AI Under Attack: Building Zero Trust Security with Microsoft Copilot, Azure & Microsoft 365 - Mourtaza Fazlehoussen [MVP]
![AI Under Attack: Building Zero Trust Security with Microsoft Copilot, Azure & Microsoft 365 - Mourtaza Fazlehoussen [MVP] AI Under Attack: Building Zero Trust Security with Microsoft Copilot, Azure & Microsoft 365 - Mourtaza Fazlehoussen [MVP]](https://metaimg.podpage.com/IAIr9F0oxOY07snsEK2O0jksHcgQkxOMvF87BG5HwXA/eyJoIjo2MzAsIm0iOiJibHVyIiwidSI6Imh0dHBzOi8vZDN3bzV3b2p2dXY3bC5jbG91ZGZyb250Lm5ldC90X3Jzc19pdHVuZXNfc3F1YXJlXzE0MDAvaW1hZ2VzLnNwcmVha2VyLmNvbS9vcmlnaW5hbC9kZDdlZGExMzAwZWFhY2I2YjA5Mjg3ZmZmYzVkMjA3ZS5qcGciLCJ1MiI6Imh0dHBzOi8vZDN3bzV3b2p2dXY3bC5jbG91ZGZyb250Lm5ldC90X3Jzc19pdHVuZXNfc3F1YXJlXzE0MDAvaW1hZ2VzLnNwcmVha2VyLmNvbS9vcmlnaW5hbC8wMzY5Y2E5OWQ1OWJiMjNjZDBmYTFhNWE0Mzg3NDI0My5qcGciLCJ3IjoxMjAwfQ.webp)
![AI Under Attack: Building Zero Trust Security with Microsoft Copilot, Azure & Microsoft 365 - Mourtaza Fazlehoussen [MVP] AI Under Attack: Building Zero Trust Security with Microsoft Copilot, Azure & Microsoft 365 - Mourtaza Fazlehoussen [MVP]](https://d3wo5wojvuv7l.cloudfront.net/t_rss_itunes_square_1400/images.spreaker.com/original/dd7eda1300eaacb6b09287fffc5d207e.jpg)
Artificial intelligence is transforming cybersecurity faster than any technology before it. But while AI helps defenders automate investigations and respond to incidents faster, it also gives cybercriminals powerful new capabilities. In this episode of the M365 Show, Microsoft MVP, CISO, technology evangelist, and international speaker Mourtaza Fazlehoussen joins Mirko Peters to discuss how organizations can embrace AI without increasing their security risks.
FROM CLASSIC CYBERSECURITY TO AI-POWERED DEFENSE
Mourtaza shares his journey from programming on MS-DOS systems and Microsoft technologies to leading enterprise security initiatives around the world. Drawing from decades of experience across Europe, Africa, and Asia, he explains how the cybersecurity landscape has evolved from protecting networks to defending identities, cloud platforms, AI workloads, and intelligent agents. The discussion highlights why security today requires continuous adaptation as attackers become increasingly sophisticated with AI-powered techniques.
WHY BUYING MORE SECURITY TOOLS DOESN'T MAKE YOU MORE SECURE
Many organizations continue investing heavily in cybersecurity products but still struggle to improve their overall security posture. Mourtaza explains why technology alone is never enough. Successful security depends on adoption, governance, integration, operational processes, executive support, and continuous monitoring. Without these elements, even the most advanced security platforms remain underutilized while employees create new risks through Shadow IT and Shadow AI.
AI HAS CHANGED THE ATTACKER'S PLAYBOOK
The conversation explores how generative AI has fundamentally changed phishing attacks, social engineering, and identity-based threats. Modern attackers no longer send emails filled with grammar mistakes. Instead, they use AI to create highly personalized campaigns based on publicly available information from platforms like LinkedIn. Mourtaza shares a fascinating real-world example of attackers compromising an organization through a malicious restaurant menu PDF after researching employee behavior.
MICROSOFT SECURITY COPILOT EXPLAINED
What exactly is Microsoft Security Copilot, and how does it differ from Microsoft 365 Copilot? Mourtaza explains that Microsoft Security Copilot is designed specifically for Security Operations Centers (SOC) and security analysts. Rather than replacing security professionals, it acts as an intelligent assistant capable of:
- Prioritizing security alerts
- Correlating incidents across Microsoft Defender, Sentinel, and Intune
- Generating investigation summaries
- Accelerating threat hunting
- Helping junior analysts perform at a much higher level
BUILDING AI GOVERNANCE BEFORE DEPLOYING AI
One of the central themes of this episode is AI Governance. Organizations cannot simply deploy AI assistants and hope everything remains secure. They need governance frameworks covering data classification, approved AI services, access control, responsible prompting, compliance requirements, and continuous monitoring. Mourtaza explains how Microsoft Purview, Azure AI Foundry, Microsoft Defender, Microsoft Entra ID, and Microsoft Security Copilot work together to establish responsible AI governance while supporting regulations such as the EU AI Act, GDPR, DORA, CRA, and NIS2.
ZERO TRUST IN THE AGE OF AI
Zero Trust remains one of Microsoft's core security principles—but AI expands its importance. The discussion covers why organizations must:
- Verify every identity
- Apply least privilege access
- Assume breach
- Secure AI agents like human identities
- Monitor prompts, data access, and AI behavior continuously
INSIDE A RANSOMWARE INCIDENT
Mourtaza walks through the critical first hour after discovering a ransomware attack. He explains the importance of rapid detection, containment, investigation, executive communication, evidence preservation, business continuity planning, and disaster recovery. Microsoft Security Copilot can significantly reduce investigation time by automatically correlating events and generating incident summaries, allowing security teams to focus on response rather than manual analysis.
KEY TAKEAWAYS
AI is changing cybersecurity for both defenders and attackers. Organizations must combine modern security technology with strong governance, identity protection, Zero Trust principles, and continuous monitoring. Microsoft Security Copilot is an incredibly powerful assistant—but it complements security professionals rather than replacing them. As Mourtaza concludes, governance is the foundation that enables organizations to innovate with AI while maintaining trust, compliance, and resilience.
Become a supporter of this podcast: https://www.spreaker.com/podcast/m365-fm-modern-work-security-and-productivity-with-microsoft-365--6704921/support.
🚀 Want to be part of m365.fm?
Then stop just listening… and start showing up.
👉 Connect with me on LinkedIn and let’s make something happen:
- 🎙️ Be a podcast guest and share your story
- 🎧 Host your own episode (yes, seriously)
- 💡 Pitch topics the community actually wants to hear
- 🌍 Build your personal brand in the Microsoft 365 space
This isn’t just a podcast — it’s a platform for people who take action.
🔥 Most people wait. The best ones don’t.
👉 Connect with me on LinkedIn and send me a message:
"I want in"
Let’s build something awesome 👊
00:00:00,000 --> 00:00:08,440
Yeah, welcome to another episode of the N365 show podcast where we explore the technologies,
2
00:00:08,440 --> 00:00:14,800
strategies and people shaping the future of the Microsoft 365 Azure security at I and
3
00:00:14,800 --> 00:00:16,120
modern world places.
4
00:00:16,120 --> 00:00:28,680
Today I'm joined by Wutasa, fails housing, Microsoft LDP, CISO, for chair I, dot com, technology
5
00:00:28,680 --> 00:00:33,280
evangelist and international speaker, which was also spend years helping organization build
6
00:00:33,280 --> 00:00:39,920
secure scalable cloud environments by navigating the rapidly changed landscape of a iPod
7
00:00:39,920 --> 00:00:45,840
cybersecurity as Microsoft co pilot, AI agent and intelligent automation become a part
8
00:00:45,840 --> 00:00:50,040
of everyday business security teams face and entry in new challenge.
9
00:00:50,040 --> 00:00:54,400
How do you embrace AI without introducing new risk?
10
00:00:54,400 --> 00:01:00,640
How do zero trust evolve in the age of AI and what role do Microsoft 365 Azure and Microsoft
11
00:01:00,640 --> 00:01:05,760
security play and protection the model enterprise today we will explore a eye governance co
12
00:01:05,760 --> 00:01:10,640
pilot security zero trust architecture identity protection cloud security and whatever
13
00:01:10,640 --> 00:01:15,480
I do show bow before deploying I I across their organization.
14
00:01:15,480 --> 00:01:18,000
Well, welcome to the show.
15
00:01:18,000 --> 00:01:20,080
Thank you so much, Mirko for inviting me.
16
00:01:20,080 --> 00:01:21,400
That's really nice.
17
00:01:21,400 --> 00:01:24,800
Yeah, thank you.
18
00:01:24,800 --> 00:01:29,760
Yeah, can you before we did that if can you tell us a little bit about you and your journey
19
00:01:29,760 --> 00:01:30,760
into cybersecurity?
20
00:01:30,760 --> 00:01:32,720
Yeah, yeah, sure.
21
00:01:32,720 --> 00:01:40,320
So, Mirko, basically I'm from, I'm an Indian, I'm an Indian origin, however, opponent brought
22
00:01:40,320 --> 00:01:47,840
up in Madagascar and in 1997, like, you know, I got my first computer that was gifted by
23
00:01:47,840 --> 00:01:49,440
my father.
