The use of automated detection and response systems can help tip the scale in favour of defenders by using risk-based algorithms and anomalous activity detection to flag events that require human expertise to investigate further. This helps security analysts detect patterns and behaviours that are not obvious to the human eye, with more precision and speed than human defenders alone.

The background to “cognitive cyber”

As advances in dynamic and adaptive cyber defence systems become reality, what do organisations need to do to become ready for cognitive cyber, and what exactly is it?

Cognition refers to the mental processes involved in gaining knowledge and comprehension. Cognitive cyber attempts to simulate that process with the application of self-learning algorithms, natural language processing, and big-data mining techniques as applied to the cybersecurity domain. It uses cognitive system overlays to traditional artificial intelligence (AI)/machine learning (ML) models to achieve something greater than the sum of the parts. 

To recap:

• Classic/traditional AI and ML​ detects and classifies, and can work on vast amounts of data for use in real-time applications and automation of capabilities. ​Traditional AI is strong when it comes to looking at a large field of data and finding patterns or continuations (like making recommendations).
• Generative AI (GAI), often powered by generative pre-trained transformers (GPT), effectively understands and creates content. It works on relatively small chunks of data – text, images, sounds, videos. Large language models (LLMs) are a kind of GAI that work on text.​ LLMs are good at understanding language, summarising, and translating concepts, for example from language to code or vice-versa. ​

Clearly, linking these models makes for a much more powerful narrative. And, by using the compute power, scalability, and richness of the cloud, we can build entire systems of intelligence that can reason over vast amounts of information – structured and unstructured.​

Our name for this intelligence-based cognitive capability? Microsoft Copilots. These are experiences that use generative AI to help humans with complex cognitive tasks.

Introducing Microsoft Security Copilot

Built specifically to augment human security expertise, Microsoft Security Copilot is a combination of the most advanced GPT4 model from OpenAI, with a Microsoft expert-driven, security-specific LLM model.

Most LLMs are trained on corpuses of written human language. Security Copilot is trained on security logs, attack telemetry and threat intelligence, the outcome of which is the first AI/ML model trained specifically for security.

But the capability is much more than just the large language model. Built into the product are specific cyber skills and promptbooks informed by our global threat intelligence, which runs on Azure’s hyperscale infrastructure. This means that the models inherit Microsoft’s comprehensive approach to security, compliance, and privacy. When it comes to the data Copilot is reasoning across, your data remains your data.

Security Copilot democratises defender skills by allowing natural language for querying rather than having to learn complex querying languages like Kusto Query Language (KQL). This lowers the barrier to entry for new analysts, which helps address the cybersecurity skills shortage. We’ve launched an Early Access program for qualified candidates to explore the capabilities of Security Copilot. Reach out to your sales representative to get more details.

Use cases for Microsoft Security Copilot

Human ingenuity and expertise will always be an irreplaceable component of defence, so we need technology that can augment these unique capabilities to improve the analyst experience all-up. For this reason, initially we are focusing on security operations centre (SOC) use cases.

The three primary use cases are security posture management, incident response, and security reporting.​

• Security posture management: Security Copilot delivers information on anything that might expose an organisation to a known threat. It then gives prescriptive guidance on how to protect against those potential vulnerabilities.​ A query such as: ‘How can I improve my security posture?’ will return evidence-based recommendations.

• Incident response: Security Copilot can quickly surface an incident, enrich it with context from other data sources, assess its scale and impact, and provide information on what the source might be. Again, it will support the analyst through the response and remediation steps with guided recommendations.

• Security reporting: Security Copilot can deliver customisable reports that are ready to share and easy to consume to keep managers and other stakeholders in the loop. What this means tactically is you can ask Security Copilot in natural language: ‘Summarise this incident in a single PowerPoint slide’, and it will do just that.

Preparing for cognitive cyber defence: 3 steps

In the future, our vision with Security Copilot is to support use cases across security, identity, management, compliance and more, leveraging skillsets across Microsoft and third-party products. In the meantime, and whilst Security Copilot is not yet publicly available, there are things organisations can do to prepare for these cognitive cyber defence capabilities:

Step 1: Secure your identities, especially privileged identities, and SOC members. Attackers will frequently target these individuals to gain access to critical information and systems to elevate the impact of a successful compromise.

Step 2: The age of AI is also referred to as the age of platforms. Integrating your security signals into an observability platform brings huge security gains in terms of visibility and automation. 

Step 3: Initially, Security Copilot is integrated with Microsoft Defender for Endpoint, and for an even better experience, deploy Microsoft Sentinel and Intune. Going forward, Security Copilot will integrate with third-party products.  

