CISO essentials: How to

empower your defenders and

security operations with AI
CISO essentials: How to empower your 2
defenders and security operations with AI

Contents
01.
Manage identities
and access

07. 02.
Facing the Protect, detect
future and respond

Strengthening
apps
06.
AI 03.
Reduce alert
fatigue

05. 04.
Improve security Safeguard
management information

The digital estates of enterprises are global,
complex and ‘always on’. In a perfect world,
that’s great for business, but in our imperfect
one it means more exposure to cyberthreats.
As attacks increase in speed, complexity
and volume, CISOs are facing a shortage of
security talent to recognise risks and protect
users and data. Fortunately, advances in AI
are moving the needle in real, quantifiable
ways for security leaders and teams.
Read on to learn AI’s role in security
applications and follow the story of
a CISO and small team as they put AI
to work protecting their organisation
and optimising operations.
CISO essentials: How to empower your
defenders and security operations with AI
00.
How does AI enhance
cybersecurity?
Machine learning algorithms are trained on
large and varied data sets, from which they
develop usable, predictive models. Because
cyberthreats are varied and constantly
evolving, no single master algorithm or system
of rules can wholly drive enterprise security.
Instead, a comprehensive strategy utilises a
diverse, layered set of algorithms and expert
rules that have different training sets and
perform different processes.
3
Underpinning these algorithms is the
Microsoft Intelligent Security Graph, which
uses advanced analytics to collate massive
amounts of threat intelligence and security
data from over 6.5 trillion daily threat signals.
The signals in the Intelligent Security Graph
are shared across Microsoft solutions in real
time so that these applications can protect,
respond and remediate as necessary.
CISO essentials: How to empower your 4
defenders and security operations with AI

Microsoft Intelligent Security Graph

Unique insights, informed by trillions of signals

Outlook
5B
6.5 T OneDrive threats detected Shared threat data
on devices every from partners,
threat signals
month researchers and
analysed daily
law enforcement
worldwide
470 B
emails
analysed 200+
global cloud
Windows
consumer and
Botnet data
commercial
from Microsoft
Enterprise services
DigitalCrimes
security for Unit

90% Microsoft

of Fortune
Xbox Live 18 B+ accounts

500 Bing webpages

1 B+ scanned 630 B
Azure user monthly
accounts authentications

Bing
Azure
CISO essentials:
From one businessHow
owner
to empower
to another
your 5
defenders and security operations with AI

01.
Proactively manage
identities and access
CISO essentials: How to empower your 6
defenders and security operations with AI

Cloud-based AI acts as an important first line for identity and data protection, access
of defence, underpinning many of the tools we control and device management.
use today to set and maintain global policies

Identity and Access Management

Intelligent security capabilities reason over real time

signals to secure identities and reach zero trust.

User and Device Apps Real-

location time risk

Adaptive machine learning algorithms Analysis of real time signals is used

and heuristics are used to authenticate to determine when to allow access to
user sign on organisational data applications and network

Azure Active Directory Identity Protection Security logs are shared through the
uses adaptive machine learning to detect intelligent Security Graph to aid in security
anomalies that indicate potentially alert correlation and investigation across
compromised identities their entire threat landscape
CISO essentials: How to empower your
defenders and security operations with AI
For example, Azure Active Directory (AD)
Identity Protection uses adaptive machine
learning algorithms and heuristics to detect
anomalies and suspicious incidents that
indicate potentially compromised identities.
SecOps Log Conditional access protocols
6:30 AM catch ‘impossible travel’ risk
events
Lisa, a SecOps lead at a global freight
company based in Los Angeles, notices an
alert on her mobile about a suspicious access
control issue. Machine Intelligence has
detected that Sanjay, their port supervisor
in Asia, is apparently trying to sign in from
a location that appears suspicious, since he
accessed the network four hours earlier in
Kolkata as he normally does.
These two sign-ins originate from different
geographic locations within a window of
time too short to accommodate travel from
Intelligent technology helps your team provide
24/7 mitigation and remediation all over your
organisation’s digital estate. You can set the
7
And through Azure AD conditional access,
the AI can proactively reduce risk to your
environment when a risky behaviour or
sign-in attempt is detected.
one to another. This is a pretty good indicator
that a bad actor succeeded in logging on.
When a suspicious incident is detected, Azure
AD conditional access policies limit access
to applications or will require second-factor
authentication. The threat is contained, and
since it’s early in the morning in Los Angeles,
the alert sent to Lisa’s phone is silent.
Later, at work, Lisa uses the data from the
Azure AD logs to generate reports that
provide insight for the company’s CISO
to evaluate the detected issue.
policies that tell Azure AD Identity Protection
what to do, and you can reduce the overhead
of on-call security operations.
CISO essentials: How to empower your 8
defenders and security operations with AI