24
00:01:49,440 --> 00:01:57,240
It was a 286 or 386 kind of a system like, you know, MS those 286, 386 and where I learned
25
00:01:57,240 --> 00:02:07,400
to do coding and my first I would say programming language is cobal and turbo Pascal, like, you
26
00:02:07,400 --> 00:02:16,480
know, and in those days, I had some like, you know, I was debugging the machine while doing
27
00:02:16,480 --> 00:02:22,040
programming, debugger, there was few debugger and then what we used to is like, you know, we
28
00:02:22,040 --> 00:02:31,480
used to debug the machine, I would say machine code, machine, what it is called, I think
29
00:02:31,480 --> 00:02:35,320
so the machine code itself, I think so.
30
00:02:35,320 --> 00:02:42,480
I'm not recollecting the exact name and very like, you know, you need to find the sequence
31
00:02:42,480 --> 00:02:48,040
of binary, the 0 and 1 and so forth and then like, you know, debug it accordingly.
32
00:02:48,040 --> 00:02:54,520
And from those days, like, you know, cyber security or even the, I would say the biggest
33
00:02:54,520 --> 00:03:03,360
subset of the IT security, I had kind of a initial, I would say, interest.
34
00:03:03,360 --> 00:03:10,120
And later on when I came to India, I went into, more into, I started my journey with more
35
00:03:10,120 --> 00:03:15,680
kind of a Microsoft technology with ESP.NET and digitalization, little topic.
36
00:03:15,680 --> 00:03:22,520
However, like, you know, since almost three to five years, I, like, you know, I deviated
37
00:03:22,520 --> 00:03:29,160
my role in my interest to IT security and so forth.
38
00:03:29,160 --> 00:03:31,160
Yeah, awesome.
39
00:03:31,160 --> 00:03:32,160
Yeah.
40
00:03:32,160 --> 00:03:38,760
And this is a really interesting journey and can you a little bit tell why you chose Microsoft
41
00:03:38,760 --> 00:03:41,200
security as primary focus?
42
00:03:41,200 --> 00:03:42,200
Yeah, sure.
43
00:03:42,200 --> 00:03:54,440
So, since the beginning, I'm oriented towards kind of a Microsoft technology, for example,
44
00:03:54,440 --> 00:04:03,720
I am holding an MCSC, like, you know, certification, which is, which comprise of seven papers at that
45
00:04:03,720 --> 00:04:05,200
time, that point of time.
46
00:04:05,200 --> 00:04:06,200
Oh.
47
00:04:06,200 --> 00:04:08,160
And very, like, you know, I think.
48
00:04:08,160 --> 00:04:14,760
So, I had also, like, you know, if you remember the, for father of the, the, the, the,
49
00:04:14,760 --> 00:04:20,760
the, the, the controller, which was Microsoft NT, I think so, the name, the full form, I'm
50
00:04:20,760 --> 00:04:28,560
not recollect, and it started with NT, Windows NT, which was a major release of Windows NT
51
00:04:28,560 --> 00:04:32,920
operating system developed by Microsoft again, those point of time.
52
00:04:32,920 --> 00:04:38,120
And that was in 1990, 60 family collecting.
53
00:04:38,120 --> 00:04:49,160
And since then, like, you know, since then I was in love with all, all technology related
54
00:04:49,160 --> 00:04:51,680
to Microsoft.
55
00:04:51,680 --> 00:04:58,200
As I said, like, you know, started with Windows NT, MS those 2636, 36, that point of time.
56
00:04:58,200 --> 00:05:04,240
And then when I came to India, like, you know, I, I, I, I did my MCSC paper.
57
00:05:04,240 --> 00:05:07,080
And then I got a job in semantic.
58
00:05:07,080 --> 00:05:08,640
And then, I got a job in semantic.
59
00:05:08,640 --> 00:05:11,640
And then, I got a job in semantic.
60
00:05:11,640 --> 00:05:13,640
And then, I got a job in semantic.
61
00:05:13,640 --> 00:05:14,640
And then, I got a job in semantic.
62
00:05:14,640 --> 00:05:15,640
And then, I got a job in semantic.
63
00:05:15,640 --> 00:05:16,640
And then, I got a job in semantic.
64
00:05:16,640 --> 00:05:17,640
And then, I got a job in semantic.
65
00:05:17,640 --> 00:05:18,640
And then, I got a job in semantic.
66
00:05:18,640 --> 00:05:19,640
And then, I got a job in semantic.
67
00:05:19,640 --> 00:05:20,640
And then, I got a job in semantic.
68
00:05:20,640 --> 00:05:21,640
And then, I got a job in semantic.
69
00:05:21,640 --> 00:05:22,640
And then, I got a job in semantic.
70
00:05:22,640 --> 00:05:24,640
And then, I got a job in semantic.
71
00:05:24,640 --> 00:05:25,640
And then, I got a job in semantic.
72
00:05:25,640 --> 00:05:26,640
And then, I got a job in semantic.
73
00:05:26,640 --> 00:05:27,640
And then, I got a job in semantic.
74
00:05:27,640 --> 00:05:28,640
And then, I got a job in semantic.
75
00:05:28,640 --> 00:05:29,640
And then, I got a job in semantic.
76
00:05:29,640 --> 00:05:38,000
I got an opportunity to move towards web technology.
77
00:05:38,000 --> 00:05:43,480
It was in, I think, so, a speed.net and later on SharePoint
78
00:05:43,480 --> 00:05:46,320
and later on, like, you know, Power Platform Technology.
79
00:05:46,320 --> 00:05:47,800
And then, back forth, like, you know,
80
00:05:47,800 --> 00:05:53,920
I moved towards, again, cyber security along the ID.
81
00:05:53,920 --> 00:05:54,920
Yeah.
82
00:05:54,920 --> 00:05:56,240
And--
83
00:05:56,240 --> 00:05:57,080
Yeah?
84
00:05:57,080 --> 00:05:57,960
Yeah, sorry.
85
00:05:57,960 --> 00:06:00,920
And then, nowadays, like, you know, the entire suite
86
00:06:00,920 --> 00:06:04,560
of Microsoft security starting from Microsoft Per View,
87
00:06:04,560 --> 00:06:08,200
Defender, Sentinel, and so forth.
88
00:06:08,200 --> 00:06:11,200
And of course, the Co-Pilot, all the Co-Pilot,
89
00:06:11,200 --> 00:06:13,960
like, you know, for security and the other Co-Pilot,
90
00:06:13,960 --> 00:06:16,120
like, you know, those are nowadays
91
00:06:16,120 --> 00:06:22,120
the playground of the main current playground currently.
92
00:06:22,120 --> 00:06:24,480
And yeah, you have work around--
93
00:06:24,480 --> 00:06:27,000
nearly the world, Europe, Africa, Asia,
94
00:06:27,000 --> 00:06:31,320
have this influence your security mindset.
95
00:06:31,320 --> 00:06:34,360
Sorry, could you-- can you come again, Mirko?
96
00:06:34,360 --> 00:06:35,040
Yeah, yeah.
97
00:06:35,040 --> 00:06:38,200
I think you are really working around the world,
98
00:06:38,200 --> 00:06:40,400
and Europe, Africa, Asia, influence,
99
00:06:40,400 --> 00:06:43,720
that your security mindset.
100
00:06:43,720 --> 00:06:44,200
Correct.
101
00:06:44,200 --> 00:06:49,400
I mean, like, you know, seeing the technology evolve,
102
00:06:49,400 --> 00:06:52,920
security is one of the most important kind of an aspect
103
00:06:52,920 --> 00:06:57,560
of securing data of an user, of an organization,
104
00:06:57,560 --> 00:07:00,640
of even our own self, like, you know?
105
00:07:00,640 --> 00:07:04,480
And while working with multiple technology,
106
00:07:04,480 --> 00:07:08,480
even within the Microsoft ecosystem, like, you know,
107
00:07:08,480 --> 00:07:14,000
it's really important that one is--
108
00:07:14,000 --> 00:07:17,080
must be able to secure, like, you know,
109
00:07:17,080 --> 00:07:22,880
the organizational data, or are, kind
110
00:07:22,880 --> 00:07:28,480
of an ecosystem and so forth.
111
00:07:28,480 --> 00:07:30,960
Yeah, really interesting.
112
00:07:30,960 --> 00:07:33,920
And that's a little bit look at the current security
113
00:07:33,920 --> 00:07:37,680
landscape if you had to describe the base threat landscape
114
00:07:37,680 --> 00:07:38,480
in one sentence.
115
00:07:38,480 --> 00:07:41,080
So what will it be?
116
00:07:41,080 --> 00:07:46,120
You mean from AI perspective, or from general perspective?
117
00:07:46,120 --> 00:07:49,800
From your perspective, how is actually--
118
00:07:49,800 --> 00:07:54,640
and yeah, I think AI has a big impact, actually.
119
00:07:54,640 --> 00:07:58,800
So currently, like, you know, from general perspective,
120
00:07:58,800 --> 00:08:02,680
is the outside threat security landscape
121
00:08:02,680 --> 00:08:07,640
is the complete picture of cybercrets, attackers, vulnerabilities,
122
00:08:07,640 --> 00:08:11,280
technology, and risk, like, you know, that an organization
123
00:08:11,280 --> 00:08:15,880
or an individual is facing at the given point of time,
124
00:08:15,880 --> 00:08:20,000
as the technology is constantly evolving,
125
00:08:20,000 --> 00:08:22,360
attackers are also getting smarter, like, you know,
126
00:08:22,360 --> 00:08:28,640
even with the current era of AI,
127
00:08:28,640 --> 00:08:31,200
attackers are becoming smarter and smarter,
128
00:08:31,200 --> 00:08:33,480
and they are also, like, you know, coming up
129
00:08:33,480 --> 00:08:35,360
and adopting new technique.
