Microsoft 365 Defender is now AI-powered
Since its inception, Microsoft Defender Antivirus (formerly Windows Defender) was considered something of a joke by power users, who would assert that it gave you the protection of an umbrella in a hurricane. While its deficiencies were often exaggerated, it did not offer the same depth and scope as high-quality third-party solutions.
When Bitdefender retired its free antivirus solution in 2021 (only to release a new free antivirus in 2022), many users turned back to Microsoft Defender. After all, Microsoft should know best how to secure its own software. It is surprising that it took the company so long to expand the coverage of its Microsoft Defender line, especially with the largest share of its revenue coming from intelligent cloud computing.
Microsoft 365 Defender is its enterprise-level security solution. Microsoft has recently revealed its AI-powered features.
What is Microsoft 365 Defender?
Windows Defender and Microsoft Defender may have left a bad taste in many mouths, so it is worth distinguishing Microsoft 365 Defender from the rest of Microsoft's security products.
Microsoft 365 Defender is a centralized extended detection and response (XDR) solution designed to secure on-premises and cloud-based environments, which means it provides both pre- and post-breach security features. At the time of writing, it consisted of the following components:
- Microsoft Defender for Identity
- Exchange Online Protection
- Microsoft Defender for Office 365
- Microsoft Defender for Endpoint
- Microsoft Defender for Cloud Apps
- Azure AD Identity Protection
Microsoft is one of the key players driving machine learning and AI-based technologies, so it is expected to leverage its developments in AI to improve past, current and future products.
Microsoft's Involvement in AI
Cortana is one of the most obvious examples of Microsoft's use of AI. In its early days, its capabilities were quite rudimentary. Today, Cortana features more complex natural language processing and uses the Bing search engine. It has been included in Microsoft 365, Scheduler, Windows 10 and Windows 11.
However, as of 2020, Microsoft seemed to be moving away from Cortana and changing its strategy for AI. Cortana was removed from the Xbox dashboard and the mobile app was removed from iOS and Android in 2021.
Although Cortana still exists in Windows 11, it receives less emphasis. Microsoft's recent layoff of its AI ethics and society team is likewise not an indication that the company is abandoning AI. Quite the contrary.
It may be that the AI ethics and society team was more of a hindrance than a help. Pouring resources into lost causes such as Cortana was not helping things advance either.
Microsoft has long held plans to add more AI integrations into Windows 11 and it is also working with third-party developers such as OpenAI to deliver features for its Bing Chat and Edge products.
Microsoft announced Security Copilot just two weeks after the release of ChatGPT-4. This is significant. The new feature uses AI based on ChatGPT-4 and blends it with Microsoft’s own set of security models.
Generative AI is seldom used in cybersecurity. Regardless, most (if not all) AI works by collecting and sifting through mountains of data, organizing it and, when prompted, presenting it in a form humans can understand.
This can work for threat detection and neutralization too. AI can respond to alerts faster than human operators can, and its rapid data gathering allows it to formulate more effective plans of action. This also makes it well suited to training and upskilling novice security professionals.
These are some of the features Microsoft offers with Security Copilot. However, this is not the only area in which Microsoft has plans for its generative AI system. On 16 March 2023, Microsoft announced 365 Copilot, an AI productivity and writing assistant that works on the same basic principles as Security Copilot.
While these tools are exciting, at the time of writing they were still in preview and not yet generally available. Nonetheless, they were worth demoing.
Despite cutting its AI ethics department, Microsoft is adamant that it is focused on delivering responsible and safe AI. In fact, the company claims that its ultimate goal is to democratize AI so that it is available to everyone. It is not certain whether Security Copilot will be packaged with Microsoft 365 Defender. However, there are definite developments worth looking forward to.
AI Used in Microsoft 365 Defender
It may not be well known, but AI has always been used in Microsoft 365 Defender, most notably in features such as Automated Self-Healing, which mimics the steps a human operator would take to investigate and remediate a breach.
During its 2022 Ignite conference, Microsoft announced that it would be adding more AI-driven features to Microsoft 365 Defender, mainly highlighting its Automatic Attack Disruption feature. Microsoft 365 Defender would no longer act only before and after breaches, but during them too.
It works much like a laser-beam security system. It forms a perimeter of inspection around hundreds of security data points such as user accounts, endpoints and so on. Once it detects a breach, it isolates the compromised entity so that the attack cannot spread. Ultimately, this stops the attack from moving horizontally or vertically through the environment.
New AI features in Attack Disruption
These new AI-powered tools have been engineered to provide quicker active threat mitigation. It has long been known that cybercriminals incorporate artificial intelligence to launch sophisticated attacks against organizations; it allows them to release multiple simultaneous phishing campaigns and automatically probe endpoints. The only way for companies and developers to stay ahead of these attacks is through more powerful artificial intelligence of their own.
It’s not hard to see why Microsoft is so invested in researching and developing security software that runs on artificial intelligence. In 2023, it revealed that it would be expanding its attack disruption capabilities by adding features that interfere with business email compromises (BEC) and human-operated ransomware (humanOR).
How the New Features Work
BEC attacks occur when a bad actor tries to extract sensitive data or money from a company by impersonating a high-level staff member or business partner. Such attacks can be hard for most human operators to detect.
The Attack Disruption AI can scan multiple endpoints and quickly find red flags, such as an email message sent from a suspicious location. Once it detects a threat, it can isolate the compromised account and put a stop to all transactions from it.
Often, bad actors launch multi-staged attacks that consist of different penetration methods. For instance, they may launch a BEC attack to try to extract sensitive company data such as passwords and account details. They can then use these details to launch ransomware attacks where they encrypt your company’s data or infrastructure, essentially holding it hostage until you pay these cybercriminals a fee.
The best way to thwart these system compromises is to prevent them from spreading. As soon as the Attack Disruption AI is alerted to any indication that your system has been penetrated by a humanOR, it isolates the threat and locks it off from the rest of your system.
Ultimately, AI is faster, more efficient and more accurate than human operators, and it can only get better over time. Microsoft 365 Defender's Automatic Attack Disruption does not completely take control away from you: it is configurable, and it refrains from holding or impairing network-critical assets.
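To make the detect-then-contain loop described above concrete, here is an added illustration that is not Microsoft's code and does not reflect how Attack Disruption actually scores signals. It assumes a constructed stream of sign-in, mailbox-rule and payment-request events (the kind of BEC red flags mentioned above), a simple additive score per user, a containment threshold, and a protected list of accounts that are only alerted on rather than contained, mirroring the "configurable, does not impair network-critical assets" behaviour. The user names, thresholds and scoring weights are all assumptions.

```python
"""
Toy attack-disruption loop: correlate per-user signals, contain the account
once evidence crosses a threshold, never auto-contain protected assets.
Added example; not Microsoft 365 Defender's logic.
"""
from dataclasses import dataclass, field

# Constructed sample telemetry (not real data). Each event is something an
# XDR could observe: a sign-in with a geo, a mailbox rule change, or an
# outbound payment request raised from the user's mailbox.
EVENTS = [
    {"type": "signin", "user": "cfo@example.test", "country": "US"},
    {"type": "signin", "user": "cfo@example.test", "country": "US"},
    {"type": "signin", "user": "cfo@example.test", "country": "NG"},
    {"type": "inbox_rule", "user": "cfo@example.test", "action": "forward_external"},
    {"type": "payment_request", "user": "cfo@example.test", "new_payee": True, "amount": 48000},
    {"type": "signin", "user": "svc-backup@example.test", "country": "US"},
    {"type": "signin", "user": "svc-backup@example.test", "country": "NG"},
    {"type": "inbox_rule", "user": "svc-backup@example.test", "action": "forward_external"},
    {"type": "payment_request", "user": "svc-backup@example.test", "new_payee": True, "amount": 20000},
    {"type": "signin", "user": "alice@example.test", "country": "US"},
    {"type": "payment_request", "user": "alice@example.test", "new_payee": False, "amount": 500},
]

# Assumed policy: accounts whose containment would break critical operations
# are alerted on, never auto-contained. Threshold is an assumption too.
PROTECTED = {"svc-backup@example.test"}
CONTAIN_THRESHOLD = 3
LARGE_AMOUNT = 10000


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)
    action: str = "none"  # none | alert | contain


def evaluate(events, protected=PROTECTED, threshold=CONTAIN_THRESHOLD):
    """Stream events in order, scoring red flags per user.

    The first sign-in country seen for a user becomes their baseline; later
    sign-ins from a country not yet seen count as a red flag.
    """
    seen_countries = {}
    verdicts = {}
    for e in events:
        user = e["user"]
        v = verdicts.setdefault(user, Verdict())
        if e["type"] == "signin":
            known = seen_countries.setdefault(user, set())
            if known and e["country"] not in known:
                v.score += 1
                v.reasons.append(f"sign-in from unseen country {e['country']}")
            known.add(e["country"])
        elif e["type"] == "inbox_rule" and e["action"] == "forward_external":
            v.score += 1
            v.reasons.append("new rule forwarding mail externally")
        elif e["type"] == "payment_request" and e["new_payee"]:
            v.score += 1
            v.reasons.append("payment request to a never-seen payee")
            if e["amount"] >= LARGE_AMOUNT:
                v.score += 1
                v.reasons.append(f"large amount {e['amount']}")
    # Decide the response once all evidence for each user is in.
    for user, v in verdicts.items():
        if v.score >= threshold:
            v.action = "alert" if user in protected else "contain"
    return verdicts


def response_actions(user, verdict):
    """Translate a verdict into the containment steps an operator would take."""
    if verdict.action == "contain":
        return [f"disable sign-in for {user}",
                f"revoke active sessions for {user}",
                f"hold outbound payments from {user}"]
    if verdict.action == "alert":
        return [f"page on-call: {user} is protected, manual review required"]
    return []


if __name__ == "__main__":
    for user, v in evaluate(EVENTS).items():
        print(user, v.score, v.action, v.reasons)
        for step in response_actions(user, v):
            print("  ->", step)
```

The point of the protected list is the trade-off the article describes: automated containment is only safe when the engine knows which assets it must not take offline, so the operator keeps that list and the threshold under their own control.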
The potential of widespread AI is a scary prospect for many people. However, AI has already integrated itself into our lives in subtle ways, and solutions such as ChatGPT have shown how AI can help us beyond novelty uses. Microsoft embracing democratized artificial intelligence can only have a net positive effect, and 365 Defender's Automatic Attack Disruption is proof of this.
Lee Li is a project manager and B2B copywriter with a decade of experience in the Chinese fintech startup space as a PM for TaoBao, Meituan, and DouYin (now TikTok).