02.
Protect, detect and
respond to threats 24/7
CISO essentials: How to empower your 9
defenders and security operations with AI

Threat protection through AI simply wasn’t
practical, much less cost-effective, before
cloud computing. With volumes of global data
now measured in petabytes, no enterprise can
detect, respond and recover from breaches
effectively without AI. Layered machine
learning models use a variety of algorithms
and expert rules to correlate threat signals
across attack vectors, which frees up your
team to triage real issues or deal with
complex remediation.

Threat Protection

Correlate security alerts across attack vectors to more

effectively detect and respond to threats.

Sensitive data can be Threat intelligence Office 365 blocks Microsoft Defender ATP
automatically identified from a malicious this attachment and initiates an automated
and classified when attachment is shared removes the file from investigation on all
created. with the cloud all other mailboxes. protected devices.
protection engine.

Threat Protection correlates security alerts
across attack vectors to more effectively detect
and respond to threats. Learning models use
a variety of algorithms and expert rules to
correlate threat signals across attack vectors,
which frees up your team to triage real issues or
deal with complex remediation. Sensitive data
can be automatically identified and classified
when created. Threat intelligence from
a malicious attachment is shared with the
cloud protection engine. Office 365 blocks
this attachment and removes the file from
all other mailboxes. Microsoft Defender ATP
initiates an automated investigation on all
protected devices.
CISO essentials: How to empower your
defenders and security operations with AI
For example, Windows Defender Antivirus uses
layered machine learning models – from client-
based automation and local behaviour-based
detection algorithms, through to detonation-
based models and dynamic analytics – to
SecOps Log Intelligent endpoint security
7:30 AM thwarts a spear-phishing attempt
Morgan is CISO at the global freight
company. She’s heading to the airport when
she starts seeing emails from her leads about
a phishing email campaign that seems to
be targeting the company. An employee
received a well-disguised email on his
personal account, opened the attachment
and infected his machine with malware.
Morgan calls Lisa about the situation. The
company recently upgraded from Windows
7 to Windows 10 with the layered machine
Without AI insights, the manual analysis
of a phishing incident or other type of
cyberattack can take days for a SecOps team,
if not longer. Now, cloud-based AI with access
10
reach a verdict on suspected malware. While
safeguarding email users against malware,
spam and phishing, AI collects insights that
are seamlessly correlated and shared through
the Microsoft Intelligent Security Graph.
learning capabilities in Microsoft Defender
ATP. Morgan is heartened when Lisa tells her
that Microsoft Defender ATP detected unusual
activity on the device, sent an alert and shared
information about the suspected malware
via the Intelligent Security Graph. Office 365
ATP has begun blocking the attachment and
removing it from all other email inboxes.
Microsoft Defender ATP initiated an automated
investigation on all protected devices to
determine if other machines had been affected,
and took action to remove any malware.
to trillions of threat signals can find, investigate
and respond to real threats in minutes rather
than hours or days.
CISO essentials: How to empower your 11
defenders and security operations with AI

Emirates reduces detection and

response times from days to hours
“It’s very significant that those three zero-hour attempts were picked up not by
a human analyst, but by the AI engine operating in the cloud. If Microsoft Defender
ATP continues to advance its AI capabilities, and those capabilities are deployed,
I could see ransomware becoming a thing of the past within the next year or so.”

Vineet Bhatia
Head of CSOC,
The Emirates Group

Read more
CISO essentials: How to empower your 12
defenders and security operations with AI

03.
Reduce alert fatigue by
90% with security analytics
CISO essentials: How to empower your 13
defenders and security operations with AI

Built to scale, evolve and learn in real
time, deep-learning neural networks
(DNNs) model the behaviour of classes
of devices, applications and malicious or
suspicious activity via algorithms, regardless
of whether the AI has encountered
specific conditions previously. Security
systems with deep learning capabilities
provide more sophisticated analytics and
substantially reduce noise in alerts, which
reduces fatigue for IT admins and threat
hunters alike.

Intelligent security analytics

Deliver intelligent security analytics across your enterprise and unburden

your SecOps teams with a cloud-native Security Information and Event
Management (SIEM) solution.