130
00:08:35,360 --> 00:08:39,200
So accordingly, organization also
131
00:08:39,200 --> 00:08:45,480
needs to introduce new technologies, such as, like, you know,
132
00:08:45,480 --> 00:08:50,000
cloud computing, AI and IoT, and kind of those--
133
00:08:50,000 --> 00:08:54,920
yeah, so threat actors could be, like, you know,
134
00:08:54,920 --> 00:08:57,920
cybercriminals, criminals, hacktivists,
135
00:08:57,920 --> 00:09:00,880
insider threats, or even our competitors.
136
00:09:00,880 --> 00:09:04,520
And we really need to be alert on, like, you know,
137
00:09:04,520 --> 00:09:12,120
how the attackers are misusing or getting into our systems,
138
00:09:12,120 --> 00:09:13,680
like, you know, Google.
139
00:09:13,680 --> 00:09:15,240
Yeah.
140
00:09:15,240 --> 00:09:16,080
Interesting.
141
00:09:16,080 --> 00:09:20,720
And, yeah, I think-- what did you think?
142
00:09:20,720 --> 00:09:26,920
I see a lot of companies buying more security products,
143
00:09:26,920 --> 00:09:31,280
but do they actually become more secure,
144
00:09:31,280 --> 00:09:36,040
or is it more, I don't know, yeah,
145
00:09:36,040 --> 00:09:39,600
and something, what couple is a thing, wrong,
146
00:09:39,600 --> 00:09:43,760
they buying tools, and they do it for them.
147
00:09:43,760 --> 00:09:48,360
But I would say it's about adoption,
148
00:09:48,360 --> 00:09:50,080
and how, like, you know, the--
149
00:09:50,080 --> 00:09:54,480
how they are--
150
00:09:54,480 --> 00:09:59,480
Hello?
151
00:09:59,480 --> 00:10:01,960
You are-- yeah, yeah, I thought it is--
152
00:10:01,960 --> 00:10:07,400
You know, that's a very common challenge, Mir Kunawad,
153
00:10:07,400 --> 00:10:10,800
is many organizations are buying security faster
154
00:10:10,800 --> 00:10:13,720
than they are really adopting them.
155
00:10:13,720 --> 00:10:17,920
For example, they would have a heavy budget on, like, you know,
156
00:10:17,920 --> 00:10:22,160
buying or a software related to cybersecurity.
157
00:10:22,160 --> 00:10:27,880
But many people struggle with adoption and integration,
158
00:10:27,880 --> 00:10:33,120
and even operationalization means, like, you know,
159
00:10:33,120 --> 00:10:39,200
that maybe because of maybe some internal training
160
00:10:39,200 --> 00:10:42,120
or maybe the management is not pushing enough,
161
00:10:42,120 --> 00:10:48,080
then the security capabilities often remain underutilized,
162
00:10:48,080 --> 00:10:53,680
leaving gaps and then towards these significant investment.
163
00:10:53,680 --> 00:10:57,880
For example, organizations may have, like, you know,
164
00:10:57,880 --> 00:11:01,080
50 or 100 security products from different vendors.
165
00:11:01,080 --> 00:11:04,040
Everyone, each one of them may have, like, you know,
166
00:11:04,040 --> 00:11:07,240
each own console, policy, then workflows,
167
00:11:07,240 --> 00:11:09,360
and of course, on top of it, like, you know,
168
00:11:09,360 --> 00:11:12,920
there is-- sorry, on the other side, there could be a poor integration,
169
00:11:12,920 --> 00:11:16,440
very in product, don't share context or telemetry,
170
00:11:16,440 --> 00:11:20,720
resulting in, like, you know, very fragmented visibility.
171
00:11:20,720 --> 00:11:25,880
And that becomes very difficult to manage and maintain in a long time.
172
00:11:25,880 --> 00:11:28,440
And of course, on top of it, like, you know,
173
00:11:28,440 --> 00:11:30,360
it's also a lack of governance,
174
00:11:30,360 --> 00:11:35,680
very-- it has to be pushed from the top management,
175
00:11:35,680 --> 00:11:40,400
and that results on, like, you know, just focusing--
176
00:11:40,400 --> 00:11:43,800
their organization is focusing on purchasing technology,
177
00:11:43,800 --> 00:11:47,680
rather than defining process or ownership or metrics.
178
00:11:47,680 --> 00:11:51,480
And one more aspect which I have seen, like, you know,
179
00:11:51,480 --> 00:11:54,760
there could be also user resistance.
180
00:11:54,760 --> 00:11:57,960
Yeah, very in, like, you know, employees may bypass control
181
00:11:57,960 --> 00:12:00,000
if they perceive them as, you know,
182
00:12:00,000 --> 00:12:06,000
slowing down productivity, contributing to Shaduaiti or Shaduai.
183
00:12:06,000 --> 00:12:07,000
Cool.
184
00:12:07,000 --> 00:12:08,000
Yeah.
185
00:12:08,000 --> 00:12:09,000
Yeah.
186
00:12:09,000 --> 00:12:13,560
I think what we heard a lot is, especially in cybersecurity,
187
00:12:13,560 --> 00:12:16,400
it's insider threats.
188
00:12:16,400 --> 00:12:21,480
So what are more important, actually, insider threats
189
00:12:21,480 --> 00:12:29,440
by company users, use AI, or is it the checkout they use AI?
190
00:12:29,440 --> 00:12:33,440
You mean either--
191
00:12:33,440 --> 00:12:37,440
whether it is-- which one is the more important--
192
00:12:37,440 --> 00:12:39,200
threats coming from inside--
193
00:12:39,200 --> 00:12:43,120
inside the AI usage or in the tech area, right?
194
00:12:43,120 --> 00:12:44,120
Yeah.
195
00:12:44,120 --> 00:12:45,120
Yeah.
196
00:12:45,120 --> 00:12:47,760
I would say from experience perspective,
197
00:12:47,760 --> 00:12:50,600
I would say both are important.
198
00:12:50,600 --> 00:12:55,160
But bigger-- one of the bigger risk most--
199
00:12:55,160 --> 00:12:58,280
for most organizations is inside the AI usage.
200
00:12:58,280 --> 00:13:02,360
In case if they lack governance and so forth,
201
00:13:02,360 --> 00:13:05,560
for example, it can happen every day.
202
00:13:05,560 --> 00:13:08,720
Sometimes unintentionally, employees like, you know,
203
00:13:08,720 --> 00:13:12,920
may paste confidential data into public AI tool just like, you know,
204
00:13:12,920 --> 00:13:16,280
maybe some confusion-- confidential data
205
00:13:16,280 --> 00:13:20,840
into a chat GPT, like, you know, and then that could be kind
206
00:13:20,840 --> 00:13:23,600
of a very high risk for the organization.
207
00:13:23,600 --> 00:13:26,920
Or maybe kind of another example would be identity
208
00:13:26,920 --> 00:13:29,360
compromised, very like, you know,
209
00:13:29,360 --> 00:13:35,680
adnet hacker, clock says AI, cloud resource, or sensitive data.
210
00:13:35,680 --> 00:13:43,240
And yeah, so that's my perspective from an attacker--
211
00:13:43,240 --> 00:13:50,240
AI attacker, like, you know, with the introduction of an AI,
212
00:13:50,240 --> 00:13:55,600
nobody is doing any grammatical mistake.
213
00:13:55,600 --> 00:13:58,480
That's the duty of AI nowadays, you know?
214
00:13:58,480 --> 00:14:01,280
Every mail is a trick now.
215
00:14:01,280 --> 00:14:03,840
If you remember earlier, like, you know,
216
00:14:03,840 --> 00:14:07,960
many attackers are doing kind of people
217
00:14:07,960 --> 00:14:11,200
were trying to find, you know, whether there is a kind
218
00:14:11,200 --> 00:14:14,560
of grammatical mistake we are in, we can, you know,
219
00:14:14,560 --> 00:14:19,760
figure out whether this is a kind of, I would say,
220
00:14:19,760 --> 00:14:21,640
fishing email and so forth.
221
00:14:21,640 --> 00:14:24,800
However, nowadays, like, you know, the AI generated
222
00:14:24,800 --> 00:14:29,800
fishing mail are drafted with excellent grammar.
223
00:14:29,800 --> 00:14:33,600
And they do, like, you know, personalize fishing
224
00:14:33,600 --> 00:14:34,880
using public information.
225
00:14:34,880 --> 00:14:37,680
They may, like, you know, go to your LinkedIn account,
226
00:14:37,680 --> 00:14:40,680
they may do a research, like, you know,
227
00:14:40,680 --> 00:14:45,120
from the organization perspective, like, you know,
228
00:14:45,120 --> 00:14:49,560
all are working in for those companies.
229
00:14:49,560 --> 00:14:51,520
Just one real example, like, you know,
230
00:14:51,520 --> 00:14:53,520
which happened a few years ago in the US,
231
00:14:53,520 --> 00:14:56,080
you know, very, like, you know, an attacker
232
00:14:56,080 --> 00:15:00,960
were trying to penetrate one organization kind of
233
00:15:00,960 --> 00:15:03,800
a network, like, you know, but they were not successful
234
00:15:03,800 --> 00:15:06,560
because those organization had, like, you know,
235
00:15:06,560 --> 00:15:09,000
hard-willing their system really well.
