Security Copilot: AI in endpoint management

In recent years, artificial intelligence (AI) has gained prominence in the technology landscape, profoundly influencing how companies operate and innovate; in fact, according to Goldman Sachs Research, it is expected that by 2033 the contribution of AI could lead to an increase in global PIL of 7%; this data clearly demonstrates what the impact of artificial intelligence on global economic growth is and will be.

Furthermore, from an analysis conducted by Forbes, by 2026 it is estimated that over 80% of companies will use Generative AI technologies and/or deploy applications based on algorithms powered by LLM (Large Language Model) systems.
Among these companies, Microsoft certainly cannot be missing which, from this point of view, has made an enormous step forward with the introduction of Copilot in the various technological areas indicated below:

• Microsoft 365 Copilot: Productivity tool designed to integrate with Microsoft 365 by integrating business data with Microsoft Graph and Microsoft 365 apps and services.
• Microsoft Copilot for Azure: facilitates interaction with the user, answering questions, generating queries and executing tasks. Additionally, Copilot for Azure provides personalized, quality recommendations while respecting your organization’s policies and privacy.
• Microsoft Copilot for Sales: application dedicated to the sales experience that uses Microsoft 365 and Microsoft Teams to capture data, access it and automatically record it in a CRM system; enriching insights sets with Microsoft 365 customer engagement data and the power of AI. Copilot for Sales provides salespeople with sales insights that help them understand their customers more quickly to close deals.
• Microsoft Copilot for Service: allows you to create virtual assistants for agents that increase agent productivity and improve customer satisfaction; Using Copilot in this scenario provides real-time responses based on the source of the data provided, which may include websites, SharePoint, files, etc…
• Microsoft Copilot Studio: Provides a graphical development environment for creating generative AI copilots, enabling the creation of sophisticated dialogues and the use of plug-ins, process automation, and pre-built analytics capabilities that work with AI tools Microsoft Conversational.
• Microsoft Security Copilot: is an advanced AI solution designed to improve the capabilities of IT administrators on various areas such as incident response and threat hunting.

Overview

Previously, we talked about the adoption of artificial intelligence in companies, based on various studies and reports; now, to better understand how Copilot works, it is necessary to be clear about some key aspects and terms related to the solution.

What are Large Language Models (LLM)?

Large Language Models, such as OpenAI GPT (GPT-3.5, GPT-4, etc…), Google PaLM and Gemini, are advanced artificial intelligence algorithms capable of understanding and generating text; are artificial neural networks typically built with a transformer-based architecture.
Initially the text is divided into “tokens” (word, character, or a series of characters) in order to allow the model to be able to process the information present. Subsequently, the neural networks predict the next token to define a text sequence. During training operations, the model is thus exposed to large amounts of text and learns to generate predictions based on the context provided by previous tokens.

Based on the above, it is necessary to consider that the LLMs are “black boxes” therefore it is not possible to determine on which data base the model was trained. Consequently, they have generalist knowledge with non-contextualised information on their own company environment; in case you want to use artificial intelligence within business applications, you need to give these models domain knowledge.

What is Retrieval Augmented Generation (RAG)?

To allow LLMs to recover domain knowledge (with consequent elimination of the limits reported previously) it is possible to exploit Retrieval Augmented Generation (RAG): this tool allows LLMs to be enabled to interact with private data (present in a Content Store) which are not part of the dataset that was used to train the model itself.

When a prompt is entered, it is supplemented with additional information such as:

• Grounding data: is the private data that has been found relevant to satisfy the user’s prompt; this information, in the case of Copilot, is retrieved by querying the tenant using the Microsoft Graph solution.
• Chat history: the chat history is maintained so as not to have to repeat the context of the message every time.
• System prompt: it is a prompt that allows you to guide the RAG in providing answers consistent with the desired scenario; in the case of Copilot, being a work tool, a system prompt is used that allows responses to be provided that are as consistent as possible with the business scenario. The system prompt is useful to prevent as much as possible one of the most common problems of LLMs, which is that of hallucinations: hallucinations are nothing more than correct answers from a semantic point of view but the content appears to be totally invented.

