Monthly Archives: March 2024

Microsoft Copilot for Security Pricing

Microsoft Secure 2024 was a digital two-hour event held on 3/13/2024. If you missed the event, you can watch the recording on demand (here).

The big news was that Microsoft Copilot for Security will be released for general availability on April 1st 2024. The announcement for GA is located (here).

Pricing was announced in a separate Tech Community post (here).

“Copilot for Security capacity is anticipated to be billed monthly via a new Security Compute Unit (SCU) at the rate of $4/hr.”

Interested customers are encouraged to reach out to their Microsoft sales executive for more information.

It is no surprise that artificial intelligence can help security analysts work faster and more efficiently. Microsoft released the results of an economic study that confirmed these expectations. This new study focused on experienced security professionals and expands the randomized controlled trial published last November, which focused on new-in-career security professionals. Both studies measured the effect on productivity when analysts performed security tasks using Copilot for Security, compared to a control group that did not.

  • Experienced security analysts were 22% faster with Copilot.
  • New analysts were 34% more accurate at script analysis with Copilot.
  • They were 7% more accurate across all tasks when using Copilot.
  • And, most notably, 97% said they want to use Copilot the next time they do the same task.

The four security tasks Copilot for Security will support at general availability are:

Incident Summarization

Gain context for incidents and improve communication across your organization by leveraging generative AI to swiftly distill complex security alerts into concise, actionable summaries, which then enables quicker response times and streamlined decision-making.

Impact Analysis

Utilize AI-driven analytics to assess the potential impact of security incidents, offering insights into affected systems and data to prioritize response efforts effectively.

Reverse Engineering of Scripts

Eliminate the need to manually reverse engineer malware and enable every analyst to understand the actions executed by attackers. Analyze complex command line scripts and translate them into natural language with clear explanations of actions. Efficiently extract and link indicators found in the script to their respective entities in your environment.

Guided Response

Receive actionable step-by-step guidance for incident response, including directions for triage, investigation, containment, and remediation. Relevant deep links to recommended actions allow for quicker response.

Reference Tech Community Blog (here).

Learn More

Microsoft Copilot for Security

Solutions that include Copilot

Error: "You don’t have access to this" could be from Device Code CA Policy

I consider myself an early adopter of most Microsoft security controls, not just to protect our own organization, but with the goal to help the community understand the potential benefits and impacts of various configuration options.

After I enabled the new Entra Conditional Access “Authentication Flows” block policy, my mobile phone could no longer sign into the Outlook for iOS or Teams mobile applications.

The error message I received was “You don’t have access to this. Your sign-in was successful but does not meet the criteria to access this resource. For example, you might be signing in from a browser, app, location, or an authentication flow that is restricted by your admin.”

That's when I knew that the change I had rolled out about 6 hours earlier was probably the culprit. I immediately reported the findings to Microsoft and began working with the product group to identify the root cause. Essentially, the behavior is expected if the mobile apps were originally registered using one of the blocked flows.

Device code flow is needed to sign in on devices that lack local input, for example meeting room devices, and in shared-device scenarios. But in some cases mobile phones also use this flow, for example when registering an app like Microsoft Authenticator for passwordless sign-in.

My recommendation is to enable this policy in report-only mode first, or at least review past sign-ins to see whether these flows are already in use in your environment.

In the Entra sign-in logs you can now filter on authentication flows to see which users are signing in with these flows.


The quick fix is to exclude the users who are affected; in my organization it was just one user. If you want to be more granular, exempt only the specific device IDs from the DCF CA policy and create a second, standalone "require compliant device" policy scoped to those same device IDs (assuming they are corporate-owned devices). Whenever a "require compliant device" policy applies, DCF is blocked anyway, because Microsoft cannot verify the registration state of the device as part of the device code flow. A managed device therefore passes the compliant-device requirement on its normal sign-ins, but any further DCF attempts from that specific device are blocked.

For unmanaged BYOD devices this option normally does not exist, since "require compliant device" requires full MDM enrollment, and most organizations with a BYOD policy cannot or do not want to fully manage a personal device.
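The triage described above (review past sign-ins for device code flow, build the exclusion list, then roll the block out in report-only mode) can be scripted. The following is an added example, not code from the original post. It assumes sign-in records shaped like Microsoft Graph `signIn` objects (for instance exported from `GET /auditLogs/signIns`), whose `authenticationProtocol` property is `deviceCode` for device code flow sign-ins, and it emits a policy body shaped like the Graph `conditionalAccessPolicy` resource with the `authenticationFlows` condition. The sign-in records, user IDs and device IDs in it are constructed sample data.

```python
"""Triage Entra sign-in logs for device code flow (DCF) use and draft a
report-only Conditional Access policy that blocks the flow.

Added example, not code from the original post. Records are assumed to be
shaped like Microsoft Graph `signIn` objects; SAMPLE_SIGNINS is constructed
sample data with made-up user and device IDs.
"""
from collections import Counter
import json

# Constructed sample: four sign-ins, two of them via device code flow.
SAMPLE_SIGNINS = [
    {
        "userId": "00000000-0000-0000-0000-000000000001",
        "userPrincipalName": "alice@contoso.example",
        "appDisplayName": "Microsoft Authenticator",
        "authenticationProtocol": "deviceCode",
        "deviceDetail": {"deviceId": "aaaaaaaa-1111-2222-3333-444444444444", "isCompliant": True},
    },
    {
        "userId": "00000000-0000-0000-0000-000000000001",
        "userPrincipalName": "alice@contoso.example",
        "appDisplayName": "Microsoft Teams",
        "authenticationProtocol": "oAuth2",
        "deviceDetail": {"deviceId": "aaaaaaaa-1111-2222-3333-444444444444", "isCompliant": True},
    },
    {
        "userId": "00000000-0000-0000-0000-000000000002",
        "userPrincipalName": "room-device@contoso.example",
        "appDisplayName": "Microsoft Teams Rooms",
        "authenticationProtocol": "deviceCode",
        "deviceDetail": {"deviceId": "", "isCompliant": False},
    },
    {
        "userId": "00000000-0000-0000-0000-000000000003",
        "userPrincipalName": "bob@contoso.example",
        "appDisplayName": "Outlook Mobile",
        "authenticationProtocol": "oAuth2",
        "deviceDetail": {"deviceId": "bbbbbbbb-5555-6666-7777-888888888888", "isCompliant": False},
    },
]


def device_code_signins(signins):
    """Return only the sign-ins that used the device code flow."""
    return [s for s in signins if s.get("authenticationProtocol") == "deviceCode"]


def summarize_dcf(signins):
    """Count DCF sign-ins per user, per application and per device ID.

    An empty device ID means the sign-in carried no registered device
    (typical for shared or meeting-room devices); such cases cannot be
    handled with a device filter and need a user-level exclusion.
    """
    dcf = device_code_signins(signins)
    return {
        "users": dict(Counter(s["userPrincipalName"] for s in dcf)),
        "apps": dict(Counter(s["appDisplayName"] for s in dcf)),
        "device_ids": dict(Counter(s.get("deviceDetail", {}).get("deviceId", "") for s in dcf)),
        "user_ids": sorted({s["userId"] for s in dcf}),
    }


def build_dcf_block_policy(exclude_user_ids, report_only=True):
    """Build a Conditional Access policy body that blocks device code flow.

    Shape follows the Graph conditionalAccessPolicy resource: all users and
    all cloud apps in scope, the triaged users excluded, the
    authenticationFlows condition set to "deviceCodeFlow", and report-only
    state by default so the impact can be measured before enforcing.
    """
    state = "enabledForReportingButNotEnforced" if report_only else "enabled"
    return {
        "displayName": "CA - Block device code flow",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": sorted(exclude_user_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    summary = summarize_dcf(SAMPLE_SIGNINS)
    print(json.dumps(summary, indent=2))
    print(json.dumps(build_dcf_block_policy(summary["user_ids"]), indent=2))
```

Feed the script the JSON you export from the sign-in logs instead of SAMPLE_SIGNINS, check the per-app and per-device breakdown (the meeting-room account with no device ID is the kind of entry that needs a user exclusion rather than a device filter), and only flip report_only to False once the report-only results show no unexpected DCF sign-ins.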

Merill Fernando (@Merill) posted a helpful diagram on his X account explaining why blocking device code flow is important.


References:

Microsoft Learn, Conditional Access: Authentication flows: https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-authentication-flows

Dirk-jan Mollema (@dirkjan): https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/

Fabian Bader (@fabian_bader): https://cloudbrothers.info/en/protect-users-device-code-flow-abuse/