236
00:15:09,000 --> 00:15:12,160
And it could not hack their system.
237
00:15:12,160 --> 00:15:13,640
So what did they do?
238
00:15:13,640 --> 00:15:15,960
They started with social engineering.
239
00:15:15,960 --> 00:15:19,920
So as I said, like, you know, they started, like, you know,
240
00:15:19,920 --> 00:15:24,760
checking the employee profile, they started doing an analysis
241
00:15:24,760 --> 00:15:27,640
on their employee's behaviors.
242
00:15:27,640 --> 00:15:30,000
And they found out that, like, you know,
243
00:15:30,000 --> 00:15:35,160
those many of their employees were, like, in Chinese restaurants,
244
00:15:35,160 --> 00:15:39,800
which was, like, you know, near to their office, okay?
245
00:15:39,800 --> 00:15:43,040
So what they do is, like, you know,
246
00:15:43,040 --> 00:15:47,080
and they found out, like, like, those employers were checking
247
00:15:47,080 --> 00:15:49,480
their menu very often because, again, like, you know,
248
00:15:49,480 --> 00:15:53,560
they were ordering those food from the Chinese restaurant.
249
00:15:53,560 --> 00:15:55,720
And what did they do is, like, you know,
250
00:15:55,720 --> 00:16:00,200
they embedded malicious kind of a code within the PDF
251
00:16:00,200 --> 00:16:02,360
of the Chinese menu.
252
00:16:02,360 --> 00:16:06,760
And that's how it could enter their organizational system,
253
00:16:06,760 --> 00:16:08,400
like, you know, the organization system.
254
00:16:08,400 --> 00:16:09,400
- Okay.
255
00:16:09,400 --> 00:16:10,240
- Yeah, yeah.
256
00:16:10,240 --> 00:16:15,240
So the attackers are, like, you know, playing really smart.
257
00:16:15,240 --> 00:16:19,280
And that's how, like, you know, one needs to be really,
258
00:16:19,280 --> 00:16:20,800
even extremely careful.
259
00:16:20,800 --> 00:16:23,440
- Yeah.
260
00:16:23,440 --> 00:16:25,640
Yeah, I think on the lot of funny,
261
00:16:25,640 --> 00:16:27,840
this is a really funny story with the Chinese restaurant.
262
00:16:27,840 --> 00:16:31,200
I think on these other guy, they had put,
263
00:16:31,200 --> 00:16:38,360
I think, with basics with, I think Bitcoin,
264
00:16:38,360 --> 00:16:40,360
the thing on it.
265
00:16:40,360 --> 00:16:42,840
And also, get, get hacked a company.
266
00:16:42,840 --> 00:16:45,080
- Yeah.
267
00:16:45,920 --> 00:16:46,760
- Yeah.
268
00:16:46,760 --> 00:16:51,280
Yeah.
269
00:16:51,280 --> 00:16:56,280
Now we have, I think, and you really are, yeah,
270
00:16:56,280 --> 00:16:59,320
new product, Microsoft Security Co-Pilot.
271
00:16:59,320 --> 00:17:02,360
So now I can say, hello,
272
00:17:02,360 --> 00:17:04,480
Co-Pilot, please make my environment secure,
273
00:17:04,480 --> 00:17:06,320
or how it would work.
274
00:17:06,320 --> 00:17:07,760
(laughs)
275
00:17:07,760 --> 00:17:12,760
- I think so, Mirko, Microsoft Security Co-Pilot is not enough.
276
00:17:15,000 --> 00:17:16,560
It's the answer is a big no.
277
00:17:16,560 --> 00:17:22,080
Microsoft Security Co-Pilot is a powerful tool.
278
00:17:22,080 --> 00:17:24,040
However, it remains a security assistant,
279
00:17:24,040 --> 00:17:27,880
but it's not a complete, I would say, a security solution.
280
00:17:27,880 --> 00:17:31,000
It helps you to augment your security team.
281
00:17:31,000 --> 00:17:32,760
However, it does not, like, you know,
282
00:17:32,760 --> 00:17:35,840
replace the security architecture at the end of the day.
283
00:17:35,840 --> 00:17:38,560
So, and then mainly,
284
00:17:38,560 --> 00:17:41,480
security co-pilot is used by your SOC team,
285
00:17:41,480 --> 00:17:43,920
means security operations center.
286
00:17:43,920 --> 00:17:46,880
They, it helps, like, no, directly,
287
00:17:46,880 --> 00:17:50,560
the SOC team to detect and investigate and respond faster.
288
00:17:50,560 --> 00:17:54,880
However, we cannot always, it will be wrong to say that,
289
00:17:54,880 --> 00:17:58,280
like, no, security co-pilot will replace the entire,
290
00:17:58,280 --> 00:18:00,400
I would say, security architecture.
291
00:18:00,400 --> 00:18:01,640
- Oh, yeah.
292
00:18:01,640 --> 00:18:02,800
- Okay.
293
00:18:02,800 --> 00:18:05,720
And for most people, I think there are,
294
00:18:05,720 --> 00:18:07,640
for listeners here on my podcast,
295
00:18:07,640 --> 00:18:10,640
I come from the Microsoft 365 co-pilot.
296
00:18:10,640 --> 00:18:13,640
How is the difference to the Microsoft Security
297
00:18:13,640 --> 00:18:17,480
port co-pilot when people start us?
298
00:18:17,480 --> 00:18:21,240
- Sorry, I didn't get, can you repeat Mirko, please?
299
00:18:21,240 --> 00:18:22,880
- Yeah, yeah, no problem.
300
00:18:22,880 --> 00:18:25,200
I think especially my listeners,
301
00:18:25,200 --> 00:18:28,720
the most one have used Microsoft 365 co-pilot.
302
00:18:28,720 --> 00:18:32,720
And it's, yeah, you can prompt and do wonderful things.
303
00:18:32,720 --> 00:18:35,680
How different is the Microsoft Security co-pilot
304
00:18:35,680 --> 00:18:38,920
from the Microsoft 365 co-pilot?
305
00:18:38,920 --> 00:18:40,360
- Okay, okay, yeah.
306
00:18:40,360 --> 00:18:45,360
So, for example, when it comes to primary user,
307
00:18:45,360 --> 00:18:50,080
Microsoft Security co-pilot is mainly used
308
00:18:50,080 --> 00:18:53,800
by security analyst, SOC and IDIT security team.
309
00:18:53,800 --> 00:18:55,440
On the other hand, like, you know,
310
00:18:55,440 --> 00:18:59,120
this Microsoft 365 co-pilot is used,
311
00:18:59,120 --> 00:19:01,360
it can be used by all employees.
312
00:19:01,360 --> 00:19:03,640
It could be by from the HR department,
313
00:19:03,640 --> 00:19:06,600
finance team, marketing, executive, and so forth.
314
00:19:08,360 --> 00:19:11,960
The goal from related to Microsoft Security co-pilot
315
00:19:11,960 --> 00:19:14,160
is to protect the organization.
316
00:19:14,160 --> 00:19:16,200
On the other hand, they, like, you know,
317
00:19:16,200 --> 00:19:19,440
for Microsoft 365 co-pilot is, like, you know,
318
00:19:19,440 --> 00:19:22,120
the goal is to improve productivity.
319
00:19:22,120 --> 00:19:27,240
And now from the data source perspective, like, you know,
320
00:19:27,240 --> 00:19:30,040
Microsoft Security co-pilot gets the data
321
00:19:30,040 --> 00:19:34,520
from Defender, Sentinel, Entra, Intune, Trit Intelligence.
322
00:19:34,520 --> 00:19:36,480
All these are, like, you know, security,
323
00:19:36,480 --> 00:19:39,080
Microsoft Security related product or tool.
324
00:19:39,080 --> 00:19:42,280
Okay, on the other hand, like, you know,
325
00:19:42,280 --> 00:19:44,760
it underlies, under Microsoft Graph,
326
00:19:44,760 --> 00:19:47,320
very, like, you know, it gets data from Outlook teams,
327
00:19:47,320 --> 00:19:50,200
Word, all the, again, like, you know,
328
00:19:50,200 --> 00:19:54,840
Office related tools from Microsoft.
329
00:19:54,840 --> 00:19:59,600
And, but you are right, the naming convention is,
330
00:19:59,600 --> 00:20:02,160
the naming is really confusing.
331
00:20:02,160 --> 00:20:05,800
And nowadays, there are so many co-pilot outside here
332
00:20:05,800 --> 00:20:07,720
that we let me get confused.
333
00:20:07,720 --> 00:20:11,960
I believe there are, I think so even for within Microsoft,
334
00:20:11,960 --> 00:20:16,960
ecosystem itself, there will be 50 minimum co-pilot, I would say.
335
00:20:16,960 --> 00:20:21,440
- Yeah, I think it is the lot GitHub and so on, yeah.
336
00:20:21,440 --> 00:20:22,960
- Yeah, yeah, yeah.
337
00:20:22,960 --> 00:20:25,960
- Co-pilot for sales, oh, dynamics and so forth, like.
338
00:20:25,960 --> 00:20:30,960
- Yeah, but which real, yeah, problems do is that
339
00:20:30,960 --> 00:20:35,200
the Microsoft Security co-pilot solves today.
340
00:20:35,920 --> 00:20:36,920
- And where are we?