Connect all of your Detect legitimate Investigate with Simplify security

security information threats quickly by an interactive operations and speed
and event sources to using Microsoft AI to visualisation that threat response with
collect data across correlate alerts across uncovers the entire integrated automation
all of your users, multiple services and scope of every attack. and orchestration of
devices, apps and prepare a prioritised list common tasks and
infrastructure. of suspicious activities. workflows.
CISO essentials: How to empower your
defenders and security operations with AI
Data from the Consumer Technology
Association shows that the top use of AI
applications in 2018 was detecting and deterring
security intrusions. Microsoft Azure Sentinel is
a security information and event management
(SIEM) solution that uses dynamic analytics
SecOps Log Active threat hunting
8:15 AM with AI
Lisa checks in with her mentee, Thaddeus,
a recent Navy veteran. Thad’s expertise in
ocean transport logistics got him hired, but
threat analysis is his superpower. Lisa asks him
to investigate the suspicious access attempts
from last night. In addition, Thad is keen
to enable SIEM integration with Microsoft
Defender ATP to provide real-time analysis of
security alerts.
Enhancing human intelligence with technology intelligence
Microsoft Threat Experts is a managed
threat-hunting service that pairs the strengths
of human hunter-analysts with deep learning
algorithms. The service is provided through
14
to help enterprise security teams investigate
suspicious activities, reducing alert fatigue by 90%.
AI technology provides comprehensive, interactive
visualisations of attacks and automates responses
with security orchestration.
Morgan monitors the progress of her team’s
investigations while she travels. Lisa is keeping
an eye on analytics, but she’s also managing
regular meetings and filling in for the CISO.
She decides to use their ‘phone a friend’
option and contacts Microsoft Threat Experts
to assist her team.
Microsoft Defender ATP and uses hunter-trained
AI to help analysts discover and prioritise both
known and unknown attack vectors.
CISO essentials: How to empower your 15
defenders and security operations with AI

04.
Safeguard information
and intellectual property
CISO essentials: How to empower your 16
defenders and security operations with AI

SIEM systems can identify, classify and
label sensitive data, as well as monitoring,
investigating and controlling file access
based on defined policies. For example,
when an employee creates a new document
that contains a credit card number, AI can
apply protections automatically.
Azure Information Protection implements
protection policies that stay with digital
documents wherever they travel in digital
space. Intelligent rules are able to remediate
errors at the source, and preserve any
information gathered in the knowledge base
to improve protection policies over time.

Information Protection
Automate sensitive data classification and apply protections that
follow data wherever it travels.

Sensitive data can be Policy protections automatically Advanced investigation tools

automatically identified prevent unauthorised actions – help admins respond quickly
and classified when created. such as unapproved access or to security alerts.
over-sharing.
CISO essentials: How to empower your
defenders and security operations with AI
Compliance matters
AI helps prevent unauthorised actions – such
as access by non-approved users, over-sharing
or sending a document as an email attachment –
that compromise privacy. These are critically
SecOps Log IT assists with data
11 AM protection
Before the upgrade, the freight company
had been in the habit of emailing ship and
shore contact lists in clear text (unprotected)
to employees, contractors and partners all
over the world. Sensitive information could
have leaked into the wild long ago. With
the help of analytics, Jordan, an IT admin,
identifies a variety of unlabelled data files in
old on-premises file repositories – contact
lists, account numbers, and so forth. At their
morning briefing, he shares his findings about
old files that are unlabelled and unprotected
with SecOps.
17
important capabilities for any enterprise,
but especially for CISOs in highly-regulated
sectors (finance, healthcare, etc.) where strict
compliance matters.
Jordan tells Lisa that IT will take on the project
of protecting the files in the archives. With the
intelligent capabilities in Azure Information
Protection, Jordan’s team decides to classify and
label email messages containing personnel data
as ‘Internal’. The label adds a header of ‘Internal
use only’ to be a visual indicator for all recipients
that the message contains business data that
should not be sent outside the organisation.
Since sensitivity labels are embedded in email
headers, the company’s email system can
inspect this header property and create an audit
entry, or prevent it from being sent outside the
organisation, depending on IT’s policy.
CISO essentials: How to empower your 18
defenders and security operations with AI

