The Future of Security with AI | KEY03H
[Music] please welcome Charlie Bell and Basu Jak [Applause] [Music] call well it's great to be here and um I'm uh super excited with what we're about to talk about yeah good morning everyone I hope you've had your coffee and tea and well hydrated it's great to be here with you all and Charlie and I are excited to talk about about security and what we up to here at Microsoft you know I've been in this industry for more than 40 years uh I joined Microsoft two years ago in my prior role running a large public Cloud it was very clear that the cyber security problem was growing at an alarming rate and it's very difficult for customers to deal with this incredible challenge we don't have to look further than today's headlines to see the impact from ransomware Espionage and even the use of cyber as a weapon in War what the headlines make clear is that there's an Ever growing sophistication in the anti-economy of cyber crime every day cyber criminals are launching sophisticated and targeted attacks on organizations and individuals exploiting vulnerabilities in systems networks and devices not too long ago we saw the exposure of an HR department in one of the Cyber criminal organizations for God's sake they even had an employee of the month ransomware has truly become a gig economy that is so true Charlie this whole anti-economy and the speed the scale the sophistication of these attacks has really become exponential we're seeing 10x the increase in password related attacks growing from 3 billion to 30 billion in the same time frame year over year and along with the number of attacks the number of attackers is also growing really fast Microsoft Is Now tracking 300 plus significant actors across Financial crime and nation state that's up from 200 just last year and the consequences of these attacks can be devastating and if that was not daunting enough we are also facing unprecedented complexity today on average organizations use 80 security tools yes 80 now talk about fragmentation and not only that they're expected to stitch these tools together they're expected to make sure that the data and the Insight flow seamlessly from one tool to the other and they all work effectively and they have to do that while there's a massive glob Global Talent shortage we have 3.4 million jobs worldwide unfulfilled in security and with the dawn of AI nearly one out of three Business Leaders are worried about the data loss due to improper use of AI the odds Charlie are definitely not in the favor of Defenders right now now you're right V Sue um globally the cost of the cyber crime anti-economy is expected to reach over8 trillion doar to put this in perspective if the drag on the world's gdps through cyber crime were itself a world economy it'd be ranked number three behind the US and China and the cyber crime anti-economy is growing far faster than the fastest growing economy in the top 20 that's India think about that for a moment cyber crime as the third largest economy and the fastest growing economy it's mind-boggling the speed the scale the sophistication of these attacks tax combined with the security Talent shortage and the operational complexity that we all are dealing with are giving attackers an asymmetric advantage over defenders today attackers only have to be right once but we Defenders have to be right 100% of the time no wonder cyber security is one of the most pressing challenges of our time and this requires a paradigm shift there's no question that Microsoft is the leader in this shift we bring together three critical advantages that exist nowhere else large scale data threat intelligence the most complete end to-end protection and industry-leading responsible Ai and these three advantages really power a flywheel of innovation as security becomes more connected through Cloud greater visibility spins the signal processing power part of the flywheel which in turn generates insights leading to better threat protection from threat protection we drive better detections which give us a deeper understanding of proactive actions we can take in the administration of our security posture and this Crees greater safety which attracts more Cloud adoption this flywheel has been spinning for a while but now has the turbocharge of AI rotating it from the center at machine speed and we all becoming safer and safer so shall we talk more about the flywheel Charlie for sure let's take let's take a look at each of these sections of the flywheel the three advantages and let's start with signals now signals matter deeply because you cannot protect what you cannot see the large scale data Advantage is what Microsoft security brings to the table we bring the inside light of 65 trillion signals every single day and these help us understand exactly what the attackers are doing and it helps Empower you to protect yourself against these attacks now we coupled that with the expertise of global threat intelligence and the Insight of attack behaviors from more than a million customers and over 15,000 Partners the next section of the flywheel our next Advantage is end to end protection to protect your digital estate your organization comprehensively you need to secure everything you need to secure your data your identities your apps Cloud infrastructure and so on and on else is like locking a door with six locks and having your windows open that's not great so Microsoft security helps you protect your environment from every angle security compliance identity management and privacy integrating 50 categories to form one end to end Microsoft security cloud composed of six product families Defender and Sentinel are threat protection family and Cloud Security Solutions bvw and priva are data security compliance and privacy Solutions enter and in tune our identity and access Solutions and these products together form a flywheel of protection where each