341
00:20:36,920 --> 00:20:38,440
- On the map.
342
00:20:38,440 --> 00:20:43,440
Yeah, I would say, of course, it, let me just think,
343
00:20:43,440 --> 00:20:52,920
yeah, yeah.
344
00:20:52,920 --> 00:20:59,000
It helps primarily security analysts, like, you know,
345
00:20:59,000 --> 00:21:00,200
the SOC team and all.
346
00:21:03,040 --> 00:21:05,600
One of the interesting part is, you know,
347
00:21:05,600 --> 00:21:11,640
when we deal with Sentinel and we get, you know,
348
00:21:11,640 --> 00:21:18,280
SOC team gets too many alerts and they're at least too fatig,
349
00:21:18,280 --> 00:21:21,440
like, you know, human fatig because at some point of time,
350
00:21:21,440 --> 00:21:24,240
human can work up to,
351
00:21:24,240 --> 00:21:31,040
so it helps, you know,
352
00:21:32,840 --> 00:21:37,160
and of course, analysts cannot investigate everything manually.
353
00:21:37,160 --> 00:21:39,640
So security, the pilots primarily, I would say,
354
00:21:39,640 --> 00:21:42,360
helps by prioritizing a lot,
355
00:21:42,360 --> 00:21:46,680
co-doing and, like, you know, analysis by co-relating,
356
00:21:46,680 --> 00:21:49,760
related events and explain, like, you know,
357
00:21:49,760 --> 00:21:53,440
provide an explanation why an alert matters.
358
00:21:53,440 --> 00:21:54,440
- Okay.
359
00:21:54,440 --> 00:21:58,160
- For example, if you would have not co-pilot security,
360
00:21:58,160 --> 00:22:00,760
then without AI, maybe, like, you know,
361
00:22:00,760 --> 00:22:04,200
we may have, like, you know, multiple console search log,
362
00:22:04,200 --> 00:22:06,200
check IP repetition, of course.
363
00:22:06,200 --> 00:22:09,600
And then it may take, like, longer and longer time
364
00:22:09,600 --> 00:22:14,600
to really identify a true positive kind of an alert
365
00:22:14,600 --> 00:22:17,000
or incident.
366
00:22:17,000 --> 00:22:19,600
So from those perspectives, like, you know,
367
00:22:19,600 --> 00:22:25,960
co-pilot is quite, quite faster, Microsoft security co-pilot.
368
00:22:25,960 --> 00:22:29,160
On the other hand, I would say second point,
369
00:22:30,600 --> 00:22:33,720
it helps, as you know,
370
00:22:33,720 --> 00:22:37,920
cyber security has a shortage worldwide.
371
00:22:37,920 --> 00:22:42,280
Now, it is finding a really good security engineer
372
00:22:42,280 --> 00:22:45,000
is not easy anywhere.
373
00:22:45,000 --> 00:22:48,960
So, for example, maybe, kind of a junior analyst may,
374
00:22:48,960 --> 00:22:52,720
like, you know, struggle, but malware analysis, threat hunting,
375
00:22:52,720 --> 00:22:57,720
kick-wheel, kind of, like, you know, scripting and all.
376
00:22:57,840 --> 00:23:04,840
So from that perspective, co-pilot can act like an experienced assistant,
377
00:23:04,840 --> 00:23:08,000
which would help that, like, you know, investigate,
378
00:23:08,000 --> 00:23:11,200
investigate that incident more effectively.
379
00:23:11,200 --> 00:23:16,600
And in an organization, typically, like,
380
00:23:16,600 --> 00:23:20,080
there are so many tools, there could be some kind of email security tool,
381
00:23:20,080 --> 00:23:25,840
identity, seam, threat intelligence, endpoint, and gathering all these data
382
00:23:25,840 --> 00:23:32,080
into a centralized kind of a system is one of the most
383
00:23:32,080 --> 00:23:35,760
the beauty of co-pilot security, which, like, you know,
384
00:23:35,760 --> 00:23:38,560
bring the context together.
385
00:23:38,560 --> 00:23:42,320
Because if a human will start, like, you know,
386
00:23:42,320 --> 00:23:47,280
and doing an analysis from different log from different system,
387
00:23:47,280 --> 00:23:50,960
you can imagine, I think so, we all had done that in the past,
388
00:23:50,960 --> 00:23:53,720
like, you know, and you, as you remember, like, you know,
389
00:23:53,720 --> 00:24:00,720
we spent hours and hours when the root cause is not yet found.
390
00:24:00,720 --> 00:24:04,720
However, from co-pilot, like, you know, it brings context together,
391
00:24:04,720 --> 00:24:09,720
especially in the Microsoft security ecosystem.
392
00:24:09,720 --> 00:24:11,720
Yeah.
393
00:24:11,720 --> 00:24:13,720
Yeah, yeah, custom.
394
00:24:13,720 --> 00:24:17,720
Yeah, I think a little bit,
395
00:24:17,720 --> 00:24:23,720
but, you say, we can pray, pray, rise.
396
00:24:23,720 --> 00:24:24,720
Right, yeah.
397
00:24:24,720 --> 00:24:29,720
So, how much faster can incident response become with Microsoft co-pilot
398
00:24:29,720 --> 00:24:35,720
from your perspective, or whatever you've seen?
399
00:24:35,720 --> 00:24:42,720
You mean, like, you know, the most faster incident we can resolve?
400
00:24:42,720 --> 00:24:43,720
Yeah, yeah.
401
00:24:43,720 --> 00:24:44,720
Yeah, yeah.
402
00:24:44,720 --> 00:24:50,720
So, I would say, let's take an example.
403
00:24:50,720 --> 00:24:56,720
Maybe we get an alert one from a new suspicion, suspicious log in.
404
00:24:56,720 --> 00:24:57,720
Maybe an alert two, like, you know,
405
00:24:57,720 --> 00:25:02,720
a PowerShell execution alert three from a malware detected, and so forth.
406
00:25:02,720 --> 00:25:10,720
From security co-pilot, how faster would be, like, you know, understanding an alert?
407
00:25:10,720 --> 00:25:15,720
It will be, I would say, less than five minutes as compared to a traditional stock
408
00:25:15,720 --> 00:25:24,720
which takes, like, you know, 10 to 20 minutes to do an analysis from a human perspective.
409
00:25:24,720 --> 00:25:26,720
That was maybe understanding an alert.
410
00:25:26,720 --> 00:25:30,720
Maybe, let's say, right and incident summary.
411
00:25:30,720 --> 00:25:35,720
And what is the AI it takes, let's then two, three minutes, like, you know,
412
00:25:35,720 --> 00:25:41,720
and earlier, like, you know, when we keep writing and say, we have, when we write an incident summary,
413
00:25:41,720 --> 00:25:48,720
at least it takes for a human to at least 15 to 30 minutes, like, you know, to write that properly.
414
00:25:48,720 --> 00:25:57,720
And, for example, a general SQL queries, similar to, like, you know, writing as any kind of queries,
415
00:25:57,720 --> 00:26:10,720
it takes few seconds. And when we write my SQL queries manually, it may take maybe more minutes and even longer
416
00:26:10,720 --> 00:26:14,720
because we really need to remember the syntax, we need to remember, like, you know,
417
00:26:14,720 --> 00:26:19,720
from where to get the word and in which system.
418
00:26:19,720 --> 00:26:21,720
So those perspectives.
419
00:26:21,720 --> 00:26:32,720
And, of course, from the executive perspective, like, you know, executive, executive people would need a report kind of on those incident on a daily basis.
420
00:26:32,720 --> 00:26:39,720
Then again, it saves us lots of time from, like, you know, hours to minute, hours.
421
00:26:39,720 --> 00:26:42,720
Yeah, awesome.
422
00:26:42,720 --> 00:26:47,720
And there are also, I'm saying, misconceptions.
423
00:26:47,720 --> 00:26:52,720
Do companies have about the security copilot?
424
00:26:52,720 --> 00:26:56,720
Yeah, yeah, for sure.
425
00:26:56,720 --> 00:27:03,720
I mean, like, you know, many people, and of course, the copilot is not coming cheap.
426
00:27:03,720 --> 00:27:11,720
And many have those, misconception very, like, you know, if I buy security copilot, then I am safe.
427
00:27:11,720 --> 00:27:21,720
Like, you know, it will protect entirely my company, which is not true. Again, once more, like, you know, it does not replace your security architecture or control.
428
00:27:21,720 --> 00:27:28,720
It just helps the analyst to investigate and respond faster. That's the primary goal target, you know.
429
00:27:28,720 --> 00:27:35,720
And, uh, Ana, I had like, you know, another customer, which very like, you know, I had a discussion.
430
00:27:35,720 --> 00:27:42,720
They were asking whether, like, you know, they can consider security copilot as an entire antivirus.
431
00:27:42,720 --> 00:27:45,720
So it's not an antivirus.
432
00:27:45,720 --> 00:27:50,720
It just sits on top of the security copilot system.
433
00:27:50,720 --> 00:27:59,720
And sorry, on the, on the top of your on the security ecosystem and the primary,
434
00:27:59,720 --> 00:28:08,720
yeah, aim or objective of security copilot is to analyze security data and help analysts to investigate and respond faster.
435
00:28:08,720 --> 00:28:09,720
Yeah.
436
00:28:09,720 --> 00:28:13,720
Uh, another misconception, which is an interesting one, which I just recollect.
