priorities to broaden cybersecurity checks.
  • Continuous Improvement: Establish a feedback loop incorporating insights from missed cybersecurity checks into the organization's security processes and procedures to strengthen future defense mechanisms.

Organizations can leverage Copilot for Security to identify missed endpoint cybersecurity checks. They can proactively address security gaps, reduce the risk of cyber threats, and improve the overall effectiveness of their security operations.

BlueVoyant is an early adopter of Microsoft Copilot for Security and a member of the Microsoft Design Advisory Council for Copilot for Security. Our commitment to our clients is to continually provide guidance on how and where to optimize security operations with Microsoft, including Copilot for Security.

Please stay tuned for more blogs on how different security teams can benefit from Microsoft Copilot for Security.