one Builds on and strengthens the other and that you pointed out we've made a ton of progress on end to end protection but with generative AI we can take a giant step forward one so large that we'll finally tip the scales in the favor of Defenders we can now harness everything we see and everything we own with AI expertise that transcends the knowledge that any one individual could amass as you heard from SAA yesterday Microsoft has been Allin on AI for a very long time and is a leader in bringing generative AI to organizations worldwide we understand the full stack both what is required to create AI applications and operate them safely and securely at scale by the way I'm sure you're going to hear a lot of noise from Legacy security vendors who will be AI washing their current products I do expect that this will be largely chat applications but Microsoft security co-pilot is much more than that we started with the most advanced AI model from open AI which today is GP 4 but will be constantly improved we then add a Microsoft developed security specific model constantly revised Dynamic threat intelligence an Ever growing library of cyber skills and prompt books all running on Microsoft's secure and reliable AI infrastructure in general chat apps handle your request by making a single call to a large language model we call that an inference typically one request results in one inference for for security we make up to a dozen inferences or even sometimes more to handle the breadth of data the complexity of the data and to make sure we answer accurately and with an answer that's well grounded security co-pilot isn't just summarizing a prompt it's reasoning over multiple data sources to do at machine speed what would take hours for a human to do you heard from Saia how Microsoft is announcing more than 100 updates today across the entire staff we introduced security co-pilot last March and today I can't wait to show you how we're bringing those AI capabilities into every part of our security portfolio super super exciting isn't it but before we get to these announcements for those of you who may be new to security co-pilot our new generative AI solution purpose built for security let me take a moment to do a brief introduction security co-pilot as Charlie said is the first and only generative AI security product that builds upon the very latest models of gp4 AI to defend organizations at machine speed and scale which is really important it's continuously learning from Microsoft's unmatched Global threat intelligence are security data and the security skills usage to deliver users tailored insights for the organization to harden their defenses and enable much much faster response with security co-pilot you can ask natural language questions to quickly and easily understand what's happening in your environment you can ask security co-pilot anything about security from what incidents you should focus on what is the impact your organization and most importantly what to do about it it will recommend next steps so cool that Su look I got to tell everybody I've been in this industry for a while I lived through many disruptive changes in technology I am so proud of the Microsoft security engineering team who've innovated around this new capability of artificial intelligence I mean what the team has done building this technology is frankly astounding uh the teams of Security Professionals in Microsoft deal with attacks every day they defend our customers they defend Microsoft and now they brought to life security co-pilot to help it and Security Professionals supercharge their skills collaborate better and catch attacks that may be missed due to Tool fragmentation and talent shortages these are really important things for us to solve and we are innovating rapidly to integrate co-pilot into all of our security and compliance experiences as well as expanding our end-to-end capabilities because we want you to have the best and to show you how we're empowering each of these important roles as part of our unique comprehensive approach to security we will take you through an imaginary threat let's start with security operations the team that uses Defender and Sentinel daily to analyze and investigate incidents okay let's get there this is a typical fishing email that many of us have seen b have you ever seen one of those tricky emails that uh Brett uses to test us all I I believe I have Charlie Brett aiso he's trained us well not to click on any links a single click can result in any type of compromise from identity theft to malware injections to network intrusions if our user Jonathan from sales is compromised that could give attackers access to sensitive customer and financial data every suspicious activity every click on fishing email creates a flurry of alerts for the security operations team they have to triage hundreds of alerts per day alert fatigue can result in undetected threats that fly low and slow under the radar the problem is often multiplied because alerts are spread across a bunch of different security tools from Identity and access management to email security to endpoint management to Cloud security and so on for decades security operations teams have been dealing with siloed security tools yes and to add to that in recent years we have seen the rise of these threats and as a result we're seeing the rise of extended detection and response or xdr to consolidate some of these signals and there's security information and event management or Sim Solutions which aggregate these security signals from other sources both really important and in many organizations xdr and Sim are the two main tools that the security operations team use but wouldn't it be wonderful if we could bring them together and I'm thrilled to announce that we are bringing together Microsoft's xdr solution Defender and Microsoft Sim Solutions Sentinel to create the industry's first