437
00:28:13,720 --> 00:28:17,720
It automatically blocks hackers.
438
00:28:17,720 --> 00:28:21,720
So that is also for sure it's a big no.
439
00:28:21,720 --> 00:28:38,720
And blocking usually is performed by two like, from Microsoft, like, ecosystem, two, like, defender, and firewall and security policies and so forth, but not by security copilot itself, like, you know.
440
00:28:38,720 --> 00:28:44,720
And is it primarily for large enterprises or is also realistic for SMEs?
441
00:28:44,720 --> 00:28:53,720
From price perspective, I would say a large enterprise will be able to afford it.
442
00:28:53,720 --> 00:29:03,720
And small business, like, you know, let's say if the size is 10 to 100 users, which is, I don't think so.
443
00:29:03,720 --> 00:29:22,720
It is fit for them, because again, like, you know, you may need mature kind of a sock team really to understand the complexity, which me out, like, you know, which me, give you the benefit and longer run.
444
00:29:22,720 --> 00:29:46,720
And, uh, I would sell so for midsize company. It really depends, like, you know, whether these midsize company has dedicated it security team and whether they are also using the other kind of product such as defender X,
445
00:29:46,720 --> 00:29:56,720
which could like, you know, help them, uh, which, uh, very like, you know, security copilot is going to help them to investigate further.
446
00:29:56,720 --> 00:30:05,720
And of course, cost perspective, because, uh, as I said, the license is not cheap.
447
00:30:05,720 --> 00:30:12,720
So, uh, I would say large enterprise organization will be able to afford those type of license.
448
00:30:12,720 --> 00:30:35,720
Yeah. Yeah. It's a price, uh, price take behind this. Okay. And so, um, there that's also, I think, um, the new buzz word. It's called a eye governance that sounds a little bit abstract. What, what, what does it actually mean?
449
00:30:35,720 --> 00:30:50,720
Okay. Uh, nowadays, uh, AI, uh, like, you know, is people are creating new capabilities are innovating with, with AI.
450
00:30:50,720 --> 00:30:55,720
So that means AI creates capability.
451
00:30:55,720 --> 00:31:12,720
Uh, new capabilities within an organization be it within their product or services. Uh, however, like, you know, there has to be a mechanism which needs, uh, which, which must guide these capabilities. And that is called governance.
452
00:31:12,720 --> 00:31:21,720
Okay. And, uh, of course, uh, on the other hand, like, you know, security must protect those capabilities.
453
00:31:21,720 --> 00:31:49,720
So what is a governance is the kind of like, you know, it's a kind of a collection or a framework of policies, processes, uh, controls, uh, which answer that the AI, which is developed or deployed is used safely responsibly, responsibly, securely, and of course, yeah, in compliance with regulation.
454
00:31:49,720 --> 00:32:05,720
So, for example, from European perspective, you must know, uh, there are so many compliance like, you know, we have got EU AI act, we have got niche tool, we have got cyber, residential act, we have got, uh, door of, we have got GDPR.
455
00:32:05,720 --> 00:32:25,720
And, uh, company have, uh, there is a host, a sole responsibility to comply to comply within all these, like, you know, compliance. Otherwise, uh, you're like, you know, it is, uh, you will be not under the compliance, uh, simply said.
456
00:32:25,720 --> 00:32:37,720
Yeah. And, uh, well, how should organizations, organizations establish governance before they deploy AI?
457
00:32:37,720 --> 00:33:05,720
Yeah, I think so, uh, within again, Microsoft, uh, ecosystem, we have got to like, Microsoft purview, we have got to like, uh, like, uh, for developer perspective, as you, as you foundry, uh, like, you know, which can be used for these type of governance.
458
00:33:05,720 --> 00:33:17,720
Or from, uh, AI, uh, from AI governance, the strictly said, uh, one primary tool, I would, which I would recommend like, you know, from Microsoft ecosystem is Microsoft purview.
459
00:33:17,720 --> 00:33:27,720
So, it can discover and go on inventory of AI application and agent within the ecosystem or within the tenant, sorry, within the tenant of the organization.
460
00:33:27,720 --> 00:33:35,720
For a couple, uh, the another, uh, beauty of purview is classified and protects sensitive data used by AI.
461
00:33:35,720 --> 00:33:43,720
Uh, of course, manage compliance within, uh, uh, with regulations such as again, you AI act.
462
00:33:43,720 --> 00:33:53,720
Uh, now, uh, nowadays also Microsoft has provided the Microsoft responsible AI dashboard. Uh, it's really useful.
463
00:33:53,720 --> 00:34:11,720
Very like, you know, it helps you evaluate biases such as fairness, provide, for example, uh, explainability error analysis robustness and also like, you know, uh, of course, also provide good reporting.
464
00:34:11,720 --> 00:34:17,720
Uh, another one, yeah, which I'm using also personally heavily. It's Azure Air Foundry.
465
00:34:17,720 --> 00:34:33,720
For example, uh, how to, uh, provide a content safety, model evaluation, model catalog governance, safety filters and, uh, uh, give you an observability.
466
00:34:33,720 --> 00:34:39,720
That is really important because you really need to have a mechanism of observability.
467
00:34:39,720 --> 00:34:55,720
Uh, lastly, like, you know, those classical tool defender for cloud in dry and all, uh, which helps you, uh, like, you know, manage identity, uh, at, uh, intra level.
468
00:34:55,720 --> 00:35:07,720
Okay. Um, then, uh, I think a little bit about, um, policies. What tips can you give here? Uh, which, uh, policy showed every company defined?
469
00:35:07,720 --> 00:35:33,720
For AI, specifically. Yeah. Yeah. Yeah. Uh, uh, uh, uh, let me just think, uh, maybe like, you know, uh, policy such as like, you know, maybe, uh, which AI services.
470
00:35:33,720 --> 00:35:48,720
Uh, an employee within an organization is allowed to use. For example, uh, let's say, uh, user can officially use Microsoft 365 co palette.
471
00:35:48,720 --> 00:36:02,720
And those are like, you know, the one approved by the company. Or maybe it would be Claude, I mean, Claude from entropic or chat, GPD from kind of like, you know, the, uh, paid version.
472
00:36:02,720 --> 00:36:09,720
The important points to be noted is like, you know, it has to be company approved.
473
00:36:09,720 --> 00:36:31,720
Um, another one is, uh, data classification policy. Uh, you know, from the zero perspective, uh, uh, like, you know, verify always explicitly apply, uh, least privilege access and, uh, always assume breach, like, you know, so from the data classification policy, like, you know,
474
00:36:31,720 --> 00:36:43,720
uh, uh, uh, uh, the, uh, public and internal data, which are approved only, like, you know, should be accessible by the user.
475
00:36:43,720 --> 00:37:00,720
And of course, uh, Confedient, Confedential data has to be really controlled customer data only approved like, you know, uh, data only approved data should be, uh, be, uh, handled by the user and so forth.
476
00:37:00,720 --> 00:37:20,720
Uh, uh, another one, let me, uh, of course responsible prompting policy. For example, like, you know, employees should, I mean, uh, we really need to educate employees within an organization and that, like, you know, on a frequent basis, that, um,
477
00:37:20,720 --> 00:37:43,720
uh, employees should avoid entering, uh, uh, PII related data password data, API skis customer list, Confedential contract, employee record intellectual properties, uh, and so forth, like, you know, and, uh, implement, uh, EI security policy, those are really important.
478
00:37:43,720 --> 00:37:58,720
So, uh, I've followed up the, uh, protect system, uh, from prompt injection from data leakage and authorized plugins so that, uh, from that perspective, governance has to be really strong.
479
00:37:58,720 --> 00:38:10,720
Yeah, and lastly, uh, I've seen in many organizations, like, you know, in a large organization, uh, people keep, uh, using their, uh, favorite tool.
480
00:38:10,720 --> 00:38:25,720
So that, that is called like, you know, shadow, IT or shadow, AI, wherein people like, you know, keep installing or, uh, connecting AI, uh, with, uh, non-approved, non-authorized kind of a tool.
481
00:38:25,720 --> 00:38:52,720
Let's say chat, GPD is not all open chat, uh, chat, DPD from openly, uh, is not allowed officially, but still they are using like, you know, because maybe the model is giving them kind of a more faster kind of, uh, response or more kind of accurate kind of, so, however, like, you know, one from the governance perspective, really need to monitor those otherwise, there could be, there will be, there is going to be a real risk of for data leakage and so.
482
00:38:52,720 --> 00:39:06,720
Yeah, and, um, also one topic is a Microsoft, often tell about zero trust has AI zero trust, Philo, the big change, uh, through AI.
483
00:39:06,720 --> 00:39:15,720
Uh, you mean to say, uh, whether we can, uh, uh, implement zero trust with AI?
484
00:39:15,720 --> 00:39:16,720
Yeah.
485
00:39:16,720 --> 00:39:35,720
Uh, yeah, yeah, so, uh, uh, uh, uh, uh, like, you know, from the, uh, attacks, uh, attack surface perspective, like, you know, if you look like 20 years ago, like, you know, attackers were targeting network.
486
00:39:35,720 --> 00:39:48,720
Uh, and then, uh, then or even now they are targeting identity still now, like, you know, it is still, uh, continuous kind of, uh, they are targeting identity on a continuous basis.
487
00:39:48,720 --> 00:39:54,720
And now with the age of, uh, AI, like, you know, the target, uh, AI.
