What is Copilot for Security

Copilot for Security is an advanced AI-driven tool designed to enhance an organization’s cybersecurity posture. By leveraging the power of artificial intelligence, Copilot for Security assists in identifying, analyzing, and mitigating potential security threats in real-time. Out of the box, it looks across Microsoft 365, Azure, and Defender data to then allow support staff, administrators, and analysts the ability to ask questions and take action all by using a conversational interface to ask questions and dictate actions. Copilot for Security can help in:

1. Threat Detection and Response
2. Incident Management:
3. Vulnerability Management:
4. User Behavior Analytics:
5. Compliance and Governance

By leveraging Copilot for Security in Organizations, there are opportunities to help:

• Enhanced Security Posture: By integrating Copilot for Security, organizations can significantly improve their ability to detect and respond to threats, reducing the risk of data breaches and cyber-attacks.
• Operational Efficiency: Automating routine security tasks allows security teams to focus on more strategic initiatives, improving overall efficiency.
• Informed Decision-Making: Access to real-time data and comprehensive reports enables better decision-making and strategic planning.
• Scalability: Copilot for Security can scale with the organization, adapting to changing security needs and growing alongside the business.

By incorporating Copilot for Security, organizations can create a robust, proactive security environment that not only protects their assets but also supports their long-term growth and resilience.

Steps to Deploy

To deploy Copilot for Security you must go through the following three steps:

Step 1: Meet Minimum Requirements

1. Azure Subscription:
   • Ensure you have an active Azure subscription. If you don't have one, you can create a free account on the Azure website.
2. Security Compute Units (SCUs):
   • Determine the number of SCUs you need based on your organization's requirements. SCUs are essential for the performance and scalability of Copilot for Security. For more information, see Microsoft Copilot for Security pricing.

Step 2: Provision Capacity

You have two options to provision capacity:

Option 1: Provision Capacity within Copilot for Security (Recommended)

1. Access the Copilot for Security Portal:
   • Log in to the Copilot for Security portal using your Azure credentials.
2. Navigate to Capacity Management:
   • Go to the "Capacity Management" section.
3. Select Provision Capacity:
   • Click on "Provision Capacity" and choose the number of SCUs you need. For initial exploration, starting with 3 SCUs is recommended.
4. Confirm and Allocate:
   • Confirm your selection and allocate the SCUs to your environment.

Option 2: Provision Capacity through Azure

1. Access Azure Portal:
   • Log in to the Azure portal.
2. Navigate to Resource Management:
   • Go to the "Resource Management" section.
3. Create a New Resource:
   • Click on "Create a Resource" and search for "Copilot for Security".
4. Configure SCUs:
   • Configure the number of SCUs you need and complete the setup process.
5. Assign SCUs to Copilot for Security:
   • Once provisioned, assign the SCUs to your Copilot for Security environment.

Step 3: Set Up Default Environment

1. Access the Copilot for Security Portal:
   • Log in to the Copilot for Security portal.
2. Navigate to Environment Setup:
   • Go to the "Environment Setup" section.
3. Create Default Environment:
   • Click on "Create Default Environment".
4. Configure Environment Settings:
   • Name Your Environment: Give your environment a meaningful name.
   • Select Region: Choose the appropriate region for your environment to optimize performance and compliance.
   • Assign SCUs: Allocate the SCUs you provisioned earlier to this environment.
5. Set Up Security Policies:
   • Authentication and Authorization: Configure authentication and authorization settings based on your organization's security policies.
   • Access Controls: Set up role-based access controls (RBAC) to ensure that only authorized users have access to sensitive data and functionalities.
6. Review and Confirm:
   • Review all the settings and configurations. Once satisfied, click "Confirm" to finalize the setup.
7. Initialize Environment:
   • The system will initialize your environment. This may take a few minutes. Once completed, you will receive a notification.

How to Best Test

Copilot for Security works from a consumption-based model that relies on SCUs. An SCU, or security compute unit, is a measure of the amount of data processed by Copilot for Security. SCUs are used to determine the pricing and scaling of Copilot for Security services.

Each SCU currently costs $4/hour which means that if you run a single SCU for 2 hours, it will cost $8, full day is $96, etc. The SCUs do not automatically scale up and down and for testing, if is often recommended to only turn on what you need for when you need it.

Spyglass recommends that to help limit costs:

• Create a single SCU
  • Be aware that a single SCU will only allow for a few operations before you reach the limit for the hour.
  • If you are going to be doing significant testing and/or multiple user testing, then it is advised that you initially deploy more SCUs to account for it with the understanding that each one if $4/hour.
• Perform your testing and monitor your usage.
  • Some of the testing will be looking at summary pages that Copilot for Security provides in a side panel when you navigate to other portals even when you do not perform a specific prompt. Examples are when you use Copilot for Azure.
• Scale up and down as necessary based on the testing with the SCUs.
• At end of testing day, delete the SCU
• When testing begins the next day, spin one up with the same name.
  • You could have an issue if you delete and then try recreating immediately. If this is the case, create the SCU with a different name.

The good news with this method is that your prompts and promptbooks will remain based on retention policies with Microsoft.

As you start to test Copilot for Security functionality, it is important to monitor for deployments of Microsoft.SecurityCopilot/Capacities resources to ensure they are not left running when not needed or deployed and forgotten about.

Once you determine what usage will look like on an ongoing basis, you want to make sure you set up scaling to increase the SCUs in the morning and then scale them back overnight. If the increase and decrease in consumption is predictable, then there are opportunities to automate this process.

Conclusion

Copilot for Security can provide tremendous assistance with security analysts and administrators who know how to use it. To get to a point where it can be deployed in a manner where it will be leveraged appropriately, Spyglass recommends:

• Getting an initial pilot going as outlined in the blog.
• Scale up and down as necessary.
• Train users on specific user cases.
• Create necessary promptbooks to add automation for repeated tasks.

The possibilities are endless if you take the time to do it right and really train people on how to use the product. If you need any assistance, do not hesitate to reach out and contact Spyglass MTG.

Resources

For more detailed information, you can refer to the Get started with Microsoft Copilot for Security guide.

1. Get started with Microsoft Copilot for Security
2. Apply principles of Zero Trust to Microsoft Copilot for Microsoft 365
3. Before Doing Anything, Strengthen Your Security Posture
4. Strategic Guide for Implementing & Securing Microsoft 365 Copilot
5. Learn how to customize and optimize Copilot for Security with the ...