unified security operations platform we're taking the industry from a world of many to a world of one breaking down these silos and we're bringing the power of Microsoft security co-pilot to bear so Defenders can have a generative AI companion their co-pilot with security specific skills shell repo is now going to come out and show us how this all works now shered has a deep history as a Defender she has led red teams she has led threat researchers these are people who are on the front lines of security and in many ways they are your first line of defense for the world so let's bring shared over shared so every second counts when it comes to an active incident analysts and security operations centers are always always working to reduce their meantime to respond to help them we've reimagined security operations with a streamlined workflow that delivers the best of Microsoft Steam and xdr capabilities enriched with more AI more Automation and more guidance this is what that looks like all the highlights and capabilities from your seam xdr and security co-pilot are right here so I have one view of all the ACT active incidents across all of my tools alongside threat intelligence so I can get the threat and tell that I need quickly and I have one unified list of incidents to work from spanning seam and xdr now if you're a security analyst you know this is gold if you are not a security analyst let me tell you this is gold each incident combines alerts from seam xdr and Cloud protection into a comprehensive package that gives a full view of how an attacker moves across an organization this means more meaningful insights brought to the analyst automatically so let's look at this incident at the Top This is a financial process manipulation on sap so Microsoft Sentinel has a fantastic solution for protecting sap out of the box monitoring no manual playbooks to run this is new we're bringing sap events collected by Microsoft Sentinel together with Microsoft Defender xdr which has automatic attack disruption capabilities so what we get is aack disruption that extends to sap so what this means is that my threat was stopped even before it turned into an attack that was never possible before so Jonathan the user that Charlie just told us about seems to be at the center of this attack but it was stopped on two levels first his SAP account was locked to keep the thread actor from taking actions like redirecting payments to themselves second his act of directory account was locked to keep the thread actor from using it to access anything else in the organization security practitioners will call that lateral movement it can be really dangerous this was done all automatically for me the power of seam and xdr together you get more automation more confidence and ultimately a more secure organization and I have the power of co-pilot built in co-pilot guides me through the investigation helping me catch what others Miss for first it analyzes the incident provides me with a detailed description and it looks like Jonathan our user clicked on a malicious URL in a fishing email his sap credentials were stolen but now attack disruption has already done its work so this specific threat was contained however co-pilot knows that thread actors often launch multiple attacks and it's important to hunt for additional damage from this particular threat actor co-pilot has a skill to identify attackers from IP addresses so it matches the IP address for this incident to the cyber crime group tracked as storm 0928 but it doesn't stop there co-pilot then builds a hunting query in natural language to find any more damage caused by storm 0928 and it automatically prompts me to run it I will take that suggestion and co-pilot finds an additional PC that was attacked and now I can add that into the incident so this unified platform makes it super easy to manage my operations I'm not doing any copying and pasting between tools I don't need to keep of keep track of anything in my head I don't even need to write a query using a query language like kql co-pilot figures it all out it guides me through the process and in a recent study we did to measure the productivity impact for early and career analysts participants using co-pilot demonstrated 44% more accurate responses and they were 26% faster so here I see a script was downloaded to the device and it's important to understand what that script actually did so I can be on the lookout for any other potential impacts from this thread actor understanding militia scripts is an advanced skill set but not a problem co-pilot does this analysis for me it gives me an easy to understand description of what this script did so it's helping me get better at my skills so we go back into the incident co-pilot guides me to remediate the issue get Jonathan's account back to a clean State and from there I run my remediation Playbook to revive Jonathan's account when I'm done co-pilot resol resolves all the related alerts it gives me a comprehensive incident report incident reports used to take hours to write they always seemed like something was left out but remember a minute ago when I said every second counts during an investigation well as all of you know every brain cell counts too with this unified sock platform and built co-pilot it's not just about saving a few clicks here and there it's about reducing the mental burden for analysts so that they can do their best and most creative work we want them to be able to make an impact to the overall security Community remember security is a team sport well thank you shared that was awesome such a game changer for security operators super cool that was awesome and I just love love love Charlie how co-pilot and how our tools are helping analysts really expand their skill sets well now the job is not done when we complete this investigation imagine our user Jonathan who is the center of that incident has his account