488
00:39:54,720 --> 00:40:10,720
So, uh, uh, uh, as per the zero trust concept, like, you know, always, uh, verify explicitly, because, and then of course assign, uh, uh, identity to in each AI agent.
489
00:40:10,720 --> 00:40:23,720
So, we can like, you know, uh, uh, uh, verify explicitly about, uh, uh, whether, like, you know, what type of, uh, data or what type of resources they are accessing.
490
00:40:23,720 --> 00:40:52,720
And, uh, least privilege because, uh, at the end of the day, AI is going to use your underlying data. That means, like, you know, based on the user, uh, credential, which is, uh, which, uh, the co pilot is logged in with, uh, in case if the user has not got the right permission, then you may come up with some unfortunate kind of surprises or experiences, like, you know, so that is, uh,
491
00:40:52,720 --> 00:41:06,720
uh, really important, very, like, you know, uh, at the user level, at the identity level, like, you know, one has to provide the, uh, least privilege kind of a permission.
492
00:41:06,720 --> 00:41:27,720
And, uh, one of the, uh, practice, uh, an organization should have, like, you know, is to assume always, as always, assume breach, uh, the one should, uh, like, you know, keep checking on prompt injection, compromise account malicious AI, usage, and so forth.
493
00:41:27,720 --> 00:41:42,720
Yeah, so for sure, uh, to summarize, like, you know, uh, zero trust is also, uh, really useful for, uh, from any, uh, perspective.
494
00:41:42,720 --> 00:41:58,720
And, um, yeah, we have also, I think we have a lot of security tools, but I think the most famous, uh, Defender, Entra, and a peer view, which roles do these play, these tools play in security environment?
495
00:41:58,720 --> 00:42:05,720
Uh, you mean, uh, uh, role of the tool, like, such as a per view and Defender?
496
00:42:05,720 --> 00:42:07,720
Yeah, and Entra ID.
497
00:42:07,720 --> 00:42:28,720
Uh, for example, uh, per view, uh, uh, one of a kind of, uh, uh, per view is mainly for, uh, data security and governance.
498
00:42:28,720 --> 00:42:41,720
Uh, like, you know, it helps you, uh, classify, uh, and label, protects and governs the data that AI can access.
499
00:42:41,720 --> 00:42:52,120
Like, if classify a kind of R&D related or engineering related kind of research as a confidential
500
00:42:52,120 --> 00:42:59,800
or strictly confidential okay and co-pilot within an organization will not be able to like
501
00:42:59,800 --> 00:43:05,740
you know provide those type of information to any kind of a user which has, which does
502
00:43:05,740 --> 00:43:11,060
not have the permission to see those type of information. So that is like, you know, one
503
00:43:11,060 --> 00:43:22,780
of the beauty of purview, n3id is about identity and of course, access. For example, it will
504
00:43:22,780 --> 00:43:30,900
the role of that tool would be to verify users, device and application before granting access
505
00:43:30,900 --> 00:43:39,260
to AI and data. So at the one and level, like you know, the if that user, for example,
506
00:43:39,260 --> 00:43:47,360
it's an user from the HR department has the authorization to access the HR agent, then
507
00:43:47,360 --> 00:43:53,700
well and good that user will be able to access. However, like, you know, normal user, maybe
508
00:43:53,700 --> 00:44:00,180
like you should not have an access to kind of a sales report or maybe kind of a confidential
509
00:44:00,180 --> 00:44:07,860
agent which deals, let's say, with the salary information okay. So for sure, those user
510
00:44:07,860 --> 00:44:16,540
or maybe that user should not be able to access those data or information related to
511
00:44:16,540 --> 00:44:22,420
I would say another department which is really strictly confidential.
512
00:44:22,420 --> 00:44:28,220
And from you said also defender like, you know, those are from I would say protection,
513
00:44:28,220 --> 00:44:35,660
threat protection. It helps like, you know, detects and dispone to attack targeting identities,
514
00:44:35,660 --> 00:44:45,220
maybe email and some other workload like cloud and all. So and one of the tools also is
515
00:44:45,220 --> 00:44:52,260
security co-pilot very like, you know, again, once more, it helps assist security team by
516
00:44:52,260 --> 00:44:59,100
investigating and summarizing it's in and so yeah. I hope I answered your question.
517
00:44:59,100 --> 00:45:09,380
Yeah, yeah. And what is how can we have speak about the security co-pilot, but how can
518
00:45:09,380 --> 00:45:19,700
companies, money tokens, just simply, there are security, is there something in Azure or
519
00:45:19,700 --> 00:45:34,840
how should I do this? Okay. One of the, I would say, let's say, once we have deployed AI,
520
00:45:34,840 --> 00:45:43,020
how do we know really it's secure? Like, you know, so the continuously monitoring loop
521
00:45:43,020 --> 00:45:52,140
be like, you know, from AI user will access the Microsoft 365 co-pilot, which, which underlying
522
00:45:52,140 --> 00:45:57,140
like, you know, will be accessing Microsoft Graph and Business Data. And that will be like,
523
00:45:57,140 --> 00:46:09,980
you know, on a layer below will be managed by Microsoft purview. From the architecture point
524
00:46:09,980 --> 00:46:16,140
of view, Microsoft purview will be checking like data governance and compliance perspective.
525
00:46:16,140 --> 00:46:22,700
And on top of it, like, you know, there will be, I would say, defender and sentinel, which
526
00:46:22,700 --> 00:46:34,260
will be continuously monitoring, like, you know, what's going on. And that's from my perspective,
527
00:46:34,260 --> 00:46:42,660
like, you know, the loop, which is to be like, you know, which has to be implemented from
528
00:46:42,660 --> 00:46:52,580
the continuously monitoring perspective. And I think also on topic is what a lot of company
529
00:46:52,580 --> 00:47:03,060
think we are compliant, we are secure. But what role do compliance play in security?
530
00:47:03,060 --> 00:47:14,820
Yeah, that's a very good question, like, you know, so, from compliance perspective, like,
531
00:47:14,820 --> 00:47:25,740
you know, let's say, for example, from GDP PR perspective or UF perspective, let's say
532
00:47:25,740 --> 00:47:32,300
a company wants to do business with you. And another company wants to do business and whether
533
00:47:32,300 --> 00:47:38,700
they like, you know, whether they will check simply like, you know, whether you are following
534
00:47:38,700 --> 00:47:45,900
those type of compliance and whether you are from an audit perspective, also, if there
535
00:47:45,900 --> 00:47:53,700
is continuous co-ordinate process, which are established within your organization. And
536
00:47:53,700 --> 00:48:01,700
let's say, from, let's say, one example from cyber-resonance act, like, you know, nowadays,
537
00:48:01,700 --> 00:48:07,500
it is coming in force this year itself, like, you know, so even if you want to sell one
538
00:48:07,500 --> 00:48:13,740
of your product, be it in IoT or maybe kind of a digital product, you will have to comply
539
00:48:13,740 --> 00:48:23,380
because the responsibility will lie, will be on the company who is developing or manufacturing
540
00:48:23,380 --> 00:48:34,820
those products. So, suppose if you are not comply from the, from your, I would say, European
541
00:48:34,820 --> 00:48:41,780
perspective kind of a compliance, which are there, then your, you will not be authorized
542
00:48:41,780 --> 00:48:49,540
to sell or maybe deploy your product or services within the market itself. So, that is really
543
00:48:49,540 --> 00:48:55,540
critical, I would say, from compliance perspective. So, whatsoever, which we talked about those
544
00:48:55,540 --> 00:49:00,260
where, like, you know, internal to an organization, however, from compliance perspective, those
545
00:49:00,260 --> 00:49:07,140
are like, you know, from a customer safety perspective and product safety perspective.
546
00:49:07,140 --> 00:49:15,020
And of course, from the, even I would say, glue, and more on a wider security perspective
547
00:49:15,020 --> 00:49:21,340
because it does not happen that, like, you know, if your product is not secure enough, then
548
00:49:21,340 --> 00:49:31,180
one should, one, it could be really, I would say, harmful to also people who are using those
549
00:49:31,180 --> 00:49:38,340
products directly or indirectly. Yeah, so that is really critical, like, you know, from
550
00:49:38,340 --> 00:49:43,780
compliance perspective to implement those compliance seriously and properly within the
551
00:49:43,780 --> 00:49:54,300
organization. Yeah, and when we, let us run to an incident, responded. Okay. Can you walk
552
00:49:54,300 --> 00:50:03,740
through the first hour of discovering a ransomware attack? You mean how to container and somewhere
553
00:50:03,740 --> 00:50:17,700
attack from the first hour? Yeah. Okay. Yeah. So, I would say the practical framework would
554
00:50:17,700 --> 00:50:25,820
be, like, you know, detect, contain, investigate and with the approval, like, you know, communicate
555
00:50:25,820 --> 00:50:32,060
to your stakeholder, be it internal employees or other stakeholder, and then, of course, recover.
