Microsoft Security Blog

Blog Series: Charting Your Path to Cyber Resiliency

LizTesch
Microsoft
Apr 21, 2025

Part 3: Use Security Copilot to Increase Your Organization’s Cyber Resiliency


"Cyber resilience is more than just a buzzword in the security industry; it is an essential approach to safeguarding digital assets in an era where cyber threats are not a matter of ‘if’ but ‘when’." 


Cyber resiliency describes an organization’s ability to anticipate, withstand, respond to and recover from adverse conditions caused by cyberattacks. Destructive cyberattacks such as ransomware can be highly impactful to business operations and profitability. With its emphasis on protecting our companies’ most critical business functions, cyber resiliency enhances the reputation of the Cybersecurity function; it can even help us achieve that most elusive goal of demonstrating our value to the business.

In Part 1 and Part 2 of this series we examined the origins of cyber resiliency and Microsoft’s approach to helping our clients become more cyber resilient. As we learned in Part 1, Microsoft has identified 24 key issues that organizations should strategically target to enhance their cyber resilience.

These key issues are grouped into the following categories:

  • Low maturity security operations
  • Insecure configuration of identity provider
  • Insufficient privilege access and lateral movement controls
  • No Multi-factor Authentication
  • Lack of information protection control
  • Limited adoption of modern security frameworks

Let’s look at how Security Copilot can help, starting with the issue of Low maturity security operations.

Security Operations

Since its official release in April 2024, we’ve seen many Microsoft clients benefit from Security Copilot’s capabilities to address cyber resiliency issues in the category of Low maturity SOC Operations. For example, through its built-in integration with the Microsoft Defender XDR suite, Security Copilot features such as incident summaries, KQL Query Assistant and guided response can help with these components of the control:

  • Skill gaps across security operations
  • Limited use of endpoint detection and response
  • Gaps in security monitoring and integration

Even customers choosing not to use the full Defender XDR suite benefit from Copilot’s abilities to help them reverse engineer malware and generate scripts. Organizations with limited or no SIEM/SOAR capabilities can also take advantage of Security Copilot’s easy integration with Microsoft Sentinel to accelerate SIEM/SOAR adoption.

Security Copilot also assists with the issue of Ineffective SOC processes and operating model in 2 key ways: Reporting and Threat Intelligence.

Reporting

Security Copilot customers love the tool’s ability to quickly generate comprehensive incident reports geared to a variety of audiences, both technical and executive.

Microsoft Defender for Threat Intelligence Integration

Cyber Threat Intelligence (CTI) plays an important role in cyber resilience. NIST notes that an organization’s cyber resiliency decreases as the threat environment changes and new threat actors, techniques and vulnerabilities are introduced. Yet we often see customers not using threat intelligence effectively or, worse, not using it at all. Within the M365 Portal, the embedded Security Copilot experience features incident summaries that are automatically enriched with threat intelligence from the full version of Microsoft Defender for Threat Intelligence.

In both the embedded and standalone experiences, Security Copilot enables SOC analysts to use natural language to learn more about the threats and threat actors affecting their company and industry, get information about specific IOCs, and perform vulnerability impact assessments. Not sure how to start using threat intelligence? That’s OK, Security Copilot’s got you covered with suggested prompts like these in the standalone portal:

Figure 1: Prompts to try

Keep in mind, though, that Security Copilot is not just for SOC Operations; in fact, one of the key mistakes we’ve seen customers make in Security Copilot proof-of-concepts has been failing to involve Security teams outside the SOC. Simply put, if your organization is only using Security Copilot in the SOC, you’re significantly limiting its impact on your overall cyber resilience. So let’s look next at what else it can do through integrations with identity management, data protection, and cloud platforms.

Identity Management

According to the Verizon Data Breach Investigations Report (DBIR), most breaches start with stolen credentials. This is reflected in Microsoft’s cyber resilience guidance where 3 of the key issue categories are identity-based. Security Copilot aids with identifying gaps in Entra configuration, both in the Entra Admin center and the Security Copilot standalone experience. Core capabilities include:

  • Troubleshooting a user’s sign-in failures
  • Providing user account details and authentication methods
  • Exploring audit log events for a particular user, group, or application
  • Enumerating Entra ID roles and group memberships

In this case I’m troubleshooting a recent failed sign-in attempt by a user. Security Copilot gives me the details of the sign-in and tells me in plain language the reason for the failure, along with the applicable conditional access policy and the remediation steps to take:

Figure 2: Copilot identity management

Security and Identity pros whose organizations already use Microsoft’s Workload Identities feature can also take advantage of Security Copilot’s abilities to investigate risky Entra ID applications. Security Copilot’s reach even extends to protection of Active Directory on-premises through its integration with Microsoft's Unified Security Operations Platform, which can include Defender for Identity alerts, as well as Windows Security Events collected by Microsoft Sentinel.

Data Protection and Vulnerability Management

The cyber resilience category Lack of Information Control covers a diverse set of components, including ineffective data loss prevention controls and lack of patch and vulnerability management. Security Copilot integrations support various teams across the organization in areas such as:

Data Protection

Security Copilot has a powerful integration with Microsoft Purview Data Security Posture Management (DSPM), a centralized data security management tool that includes signals from Microsoft Purview Information Protection, Data Loss Prevention, and Insider Risk Management. Just some of the many goals of this integration are:

  • Helping Security teams conduct deeper investigations into data security incidents
  • Enabling DLP admins to better identify gaps in DLP policy coverage
  • Identifying devices involved in data exfiltration activities
  • Assisting with insider risk management investigations

Vulnerability Management

As SANS notes, “The quantity of outstanding vulnerabilities for most large organizations is overwhelming, and all organizations struggle to keep up with the never-ending onslaught of new vulnerabilities in their infrastructure and applications.” Security Copilot works with Microsoft Defender External Attack Surface Management (Defender EASM) to help address this challenge.

Defender EASM helps identify public-facing assets such as domains and hosts to map your organization’s external attack surface, discover unknown issues, and minimize risk. Security Copilot’s integration with EASM helps teams identify public-facing assets with high-priority CVEs and CVSS scores and find issues like expired domains, expired SSL certificates and SHA1 certificates. If you’re not currently using Defender EASM, it offers a free 30-day trial. (In fact, many customers have been so impressed with EASM and its Security Copilot integration during their trials, they’ve gone ahead and made it a permanent part of their cyber resilience strategy).

Finally, note that both Purview DSPM and Defender EASM have multi-cloud capabilities. When used in combination with Security Copilot, they can greatly assist IT and Security teams that have limited security experience in more than one cloud.

Cloud Platforms

Finally, in the cyber resilience category Limited adoption of modern security frameworks, Security Copilot helps address the issue of insecure design and configuration across cloud platforms via integrations with Azure Firewall and Azure WAF.

Security Copilot features include identifying malicious traffic, searching for a given IDPS signature across all Azure Firewalls in the environment, and generating recommendations to improve the overall security of your deployments. Security Copilot can also help analyze Azure Web Application Firewall (WAF) logs to provide context for:

  • Most frequently triggered rules
  • Malicious IP addresses identified
  • Blocked SQL injection (SQLi) and Cross-site Scripting (XSS) requests
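The three bullets above are exactly the summaries an analyst asks for when reviewing WAF logs. The script below is an added illustration, not Microsoft’s or Security Copilot’s code: it parses Application Gateway WAF diagnostic records (category ApplicationGatewayFirewallLog, fields under "properties") and produces the most frequently triggered rules, the client IPs behind blocked requests, and the count of blocked SQLi and XSS requests. The records are constructed for this example, and the SQLi/XSS classification assumes the rule IDs are OWASP Core Rule Set IDs, where the 942xxx group covers SQL injection and the 941xxx group covers XSS.

```python
"""Summarise Azure Application Gateway WAF log records: top rules, blocking client
IPs, and blocked SQLi/XSS requests.

Added example (not Microsoft code). Record layout follows the Application Gateway
WAF diagnostic log shape; the sample records are constructed, not real traffic.
Assumption: ruleId values are OWASP CRS IDs (941xxx = XSS, 942xxx = SQLi).
"""
import json
from collections import Counter

SQLI_RULE_GROUP = "942"  # OWASP CRS SQL injection rule group
XSS_RULE_GROUP = "941"   # OWASP CRS cross-site scripting rule group

# Constructed sample log, newline-delimited JSON, one record per line.
# Only the fields used below are populated.
SAMPLE_LOG = """
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"198.51.100.23","requestUri":"/login?user=admin'--","ruleSetType":"OWASP","ruleSetVersion":"3.2","ruleId":"942100","action":"Blocked","message":"SQL Injection Attack Detected via libinjection"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"198.51.100.23","requestUri":"/search?q=<script>alert(1)</script>","ruleSetType":"OWASP","ruleSetVersion":"3.2","ruleId":"941100","action":"Blocked","message":"XSS Attack Detected via libinjection"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"203.0.113.7","requestUri":"/api/items?id=1 OR 1=1","ruleSetType":"OWASP","ruleSetVersion":"3.2","ruleId":"942100","action":"Blocked","message":"SQL Injection Attack Detected via libinjection"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"203.0.113.7","requestUri":"/","ruleSetType":"OWASP","ruleSetVersion":"3.2","ruleId":"920350","action":"Matched","message":"Host header is a numeric IP address"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"192.0.2.44","requestUri":"/assets/app.js","ruleSetType":"OWASP","ruleSetVersion":"3.2","ruleId":"920300","action":"Matched","message":"Request Missing an Accept Header"}}
{"category":"ApplicationGatewayAccessLog","properties":{"clientIp":"192.0.2.44","requestUri":"/assets/app.js","httpStatus":200}}
"""


def parse_waf_records(raw: str) -> list:
    """Parse newline-delimited JSON and keep only the WAF firewall log records."""
    records = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("category") != "ApplicationGatewayFirewallLog":
            continue  # access logs and other categories are not rule hits
        records.append(rec["properties"])
    return records


def top_rules(records: list, n: int = 5) -> list:
    """Most frequently triggered rule IDs as (ruleId, count, message) tuples."""
    counts = Counter(r["ruleId"] for r in records)
    first_message = {}
    for r in records:
        first_message.setdefault(r["ruleId"], r.get("message", ""))
    return [(rule_id, count, first_message[rule_id])
            for rule_id, count in counts.most_common(n)]


def blocking_client_ips(records: list) -> list:
    """Client IPs with at least one blocked request, most-blocked first."""
    counts = Counter(r["clientIp"] for r in records if r.get("action") == "Blocked")
    return counts.most_common()


def classify_blocked_injections(records: list) -> dict:
    """Count blocked requests falling in the CRS SQLi and XSS rule groups."""
    summary = {"sqli": 0, "xss": 0, "other": 0}
    for r in records:
        if r.get("action") != "Blocked":
            continue
        rule_id = str(r.get("ruleId", ""))
        if rule_id.startswith(SQLI_RULE_GROUP):
            summary["sqli"] += 1
        elif rule_id.startswith(XSS_RULE_GROUP):
            summary["xss"] += 1
        else:
            summary["other"] += 1
    return summary


def summarize(raw: str) -> dict:
    """Produce the three summaries in one call for a raw log export."""
    records = parse_waf_records(raw)
    return {
        "top_rules": top_rules(records),
        "blocked_ips": blocking_client_ips(records),
        "blocked_injections": classify_blocked_injections(records),
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(summarize(SAMPLE_LOG))
```

Point the script at a real diagnostic export instead of SAMPLE_LOG to get the same summaries; Front Door WAF logs use a different category and a ruleName field rather than ruleId, so the parser would need adjusting for that source.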

Microsoft Copilot for Security integration is available for Azure WAF on both Azure Application Gateway and Azure Front Door.

Conclusion

As we've seen throughout this series, Microsoft provides practical and tactical guidance to help our customers enhance their cyber resiliency to sophisticated and destructive cyberattacks that impact critical business operations. Security Copilot offers new capabilities to help build cyber resiliency in diverse and challenging areas such as:

  • Vulnerability management
  • Data security
  • Multi-cloud management
  • Security operations
  • Identity protection

In Building Secure, Resilient Architectures for Cyber Mission Assurance, MITRE emphasizes that “game-changing technologies, techniques, and strategies can make transformational improvements in the resilience of our critical systems.” It's clear that Security Copilot is already one of those game-changers and, with the recent announcement of Security Copilot agents, charting your path to cyber resilience just got a lot more exciting.

Figure 3: Microsoft security ecosystem
Updated Apr 18, 2025
Version 1.0