Finally, prepare for the risks. As with any new technology, there are both risks and rewards. To help organisations navigate the risk/reward balance, we’ve released guidance, frameworks, and tooling. 

More information, including links to the risk assessment framework, the Counterfit tool and the Adversarial Threat Matrix (MITRE ATLAS) can be found in our Security blog post Best practices for AI security risk management. 

For information on our commitment to build trustworthy and responsible AI, please read Responsible and trusted AI and Building AI responsibly from research to practice.

Cognitive and AIML technologies are here to stay. While they have the power to bring immense potential for improving our defenders’ experience, securing our organisations, and protecting society, we must also be mindful of potential vulnerabilities on an equally large scale and defend against that risk.

Find out more

Introducing Microsoft Security Copilot

Microsoft Security Copilot Early Access Program

News Center: Microsoft brings the power of AI to cyberdefense

Microsoft Security Copilot: Empowering defenders at the speed of AI

About the author

Previously lead investigator for Microsoft’s detection and response team (DART), Lesley Kipling has spent more than 17 years responding to our customers’ largest and most impactful cybersecurity incidents. As Chief Cybersecurity Advisor, she now provides customers, partners and agencies around the globe with deep insights into how and why security incidents happen, how to harden defences and more importantly, how to automate response and contain attacks with the power of the cloud and machine learning. She holds a Master of Science in Forensic Computing from Cranfield University in the United Kingdom.

The post Cyber defence in the age of AI appeared first on Microsoft Industry Blogs - United Kingdom.

The evolving threat landscape has highlighted how attackers are refining their tactics and techniques. It also shows just how far they’re willing to go to disrupt organisations with cyberattacks.

Let’s take the example of human-operated ransomware, and the deliberate targeting of critical infrastructure. This is designed to cause as much financial, operational and societal impact as possible. Additionally, this is often compounded by the pressure from consumers, media and government – and one where core supply chains are cut off or severely disrupted. While the motivation of the cyberattack varies, there is a rise of recklessness. Attackers go beyond disruption into destruction as they learn how to combat and evade security defences. This puts business leaders in a position where they feel they have limited options. With the response likely to play out in the public domain, they often feel like they must pay the extortion demands either to restore services or prevent further disruption.

Enterprise resilience is needed to recover from human-operated cyberattacks. This goes beyond just cyber resilience. It requires a multi-faceted business, technology and operational response to recover services as quickly and effectively as possible across all domains. Resilience is the ability of the business to recover from failures and continue to function, in adverse conditions. It’s not about avoiding failures. It’s about taking proactive action to detect and respond to failures in a way that reduces downtime or data loss.

In the Microsoft Societal Resilience research program, we define resilience as the capacity to anticipate, absorb, and adapt to disruption. As Dr Peter Lee, Microsoft CVP of Research and innovations, says: “If we don’t acknowledge our risks, we can’t anticipate and prepare for them”. This is especially true in today’s world of radical innovation, where the threat actors often move faster than organisations do.

Planning for enterprise resilience against cyberattacks

Business continuity and information protection are absolute requirements for every business. But it can often entail cost, complexity, compliance, and resource to maintain. Using a cloud-based strategy helps to mitigate many of these issues. Building reliable and secure systems in the cloud is a shared responsibility. The reliability ‘of ‘the cloud is the responsibility of the cloud service provider. The reliability ‘in’ the cloud is the responsibility of the organisation. However, according to the National Cyber Security Centre, only three in 10 businesses have business continuity plans that cover cybersecurity.

How to build a secure cloud strategy

Those new to cloud should begin with Azure’s Cloud Adoption Framework, to determine business drivers and strategy. The Microsoft Azure Well-Architected Framework is a set of guiding tenants that architects, developers and solution owners can use to build and optimise reliable, secure and resilient services in the cloud.

Design for reliability and security

Designing for reliability requires an assume failure mindset. Designing for security requires an assume compromise mindset.

Cybersecurity is hard to mitigate for. Adversaries are working to counteract the business continuity strategy by actively adapting and navigating the controls that the business has implemented. If a plan is too rigid and does not anticipate change, it can often fail as the business is not able to react and pivot quickly enough to the ferocity of change or cyberattacks.

Machine learning and AI can take the pressure off IT or security teams with real-time threat detection and automation. This allows them to focus on higher value tasks, such as designing resilient workloads.

Choose the right workload

Designing workloads that are resistant to both natural disasters and malicious human intervention such as cyberattacks requires a thoughtful combination of high availability, disaster recovery and backup solutions. Across the whole environment, you need to consider how likely the primary control is to fail and the potential organisational risk if it does. Additionally, you need to counteract any of these with mitigating factors.

