Contents
01. Manage identities and access
02. Protect, detect and respond
03. Reduce alert fatigue
04. Safeguard information
05. Improve security management
06. Strengthening apps
07. Facing the future
The digital estates of enterprises are global, complex and ‘always on’. In a perfect world, that’s great for business, but in our imperfect one it means more exposure to cyberthreats. As attacks increase in speed, complexity and volume, CISOs are facing a shortage of security talent to recognise risks and protect users and data. Fortunately, advances in AI are moving the needle in real, quantifiable ways for security leaders and teams.

Read on to learn AI’s role in security applications and follow the story of a CISO and small team as they put AI to work protecting their organisation and optimising operations.
CISO essentials: How to empower your defenders and security operations with AI
00. How does AI enhance cybersecurity?
Machine learning algorithms are trained on large and varied data sets, from which they develop usable, predictive models. Because cyberthreats are varied and constantly evolving, no single master algorithm or system of rules can wholly drive enterprise security. Instead, a comprehensive strategy utilises a diverse, layered set of algorithms and expert rules that have different training sets and perform different processes.

Underpinning these algorithms is the Microsoft Intelligent Security Graph, which uses advanced analytics to collate massive amounts of threat intelligence and security data from over 6.5 trillion daily threat signals. The signals in the Intelligent Security Graph are shared across Microsoft solutions in real time so that these applications can protect, respond and remediate as necessary.
[Figure: signal sources feeding the Microsoft Intelligent Security Graph] 6.5T threat signals analysed daily; 5B threats detected on devices every month; 470B emails analysed; 630B monthly authentications; 1B+ Azure user accounts; 18B+ scanned (Bing); 200+ global cloud consumer and commercial services; enterprise security for 90% of Fortune 500; shared threat data from partners, researchers and law enforcement worldwide; botnet data from the Microsoft Digital Crimes Unit. Services shown as sources: Outlook, OneDrive, Windows, Xbox Live, Azure, Bing.
01. Proactively manage identities and access
Cloud-based AI acts as an important first line of defence, underpinning many of the tools we use today to set and maintain global policies for identity and data protection, access control and device management.

[Figure] Azure Active Directory Identity Protection uses adaptive machine learning to detect anomalies that indicate potentially compromised identities. Security logs are shared through the Intelligent Security Graph to aid in security alert correlation and investigation across the entire threat landscape.
For example, Azure Active Directory (AD) Identity Protection uses adaptive machine learning algorithms and heuristics to detect anomalies and suspicious incidents that indicate potentially compromised identities. And through Azure AD conditional access, the AI can proactively reduce risk to your environment when a risky behaviour or sign-in attempt is detected.
Lisa, a SecOps lead at a global freight company based in Los Angeles, notices an alert on her mobile about a suspicious access control issue. Machine intelligence has detected that Sanjay, their port supervisor in Asia, is apparently trying to sign in from a location that appears suspicious, since he accessed the network four hours earlier in Kolkata as he normally does.

These two sign-ins originate from different geographic locations within a window of time too short to accommodate travel from one to the other. This is a pretty good indicator that a bad actor succeeded in logging on. When a suspicious incident is detected, Azure AD conditional access policies limit access to applications or require second-factor authentication. The threat is contained, and since it’s early in the morning in Los Angeles, the alert sent to Lisa’s phone is silent.

Later, at work, Lisa uses the data from the Azure AD logs to generate reports that provide insight for the company’s CISO to evaluate the detected issue.
Intelligent technology helps your team provide 24/7 mitigation and remediation all over your organisation’s digital estate. You can set the policies that tell Azure AD Identity Protection what to do, and you can reduce the overhead of on-call security operations.
02. Protect, detect and respond to threats 24/7
Threat protection through AI simply wasn’t practical, much less cost-effective, before cloud computing. With volumes of global data now measured in petabytes, no enterprise can detect, respond and recover from breaches effectively without AI. Layered machine learning models use a variety of algorithms and expert rules to correlate threat signals across attack vectors, which frees up your team to triage real issues or deal with complex remediation.
[Figure: Threat Protection] Threat Protection correlates security alerts across attack vectors to more effectively detect and respond to threats. Sensitive data can be automatically identified and classified when created. Threat intelligence from a malicious attachment is shared with the cloud protection engine. Office 365 blocks this attachment and removes the file from all other mailboxes. Microsoft Defender ATP initiates an automated investigation on all protected devices.
For example, Windows Defender Antivirus uses layered machine learning models – from client-based automation and local behaviour-based detection algorithms, through to detonation-based models and dynamic analytics – to reach a verdict on suspected malware. While safeguarding email users against malware, spam and phishing, AI collects insights that are seamlessly correlated and shared through the Microsoft Intelligent Security Graph.

Without AI insights, the manual analysis of a phishing incident or other type of cyberattack can take days for a SecOps team, if not longer. Now, cloud-based AI with access to trillions of threat signals can find, investigate and respond to real threats in minutes rather than hours or days.
Vineet Bhatia, Head of CSOC, The Emirates Group
03. Reduce alert fatigue by 90% with security analytics
Built to scale, evolve and learn in real time, deep-learning neural networks (DNNs) model the behaviour of classes of devices, applications and malicious or suspicious activity via algorithms, regardless of whether the AI has encountered specific conditions previously. Security systems with deep learning capabilities provide more sophisticated analytics and substantially reduce noise in alerts, which reduces fatigue for IT admins and threat hunters alike.
Data from the Consumer Technology Association shows that the top use of AI applications in 2018 was detecting and deterring security intrusions. Microsoft Azure Sentinel is a security information and event management (SIEM) solution that uses dynamic analytics to help enterprise security teams investigate suspicious activities, reducing alert fatigue by 90%. AI technology provides comprehensive, interactive visualisations of attacks and automates responses with security orchestration.
Lisa checks in with her mentee, Thaddeus, a recent Navy veteran. Thad’s expertise in ocean transport logistics got him hired, but threat analysis is his superpower. Lisa asks him to investigate the suspicious access attempts from last night. In addition, Thad is keen to enable SIEM integration with Microsoft Defender ATP to provide real-time analysis of security alerts.

Morgan monitors the progress of her team’s investigations while she travels. Lisa is keeping an eye on analytics, but she’s also managing regular meetings and filling in for the CISO. She decides to use their ‘phone a friend’ option and contacts Microsoft Threat Experts to assist her team.
Microsoft Threat Experts is a managed threat-hunting service that pairs the strengths of human hunter-analysts with deep learning algorithms. The service is provided through Microsoft Defender ATP and uses hunter-trained AI to help analysts discover and prioritise both known and unknown attack vectors.
04. Safeguard information and intellectual property
Information protection systems (not the SIEM itself, which consumes their logs) can identify, classify and label sensitive data, and can monitor, investigate and control file access based on defined policies. For example, when an employee creates a new document that contains a credit card number, AI can apply protections automatically. Azure Information Protection implements protection policies that stay with digital documents wherever they travel. Intelligent rules are able to remediate errors at the source, and preserve any information gathered in the knowledge base to improve protection policies over time.
[Figure: Information Protection] Automate sensitive data classification and apply protections that follow data wherever it travels.
Compliance matters

AI helps prevent unauthorised actions – such as access by non-approved users, over-sharing or sending a document as an email attachment – that compromise privacy. These are critically important capabilities for any enterprise, but especially for CISOs in highly regulated sectors (finance, healthcare, etc.) where strict compliance matters.
Before the upgrade, the freight company had been in the habit of emailing ship and shore contact lists in clear text (unprotected) to employees, contractors and partners all over the world. Sensitive information could have leaked into the wild long ago. With the help of analytics, Jordan, an IT admin, identifies a variety of unlabelled data files in old on-premises file repositories – contact lists, account numbers, and so forth. At their morning briefing, he shares his findings about old files that are unlabelled and unprotected with SecOps.

Jordan tells Lisa that IT will take on the project of protecting the files in the archives. With the intelligent capabilities in Azure Information Protection, Jordan’s team decides to classify and label email messages containing personnel data as ‘Internal’. The label adds a visible ‘Internal use only’ header marking to the message, a cue to every recipient that it contains business data that should not be sent outside the organisation. Because the label is also recorded in the message’s email headers, the company’s mail system can inspect that header property and either create an audit entry or prevent the message from being sent outside the organisation, depending on IT’s policy.
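The header inspection that last paragraph describes, as an added example written for this page rather than code from the ebook or from Azure Information Protection: parse the label out of the message headers, work out which recipients are outside the organisation, and either audit or block. Azure Information Protection records the applied label in an ‘msip_labels’ header; the key layout used in the constructed messages below, the placeholder label GUID, the label ranking and the ‘.test’ domains are assumptions for the example.

```python
"""Mail-flow policy check on sensitivity-label headers (added example, not AIP code)."""
from dataclasses import dataclass, field
from email import message_from_string
from email.message import Message
from email.utils import getaddresses
from typing import Dict, Iterable, List, Optional

# Assumptions: label names in order of increasing sensitivity, and the rule that
# anything labelled Internal or above must not leave the organisation.
LABEL_RANK = {"Public": 0, "General": 1, "Internal": 2, "Confidential": 3}
ENFORCE_FROM = "Internal"
LABEL_HEADER = "msip_labels"   # header AIP writes; the key layout below is assumed


@dataclass
class Decision:
    action: str                     # "deliver" or "block"
    label: Optional[str]
    external_recipients: List[str]
    audit: Dict[str, object] = field(default_factory=dict)


def parse_label(header_value: Optional[str]) -> Optional[str]:
    """Extract <name> from 'MSIP_Label_<guid>_Name=<name>; ...'; None if unlabelled."""
    if not header_value:
        return None
    for part in header_value.split(";"):
        key, _, value = part.strip().partition("=")
        if key.startswith("MSIP_Label_") and key.endswith("_Name"):
            return value.strip()
    return None


def recipient_addresses(msg: Message) -> List[str]:
    """All To/Cc/Bcc addresses, lower-cased, with display names stripped."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def evaluate(raw_message: str, internal_domains: Iterable[str]) -> Decision:
    """Decide whether a labelled message may leave the organisation; always build an audit entry."""
    internal = {d.lower() for d in internal_domains}
    msg = message_from_string(raw_message)
    label = parse_label(msg.get(LABEL_HEADER))
    external = [a for a in recipient_addresses(msg) if a.rsplit("@", 1)[-1] not in internal]
    # A label name the policy does not know is treated as the most sensitive one (fail closed).
    rank = LABEL_RANK.get(label, max(LABEL_RANK.values())) if label is not None else -1
    action = "block" if rank >= LABEL_RANK[ENFORCE_FROM] and external else "deliver"
    audit = {   # what the mail system would write to its audit log for this message
        "sender": msg.get("From"),
        "subject": msg.get("Subject"),
        "label": label,
        "external_recipients": external,
        "action": action,
    }
    return Decision(action, label, external, audit)


# Constructed sample messages (not real mail). Domains use the reserved .test TLD.
INTERNAL_DOMAINS = {"example-freight.test"}
GUID = "11111111-2222-3333-4444-555555555555"   # placeholder label id

LABELLED_TO_PARTNER = f"""\
From: jordan@example-freight.test
To: sanjay@example-freight.test, ops@shipping-partner.test
Subject: Ship and shore contact list
msip_labels: MSIP_Label_{GUID}_Enabled=true; MSIP_Label_{GUID}_Name=Internal

Updated contact list attached. Internal use only.
"""

LABELLED_INTERNAL_ONLY = f"""\
From: jordan@example-freight.test
To: lisa@example-freight.test
Cc: Thad <thad@example-freight.test>
Subject: Archive labelling plan
msip_labels: MSIP_Label_{GUID}_Name=Internal

Plan for relabelling the on-premises archives.
"""

UNLABELLED_TO_PARTNER = """\
From: jordan@example-freight.test
To: ops@shipping-partner.test
Subject: Contacts

Old-style message with no label; the policy cannot see what it contains.
"""


def run_samples() -> List[Decision]:
    return [evaluate(m, INTERNAL_DOMAINS)
            for m in (LABELLED_TO_PARTNER, LABELLED_INTERNAL_ONLY, UNLABELLED_TO_PARTNER)]


if __name__ == "__main__":
    for d in run_samples():
        print(d.audit)
```

The third message shows the limit of header-based enforcement: an unlabelled message to a partner is delivered, because the policy can only act on labels that exist. That is why Jordan’s relabelling of the old archives matters as much as the mail rule itself, and why the check is usually paired with content inspection for mail that carries no label.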
05. Improve security management with threat intelligence
Given the velocity, volume and variety of threat vectors, IT and security operations often need to make trade-offs between maintaining productivity and locking down environments to secure them. AI helps organisations to reduce attack surfaces and assess the impact of individual controls without having to shut everything down. For example, the Attack Surface Reduction (ASR) rules in Microsoft Defender ATP use machine learning insights to reduce the total attackable surface area of an endpoint; each rule can be run in audit mode first, so its impact on real workloads is visible before it is switched to block. Interoperation with the Intelligent Security Graph means that ASR can make adaptive decisions based on dynamic evaluation of threats.
Lisa holds an impromptu stand-up meeting with Jordan and Thad. Thad wants to use the momentum of recent threats to actively reduce the company’s exposure to a variety of attack types, while Jordan is concerned about the disruptive impact that overhauling environments will have on regular workflows. Lisa asks them to take a look at the Attack Surface Reduction capabilities in Microsoft Defender ATP.

Thad and Jordan set up a plan to enable device-based conditional access, hardware-based isolation for Microsoft Edge and zero-day exploit mitigations, as well as AI-specific capabilities. With ASR, they’ll be able to find and safely disable a range of functionality that would very rarely be used in business, but that could be used for malicious purposes.
06. Strengthening security in app development
Developing and stress-testing new apps and features is a highly vulnerable time for an enterprise. Automated services and intelligent policies help developers and admins to perform risk assessments on the software that they build or buy, including open-source applications. Making app development more secure demands AI that works on applications hosted on-premises or in any cloud. Once a risk is found in an application during use or development, the entire security platform should work together to isolate and monitor the application.
Microsoft Security Risk Detection, a cloud-based fuzzing service, is a good example in this category. It’s an intelligent service for finding the sort of security bugs that can bring down a business, and it covers Windows, Linux and web applications. Exploit Guard draws on the machine learning models and artificial intelligence power of the Microsoft Intelligent Security Graph to identify vulnerabilities and threats. Windows Sandbox features in Windows 10 give IT admins a way to mitigate risk from vulnerable applications during development and debugging.
Morgan meets with a Seattle vendor that builds and supports custom web applications for the freight company. She presents expectations for the upcoming project, including the use of AI-enhanced security capabilities and risk assessments to protect builds and environments.
After the meeting, Morgan checks in with her team in L.A. She’s pleased to hear that the morning’s issues are resolved and they’ve received reports from Microsoft Threat Experts identifying the most important risks, as well as additional details on the scope of the attacks. Lisa also gives a heads-up that some executives want to install a ‘smart’ video-conferencing system and will be requesting a meeting. This may have security implications, so Morgan makes a note to adapt her security presentation for this scenario.

On the return flight, Morgan flips through her security presentation. She thinks about how cloud-based AI capabilities in their Windows 10 deployment transformed her small team’s response to contemporaneous threat events and enabled them to efficiently defend the company’s global digital estate. She thinks about how AI insights came up in every conversation and were featured in every decision made over the entire day. She realises that levelling up security strategy for AI transformation is now Job 1.
07. Facing the future of security: AI is critical and CISOs are not alone
© 2019 Microsoft Corporation. All rights reserved. This document is provided ‘as is’. Information and views expressed in this document, including
URL and other Internet website references, may change without notice. You bear the risk of using it. This document does not provide you with any
legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.