restored and gets back to work but he's asked to present a second factor of authentication when he logs in he thinks that's a little funky and he's a little sensitive after being fished so he puts in a help T ticket by the way you guys should all cheer that because you want your people to file help Des tickets right and that ticket is now routed to the it admin responsible for managing identity and access they use entra Microsoft's multicloud identity and access solution that allows you to protect any identity and provide secure access to any resource think about that any resource that's a really big scope so things start getting complex really fast but I have great news for all of you especially all our identity admins we are embedding co-pilot in entra to help simplify and speed up your work and to share more about this let's welcome Scott Woodgate who's been working on security products for a long time and Is Awesome on state Scott there you now troubleshooting user access issues quickly is instrumental to ensuring that users are productive but sorting through lots of logs can be difficult let's see how co-pilot and intra simplify the complex for better identity access now here in intra I asked co-pilot in natural language to explain why Jonathan was forced to use MFA co-pilot figures out what is happening why it's happening and what I should do about it and it brings me the answer in natural language with all those important details I need to solve the problem like policy information and signin data then co-pilot recommends that I explore failed signin that happened in the last 24 hours now most likely that's related to risky users it used to take me a long time to figure that step out but co-pilot can do that for me too and so now I can fix user issues before they become a problem with entra and co-pilot I can get users what they need faster than ever before but Scott I love how co-pilot applies identity specific skills to suggest the next step there so it's not just really saving you time it's helping you C something that you may have missed and that is a big deal because up till now go pilot has been focused on helping security operations helping teams do incident investigation we are expanding it to help identity admins do their work but let's keep going because we are now looking at that next thing on how can it help device admins do their work so that's exciting yeah that's another really critical member of the team the it admin who manages devices enforcing the right policies on your endpoints can eliminate whole categories of threats to keep you compliant imagine the team is concerned about that fishing campaign we saw and the we've been looking at and they decide they want to add some protection with stronger device management policies they need to make sure they aren't going to disrupt everyone else in the company well we are so excited that we are making co-pilot available to device admins by embedding it in in tune so Scott will you show us how that works of course are there any device admins in the audience device management policies are so important of course for both governance and security but understanding the impact of these changes on existing environments can frankly take it or device administrators hours and result in misconfiguration let's see how co-pilot and InTune simplify the complex for better device management now here in InTune I asked co-pilot in natural language to create a new policy to block users using these guys removable drives co-pilot guides me right to the removable drive storage policy but here's where it gets really interesting co-pilot runs what if analysis pulling data from multiple sources to understand the current uses of the policy and the impact on my organization of turning this on more broadly so that I can address potential issues up front how cool is that so let's look at an example here co-pilot figured out a previous admin had deployed an override policy to enable removable storage for the marketing division uh which of course conflicts with my new policy so I can now get together with the marketing team and figure that out and keep my users productive so with co-piloted in tune I can roll out policy changes with more confidence than ever before well that's awesome that's really really cool having that impact analysis before you roll out a new policy is almost like being able to to see into the future and talking about seeing into the future let's talk about perview and go pilot yeah there's one more potential consequence of that fishing campaign imagine what would happen if we didn't have attack disruption so the attack wasn't stopped and the attacker was able to use stolen credentials to access customer data now we got to do a data loss investigation you know everyone in the organization needs access to data and it's scattered everywhere for many organizations that includes multiple clouds data loss investigations can be super complex and that's why we are embedding co-pilot in Microsoft perview our data security and compliance solution to make it easier than ever to protect your data so Scott let's take a look at that all right PIV let's go data security is critical and teams need to quickly understand and of course resolve high priority alerts let's see how co-pilot and perview can catch what others Miss for better data security now here we have many high priority data loss prevention alerts and I need to understand this specific alert about an Excel file that contains customer data let's see how co-pilot can help us co-pilot figures it out for me and uses its skills to bring together information from multiple sources including things like credit card information and also user Insider risk levels now while I'm here let me show you two more compliance scenarios where co-pilot can help very briefly here you can see co-pilot helps me quickly address Insider risks bringing me the details