What is Microsoft Graph?

Microsoft Graph allows you to take advantage of a unified and protected API to connect to your private data found in the various Microsoft 365 services; in this regard, this service allows you to integrate any output from the LLM with information strictly linked to your tenant.

Security Copilot and Microsoft Intune

As previously reported, Security Copilot is an advanced AI solution designed to improve IT administrators’ capabilities across various areas such as incident response and threat hunting.

If you use Microsoft Intune as an endpoint management tool in the same tenant as Security Copilot, you can query Security Copilot for more information about managed devices and existing configurations.
Microsoft Intune integration with Security Copilot gives IT professionals a powerful tool to improve security and device management within their organizations. Through the use of data-driven insights and advanced capabilities, organizations can gain a clearer, more detailed view of their IT infrastructure and security posture.
Security Copilot therefore allows you to view detailed information about your environment in the context of device management, such as:

• Devices
  • Total number of registered devices
  • Number of devices registered in the last 24 hours
  • Operating system version of the various devices
  • Hardware details related to the device

• Configuration Profile
  • Creation of new Configuration Profiles
  • Details linked to a specific Configuration Profile
  • Which policy conveys a certain setting
  • Differences/similarities between two different Configuration Profiles

• Compliance Policy
  • Details linked to a specific Compliance Policy
  • Differences/similarities between two different Compliance Policies
• Applications
  • Number of applications deployed by Microsoft Intune
  • Groups to which a specific app is assigned
  • Number of apps assigned to a specific device

Privacy and data sharing

Data protection is one of Microsoft’s main priorities, which implements in-depth controls to safeguard companies’ information, ensuring that data management is in line with the companies’ standards in terms of privacy; The interaction between Security Copilot and Microsoft Intune means that the AI service extracts the necessary information directly from Intune, while managing the prompts, the data retrieved and the results obtained.

Before addressing the issue related to data privacy, a premise regarding the services used in the integration between Copilot and all the solutions integrated with it is appropriate: the OpenAI models used (GPT 3.5 – GPT 4) are hosted directly on Azure, on a service called Azure OpenAI. Through this solution, Microsoft is able to ensure that no services external to its cloud are used, consequently, you have full control over the security, privacy and regulatory policies of these services.

Following what is indicated above, Microsoft’s policies on this topic are very clear as there are implications on the company data processed: all information is not shared with OpenAI, used for commercial purposes, shared with third parties, but above all it is not used to re-train the models.

Security Copilot also provides preferential interaction with the data centers closest to the user’s region, with the possibility, during peaks of use, to exploit the capacity of data centers located in other regions, while ensuring that the data is not never transferred outside the region of origin. Data management follows specific geographical criteria: for organizations with data in the United States, processing takes place exclusively in the United States, while for companies with data in other regions, processing can take place in the United States, the United Kingdom or the European Union. European, depending on available capacities.

In particular, Microsoft has implemented additional measures to ensure data compliance in European Union countries: through the EU Data Boundary data residency solution, companies will have the ability to process and store data within the EU for all Microsoft cloud services such as Microsoft 365, Azure, etc…
Regarding Copilot, this solution allows EU traffic to be processed by the Azure OpenAI service in the United States, but with a firm guarantee that no customer data is stored outside the European Union, thus enabling regulatory compliance premises in terms of privacy.

References

Here are some useful references to official documentation:

• What is Microsoft Security Copilot?
• Microsoft Security Copilot prompting tips
• What is the EU Data Boundary
• Data, privacy, and security for Azure OpenAI Service

Conclusions

Artificial intelligence, with particular reference to Large Language Models (LLM) such as GPT-3.5 and GPT-4, is revolutionizing business practices; Retrieval Augmented Generation (RAG) is a key technology to overcome the limitations of these LLMs, allowing them to interact with private data.
Microsoft, with the introduction of Copilot, offers advanced solutions to further improve productivity, security and data management, while ensuring maximum protection and regulatory compliance in terms of data privacy.