05.
Improve security management
with threat intelligence
CISO essentials: How to empower your
defenders and security operations with AI
Given the velocity, volume and variety of
threat vectors, IT and security operations often
need to make trade-offs between maintaining
productivity and locking down environments
to secure them. AI helps organisations to
reduce attack surfaces and assess the impact
of individual controls without having to shut
everything down.
SecOps Log Action plan based on
12:50 PM security insights
Lisa holds an impromptu stand-up meeting
with Jordan and Thad. Thad wants to use
the momentum of recent threats to actively
reduce the company’s exposure to a variety
of attack types, while Jordan is concerned
about the disruptive impact that overhauling
environments will have on regular workflows.
Lisa asks them to take a look at the Attack
Surface Reduction capabilities in Microsoft
Defender ATP.
19
For example, the Attack Surface Reduction (ASR)
rules in Microsoft Defender ATP use machine
learning insights to reduce the total attackable
surface area of an endpoint. Interoperation
with the Intelligent Security Graph means that
the ASR can make adaptive decisions based on
dynamic evaluation of threats.
Thad and Jordan set up a plan to enable device-
based conditional access, hardware-based
isolation for Microsoft Edge and zero-day exploit
mitigations, as well as AI-specific capabilities.
With ASR, they’ll be able to find and safely
disable a range of functionality that would very
rarely be used in business, but that could be used
for malicious purposes.
CISO essentials: How to empower your 20
defenders and security operations with AI

06.
Strengthening security
in app development
CISO essentials: How to empower your
defenders and security operations with AI
Developing and stress-testing new apps
and features is a highly vulnerable time
for an enterprise. Automated services and
intelligent policies help developers and
admins to perform risk assessments on the
software that they build or buy, including
open-source applications.
Microsoft Security Risk Detection is
a good example in this category. It’s an
intelligent service for finding the sort
of security bugs that can bring down a
business, and it covers Windows, Linux
and web applications.
SecOps Log CISO increases security
2 PM with DevOps vendor
Morgan meets with a Seattle vendor that
builds and supports custom web applications
for the freight company. She presents
expectations for the upcoming project,
21
Making app development more secure
demands AI that works on applications hosted
on-premises or in any cloud. Once a risk is found
in an application during use or development,
the entire security platform should work
together to isolate and monitor the application.
Exploit Guard draws on the machine learning
models and artificial intelligence power of the
Microsoft Intelligent Security Graph to identify
vulnerabilities and threats. Windows Sandbox
features in Windows 10 give IT admins a way
to mitigate risk from vulnerable applications
during development and debugging.
including the use of AI-enhanced security
capabilities and risk assessments to protect
builds and environments.
CISO essentials: How to empower your
defenders and security operations with AI
SecOps Log CISO debriefs the
4 PM SecOps team
After the meeting, Morgan checks in with
her team in L.A. She’s pleased to hear that
the morning’s issues are resolved and
they’ve received reports from Microsoft
Threat Experts identifying the most
important risks, as well as additional
details on the scope of the attacks.
SecOps Log Planning for AI to secure
7:30 PM global operations
On the return flight, Morgan flips through
her security presentation. She thinks about
how cloud-based AI capabilities in their
Windows 10 deployment transformed her
small team’s response to contemporaneous
threat events and enabled them to efficiently
22
Lisa also gives a heads-up that some executives
want to install a ‘smart’ video-conferencing
system and will be requesting a meeting.
This may have security implications, so Morgan
makes a note to adapt her security presentation
for this scenario.
defend the company’s global digital estate.
She thinks about how AI insights came up
in every conversation and were featured in
every decision made over the entire day. She
realises that levelling up security strategy for
AI transformation is now Job 1.
CISO essentials: How to empower your 23
defenders and security operations with AI

07.
Facing the future of security:
AI is critical and CISOs are
not alone
CISO essentials: How to empower your
defenders and security operations with AI

The centre of gravity in major verticals is Microsoft AI leads in enterprise security

already shifting to AI-enhanced solutions, because we implement a variety of AI models
and that means that the role of the CISO comprehensively and we diversify signal
is front and centre – not only for securing sources to ensure that the intelligence we
operations with AI, but also for securing receive is as diverse as the threats in an ever-
the AI models themselves. changing landscape. We can help you make
sense of AI and strengthen your security
We’re here to help you with all of it: operations centre.
from making sense of trillions of signals
in cloud telemetry and leveraging deep
learning insights in Azure, to helping you
preserve integrity in the AI models that
inform your business.

Discover how AI can enhance

your enterprise security.

Visit Microsoft Security

© 2019 Microsoft Corporation. All rights reserved. This document is provided ‘as is’. Information and views expressed in this document, including
URL and other Internet website references, may change without notice. You bear the risk of using it. This document does not provide you with any
legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.