that I need and here co-pilot actually quickly evaluates a meeting transcript and it finds policy in violations in this case stock manipulation all for me with perview and security Cod co-pilot I can diagnose data security and compliance OTS faster than ever before thank you so much Scott that was awesome you're awesome thank you so what you just seeing is how we're taking co-pilot and putting it in the hands of both security and it professionals to help you do your work from identity management to device management to data management co-pilot is here to help you figure out what's happening and how to fix it and what you got to do next in addition we are expanding our endtoend security capabilities with Investments across the whole portfolio now there's so many of these and we wanted to share some of the big ones with you right now everything we do in security we do it with an eye toward protection for your entire digital estate all your clouds and all your platforms forms as such we're extending perview data security capabilities to cover your data structured and unstructured no matter whether it lives in the Microsoft cloud or on another Cloud yeah continuing the multicloud theme in Microsoft Defender we're investing to give you all the security controls and insights you need to keep your systems protected from the first line of code to operating in the cloud any cloud and in Microsoft entra we're expanding the capabilities of our internet access and private access products these you may remember are the security service Ed solution we announced earlier this year and in in tune we're introducing new solutions for advanced device management analytics to help you manage pki and Enterprise applications you know Charlie there's no better way to show the power of our endtoend security portfolio than to hear it directly from customers who are using it so we are so thrilled to hear from wtw how they are using the Microsoft security portfolio let's take a [Music] look wtw is a global Business Services organization which looks at risk mitigation and risk strategies we are protecting a lot of personal information our clients expect us to monitor protect and secure their data we have 55,000 workstations we have about 17,000 workloads operating as infrastructure service but we also have platforms of service capabilities also running on a z wdw technology has been going through significant transformation exercise over the last couple of years so much so that we've moved the majority of our technology estate into to Microsoft iser greater than 90% of our applications are all running in the Microsoft cloud estate wtw's technology strategy and security strategy is very much moving towards zero trust and from from an identity management perspective the Microsoft enter ID Suite of tools is how we are going to manage identities going forward our security tooling is really based around um the Microsoft Defenders on both workstation and cloud and we feed that into Microsoft Sentinel as our Sim of choice as we migrated into the defender and Microsoft Sentinel ecosystem away from our Legacy tool sets working with our partner we were very conscious of the amount of data that we were storing and processing and we changed the profile of data going into our seam from almost 15 terabyt a day to Less Than 3 terabyt a day which completely changed the cost profile of processing our security data if you look at the ecosystem which is the monitoring and Telemetry ecosystem we' saved the order of magnitude $56 million a year so Microsoft security co-pilot I envisage as being a change accelerator it's going to allow me to really change the metrics on how I measure my security operations one of the real advantages that we get from the Microsoft security co-pilot is the ability to do threat hunting at pace which means that I'm able to reduce my meantime to investigate and the quicker I can do that the better my security posture will become we are embedding security practices and principles within everything we do and that for me is Success because if I can get the whole organization thinking that they need to think securely and they need to protect data then actually we've won the [Music] battle well I hope you enjoyed that we are so grateful to wtw for being part of our journey now that we've seen how generative AI is supercharging your work and it let's take a look at how we secure and govern the use of AI across our organizations we talked a lot about how we use gen to do security but you'll use gen across many facets of your work in life to help you innovate confidently using geni we have to ensure that security is built into the foundations as you develop new Genai capabilities um and you have the security tools to protect them as Scott shared in his keynote Microsoft's responsible AI framework ensures that we are building deploying and using AI with safety security and privacy at the center in addition to the work we are doing on responsible AI we also have to make sure that we are building foundational Technologies and we are really looking around the corners this is the secure future initiative that we recently announced it's not just about threats we see right now but anticipating the future threats and building the security we need today to prevent those attacks tomorrow the first part of this is that we're transforming the way we build software and making sure that we build securely in as it's just built into the process it's a dynamic secure develop vment life cycle as you know we launched a secure development life cycle 20 years ago and now we're evolving it for the new age of AI we're also strengthening identity protection and we're setting a new standard for the speed at which we address vulnerabilities as I said in the beginning attackers are moving much more quickly and our ability to move even more quickly than they do is critical in addition to the security at