• High availability (HA): The ability of the application or service to continue running in a healthy state, without significant downtime.
• Disaster recovery (DR): The ability to recover from rare but wide-scale failures. For example, service disruption that affects an entire region.
• Data backup: A critical part of resiliency, distinct from storage redundancy solutions.

You can specifically address HA and DR needs with storage redundancy solutions that simultaneously replicate data and services to an alternative location. However, a secondary location can be impacted at the same time a near-real-time attack encrypts data in a primary location. This results in data loss or corruption.

When designing a backup solution for business-critical data in the cloud consider a tertiary, immutable backup (write-once-read-many). This is both physically and logically held away from any primary and secondary backups. As a result, there is another layer of protection against data loss, corruption, or malicious encryption. This is a good option for highly sensitive and regulated entities who are required to legally hold data. Azure Backup provides security features to help protect backup data even after deletion; one such feature is soft delete. If a backup is accidentally or maliciously deleted, soft delete retains it for an extra 14 days. Remember, regularly validate and test backup and restore procedures.

Protect privileged identities against cyberattacks

Often one of the most overlooked part of resilience is protecting the identities that have access to backups. As a result, compromised accounts can be used maliciously to encrypt or delete backups. Even in the example of soft delete, a compromised account with the appropriate rights can disable the feature before deleting backups.

Attackers deliberately target these resources because it impacts the ability to recover. Mitigate this by granting accounts the minimum privilege required to accomplish their assigned tasks. Limit the number of accounts with access to backups (but with a break-glass account included). Protect these with multi-factor authentication (MFA), which stops 99.9% of account compromise attacks. You should also consider just-in-time and just-enough access using dedicated privileged access workstations (PAWS). Log and monitor all changes for verification and compliance.

Validate your response to cyberattacks

To truly know if your strategy can hold up against cyberattacks, you need to successfully measure reliability and security to and understand the resilience of that system. This means testing end-to-end workloads against a range of severe but plausible scenarios.

Chaos engineering is the practice of subjecting cloud applications and services to real world failures and dependency disruptions to build, measure and improve resilience. Fault injection is the deliberate introduction of a failure into a system to validate robustness and error handling.

We use fault injection at Microsoft to induce a major failure or disaster and validate both the recovery and incident management processes. We place strict access controls around this capability to prevent accidents or malicious attacker abuse to safeguard and limit the impact of the testing. This enables the business and IT to consider and prepare for a range of scenarios that determine the robustness and design of the overall solution in a safe environment. It also increases the resilience and confidence in Azure and our services.

Microsoft Ignite 2021 provided a first look at Azure Chaos Studio which is our upcoming native chaos engineering and fault injection service. This will help organisations to measure, understand, and improve the resilience of their Azure applications.

Anticipate and adapt

Organisations require a level of preparedness that anticipates and adapts to a range of scenarios, whether accidental or malicious. The strategy needs to be flexible to adapt to the evolving threat landscape and be capable of delivering effective and scalable enterprise-wide recovery.

The good news is that cloud architectures can help improve enterprise resilience goals whilst enabling effective business continuity.

Find out more

Learn more about backup and disaster recovery

Human-operated ransomware attacks: A preventable disaster

Rapidly protect against ransomware and extortion

Resources to empower your development team

Cybersecurity best practices to implement highly secured devices

Introduction to cybersecurity learning path 

Data discovery, classification and protection learning path

About the authors

Sarah Armstrong-Smith is Chief Security Advisor in Microsoft’s Cybersecurity Solutions Area. She principally works with  strategic customers across Europe, to help them evolve their security strategy and capabilities to support digital transformation and cloud adoption.

Sarah has a background in business continuity, disaster recovery, data protection and privacy, as well as crisis management. Combining these elements means she operates holistically to understand the cybersecurity landscape, and how this can be proactively enabled to deliver effective operational resilience.

Sarah is recognised as one of the most influential women in UK Tech and UK cybersecurity. She regularly contributes to thought leadership and industry publications.

Previously lead investigator for Microsoft’s detection and response team (DART), Lesley Kipling has spent more than 17 years responding to our customers’ largest and most impactful cybersecurity incidents. As Chief Cybersecurity Advisor, she now provides customers, partners and agencies around the globe with deep insights into how and why security incidents happen, how to harden defences and more importantly, how to automate response and contain attacks with the power of the cloud and machine learning. She holds a Master of Science in Forensic Computing from Cranfield University in the United Kingdom.

The post How to future-proof and secure your organisation against cyberattacks appeared first on Microsoft Industry Blogs - United Kingdom.