556
00:50:32,060 --> 00:50:38,580
So, for example, if you have a kind of a solid security architecture or, as I know, solid
557
00:50:38,580 --> 00:50:44,580
and they both robust security architecture within your organization. And of course, if your
558
00:50:44,580 --> 00:50:52,180
organization is monitored 24 by 7, then, like, you know, the SOC team will be able to detect and
559
00:50:52,180 --> 00:51:00,780
confirm whether the activity is likely or in somewhere or not. Okay. For example, maybe
560
00:51:00,780 --> 00:51:08,500
you'd be able to, I don't know, validate from defender or better the encryption is really
561
00:51:08,500 --> 00:51:15,980
occurring right now and so forth, like, you know, second would be, of course, if you have,
562
00:51:15,980 --> 00:51:25,380
like, you know, a system in place, contentment will be the highest priority. That means immediately
563
00:51:25,380 --> 00:51:36,380
isolate the infected system or endpoints from the network, identify and, of course, disable
564
00:51:36,380 --> 00:51:48,740
or suspend those compromise user users and block the IP addresses, malicious IP addresses
565
00:51:48,740 --> 00:51:54,780
and, of course, if you have got the segmentation done properly, you'll be able to, like, you
566
00:51:54,780 --> 00:52:01,780
know, stop the last radius and stop the lateral movement, like, you know, by segmenting the affected
567
00:52:01,780 --> 00:52:12,820
system. Next, I would say, start investing, getting, investigating means, like, you know,
568
00:52:12,820 --> 00:52:22,180
review the attack timeline in Sentinel. Yeah, yeah, this is one of the very good use case,
569
00:52:22,180 --> 00:52:27,140
very, like, you know, Microsoft security co-pilot will be able to help you tremendously because
570
00:52:27,140 --> 00:52:31,780
it will help you, like, you know, summarize the incident faster as you ask previously,
571
00:52:31,780 --> 00:52:38,860
like, you know, in how much time it will be able to provide you some useful data. So those
572
00:52:38,860 --> 00:52:44,420
minutes will be the golden kind of hours, like, you know, which will really help you if you
573
00:52:44,420 --> 00:52:51,500
have, of course, a security, a pilot, it will give you a kind of a map and the correlation
574
00:52:51,500 --> 00:52:58,220
between system which has been, like, you know, infected or touched. And, of course, it will
575
00:52:58,220 --> 00:53:06,060
also, you also need to identify the initial entry point, like, you know, how, and when
576
00:53:06,060 --> 00:53:18,620
the attack was occult. And the, I would say, the last minutes would be of the kind of,
577
00:53:18,620 --> 00:53:24,780
but within those hours would be the coordinate to end the skillet, to the task force, like,
578
00:53:24,780 --> 00:53:34,380
you know, maybe notify the executive leadership and the incident response team. You may also,
579
00:53:34,380 --> 00:53:41,340
like, you know, engage depending on the severity of the attack or the incident, like, you
580
00:53:41,340 --> 00:53:48,620
know, engage legal compliance communication team. And, for example, from you perspective,
581
00:53:48,620 --> 00:53:54,700
it's really critical to preserve forensic log, evidence and log, because, as you know,
582
00:53:54,700 --> 00:54:03,900
like, you know, you have a very strong forensic system in place from the government as well,
583
00:54:03,900 --> 00:54:13,020
from the U level as well, like, you know, for those kind of analysis. And, yeah, and, yeah,
584
00:54:13,020 --> 00:54:17,740
from the resilience perspective, one of the very critical point, in case if, like, you know,
585
00:54:17,740 --> 00:54:24,860
your really, your system is really affected, then you may, like, you know, activate the business
586
00:54:24,860 --> 00:54:31,660
continuity plan or the disaster recovery plan to, like, you know, keep business in continuous,
587
00:54:33,020 --> 00:54:42,620
that is, like, you know, one plan, many companies keep forgetting. So, business continuity management
588
00:54:42,620 --> 00:54:49,260
and BCP plan has to be there, because there is no zero risk, like, you know, that no one is going
589
00:54:49,260 --> 00:55:01,420
to be hacked one day or not. Yeah. Yeah. That's also, yeah, a lot of security companies have this,
590
00:55:02,300 --> 00:55:09,340
also, password, autonomous socks, they talk about, and then I ask them, okay,
591
00:55:09,340 --> 00:55:17,820
that we can put in the contract that you can pay the world damage when, when firms, they
592
00:55:17,820 --> 00:55:25,500
hadn't, also, I know. But did you think, yeah, could, could autonomous socks become a reality?
593
00:55:26,620 --> 00:55:37,180
You mean socks as a service or, yeah, from the AI perspective? Yeah, yeah, they say, they arrive,
594
00:55:37,180 --> 00:55:43,980
we have an AI tool that's completely do all the security stuff, it's autonomous, and, yeah,
595
00:55:43,980 --> 00:55:49,740
most, okay, then you can pay, I say, okay, then you can, you can put in the contract, you pay for
596
00:55:49,740 --> 00:55:55,740
the damage, and then they say, oh, no, no, no, no, we don't like this idea. I think you can be
597
00:55:55,740 --> 00:56:11,180
reality. I would say it's a bit ambiguous, Mirko, the question, whether, like, you know,
598
00:56:11,180 --> 00:56:19,580
let me just think, just give me one minute to think, like, you know,
599
00:56:22,540 --> 00:56:41,740
that's an interesting question. I think so, there is a possibility, Mirko, but it is
600
00:56:43,660 --> 00:56:51,980
too, as of today, fully autonomous replacement as a sock is, I would say, it is not yet,
601
00:56:51,980 --> 00:56:59,740
not yet, advised, but, or practical. AI can become the first line analysis,
602
00:56:59,740 --> 00:57:09,740
or it can become the first line analyst in a sock, over the human, the, remain responsible,
603
00:57:09,740 --> 00:57:16,140
like, you know, for the decision making and the final decision making, human in the loop, like,
604
00:57:16,140 --> 00:57:22,140
you know, that is always going to be even whatsoever, like, you know, evolution or technology,
605
00:57:22,140 --> 00:57:29,500
innovative technology, which we are going to be in a future, human has to be or must be,
606
00:57:29,500 --> 00:57:33,820
there as a human in the loop for taking the final decision, I would say.
607
00:57:35,660 --> 00:57:42,780
Yeah, okay, I have an every session I have a lightning or rapid fire route, I say,
608
00:57:42,780 --> 00:57:49,020
something and you give a quick, quick answer. Okay. Okay, past, more or past, what less?
609
00:57:49,020 --> 00:57:59,020
Passwordless. Microsoft Defender or third party tools? Defender. Hybrid or cloud first?
610
00:57:59,020 --> 00:58:03,980
Hybrid. AI assistant or human analyst?
611
00:58:05,260 --> 00:58:10,700
Oh, you said, yeah, yeah, assistant to human, right?
612
00:58:10,700 --> 00:58:17,820
I would say, wow, yeah, assistant with human in the loop.
613
00:58:17,820 --> 00:58:21,740
Okay, zero trust or network parameter?
614
00:58:21,740 --> 00:58:26,220
No, zero trust. Automation or manual investigation?
615
00:58:26,220 --> 00:58:30,380
Sorry, come again. Automation or manual investigation?
616
00:58:31,820 --> 00:58:35,180
Automation with responsible automation, I would say.
617
00:58:35,180 --> 00:58:39,020
Big security password.
618
00:58:39,020 --> 00:58:46,780
Big security? Bus word. Password? Yeah, password, so something like marketing speech.
619
00:58:46,780 --> 00:58:54,540
Okay, password, you mean password, like, you know, I 12345 and so forth. No, no, no,
620
00:58:54,540 --> 00:59:00,620
best, best words like like marketing speech, what are, you know, the biggest security?
621
00:59:00,620 --> 00:59:08,620
I would, the buzzword, okay, okay, I would say, wow,
622
00:59:08,620 --> 00:59:19,820
agent TKI nowadays is like, you know, one of the very buzzword, but from security perspective,
623
00:59:20,540 --> 00:59:26,540
we really need to take care of like, you know, how far we want to go ahead with agent TKI.
624
00:59:26,540 --> 00:59:31,660
And one Microsoft tool everyone should apply tomorrow in their environment.
625
00:59:31,660 --> 00:59:38,460
At least from this, today's topic and from the data from AI, go on as perspective,
626
00:59:38,460 --> 00:59:44,140
I would say go with Microsoft part of you. Okay, and what's the best drink during incident
627
00:59:44,140 --> 00:59:52,220
response? Sorry? What's the best drink during incident response? Lots of coffee, I would say.
628
00:59:52,220 --> 00:59:59,580
Yeah, then my closing question for today, if listener remember only one thing from today's
629
00:59:59,580 --> 01:00:09,500
talk, what should it be? Could you repeat the milk please? Yeah, if listener remember only one thing
630
01:00:09,500 --> 01:00:18,140
from today's talk, what should it be? Okay, AI governance has to be taken seriously,
631
01:00:18,140 --> 01:00:26,700
Mirko, because without, you know, governments, one may lose control of, like, you know,
632
01:00:26,700 --> 01:00:30,700
it is, we'll get just augmented and augmented to which in the organization. Yeah.
633
01:00:32,220 --> 01:00:41,180
Yeah, then, yeah, I say, people find all the information about you and links in the show notes
634
01:00:41,180 --> 01:00:48,540
on the MC 365. And podcast page. And yeah, thank you so much for joining me today.
635
01:00:48,540 --> 01:00:57,820
This conversation was really, really good. Yeah, and I think, yeah, we had so much topics, AI
636
01:00:57,820 --> 01:01:05,900
transformation, security, guidance, just, yeah, thank you so much for being here. And yeah,
637
01:01:05,900 --> 01:01:12,940
have a have a nice day. Bye. Yeah, bye for now, Mirko. Thank you so much. Thank you.