the heart of our product development we're also investing in tools and guidance to to help you manage AI specific risks and build AI applications securely and we at Microsoft uniquely enable you all to securely govern AI including Microsoft co-pilot and thirdparty generative AI with new capabilities across our security product portfolio we're excited to share all this with you today as organizations worldwide adopt generative AI in their work work their security teams are in a unique position as they must decide which apps are best for their users as well as the protections needed to keep their data safe this is a broad spectrum of generative AI applications and they need different protections based on the risk these pose for example some apps might not meet your security standards and you may need to limit the use of those apps for others you might need some controls to enable organization-wide adoption you need to understand your use of AI protect the data it uses or creates and govern the way it is is used so let's start with understanding the use of generative AI so critical for us today because we are all using it yesterday we announced that Defender for cloud apps has extended its Rich Discovery capabilities to over 400 generative AI apps so now defend of for cloud apps lets you see all the AI apps news understand the associated risk with it and you can approve or block the use of an app and the new AI Hub in Microsoft purview gives you your security team valuable insights into AI activity including an aggregated view of the sensitive data flowing into Ai and the number of users interacting with AI That's for both co-pilot for Microsoft 365 and other commonly used consumer AI tools so perview and Defender together help you understand your use of Microsoft mic Microsoft go pilot as well as non-microsoft AI right Vu next you need to think about how you protect the data that AI accesses and creates in Microsoft purview we continue to strengthen AI specific capabilities to do just that purviews protection capabilities are built into co-pilot for Microsoft 365 the output of co-pilot inherits the same sensitivity labels as the files that were referenced when you draft with co-pilot and similarly in co-pilot chat the conversation also inherits the label that's great Charlie and last let's dive into how we govern what users do with AI in perview we are also providing compliance controls for co-pilot so that you can easily comply with business or regulatory requirements as an example you can detect policy violations and compliance comp in communication compliance for co-pilot prompts and responses these are just a few examples and this is just the start we at Microsoft security are deeply committed to helping you protect your data no matter where it lives or travels including your AI data as you heard from us today AI is changing our world forever and is empowering us to achieve the impossible to elevate the human potential we are thrilled to use generative AI for security and to provide security for AI these Innovations will Usher in a new era that finally dips the scale in favor of Defenders security is the most defining challenge in our world today it's the number one priority for organizations and perhaps we have one of the most consequential Technologies on our hands in AI which is going to change the future but we're at the very beginning and it's going to take a village to build it to use it and to support it Microsoft is privileged to be a leader in this effort and committed to a vision of security for all now more than ever let's secure the world together thank you all for what you do and thank you for being here thank you we help people connect all over the UK through our you of telephone services Broadband gaming TV Etc BT group operates in over 170 countries worldwide Our Brands are BT e plusnet and open reach e is the country's leading mobile provider my role as Enterprise Arctic is looking where the industry is going and to separate what's going on today with what's needed in the future we recognized very early on that different businesses had their own way of auth things inating and it became quite confusing we needed to simplify how our mobile e customers interacted with us the key challenge that we've had is to try and build something that's reusable something that's common something that can be adopted by every line of business yet provide worldclass security modern authentication standards using open industry standards and having a clear path towards distributed identity verified identities we've enabled that by creating a framework we call it the Le authentication framework saf for sure this is a common Suite of capabilities that we can use across any line of business but provides a consistent set of experiences and services around authentication that serve both business and consumer saf is 100% Azure it's Cloud first Cloud native built on entra ID external identities using Azure functions using Sentinel as our security incident and event monitoring solution we're now able to get so much Telemetry out of our user behavior on what's going on both good and bad that it enables us to work in real time in actually trying to solve those situations where we might see an attack of some sort we're able to see those alerts and monitor them and react faster than we've ever done before this year we did the Champions League final and the Europa League final using ENT ID we processed over a million IDs in about 4 minutes and it just worked brilliantly just proves how Cloud first Cloud native scales exactly the way we want it to we had Microsoft people on standby but there wasn't much to do it just works it is secure and it enables our customers to get to where they want to go with this little friction as possible making sure we get things right and connect for good means actually protecting customer data for [Music] good all
2023-11-29 16:51