Business leaders can’t escape the AI ban-or-enable conversation. Artificial intelligence tooling, apps, and chat bots offer a research assistant, text generator, graphic designer, and data analyst all in one—bolted on to every digital tool your business already leverages.
But what does thoughtful design and implementation look like? What are the implications of allowing AI access to internal data libraries?
AI implementation needs policies and procedures attuned to your organization’s business model, industry, and data infrastructure. We believe Microsoft’s tool stack makes data governance and security far easier than stitching together point solutions.
Security Copilot is Microsoft’s generative AI complement to its unified security platform. Instead of adopting any open source or product add-on AI tools, Copilot maximizes the power of Microsoft’s security platform. We recommend enrolling all devices through Intune to enforce digital compliance controls and company-wide patching, monitoring devices through Microsoft’s Defender for Endpoint, and triaging alerts + configuring detections through Sentinel.
Device enrollment: Microsoft Intune
An important part of thoughtful AI implementation is security governance and compliance. Accelerating business operations can also lead to bigger mistakes. Depending on the industry, Intune implementation should follow GRC (governance, regulation, and compliance) controls like NIST frameworks, SOC 2 audit guidelines, and digital and operational architecture standards from TSA, SCADA, and others.
Microsoft Intune enrolls and manages personal and corporate Windows, macOS, iOS, iPad, and Android devices across a business’ cloud landscape. When Intune is aligned to an organization’s leadership and department structure, it can control configuration management, compliance state, application deployments, software updates, and more from one central system. As a precursor to AI implementation, Intune allows security administrators to manage and update devices to adhere with standards and configurations.
Monitoring and alerting: Microsoft Defender for Endpoint
Where Intune enhances device management and controls, Microsoft Defender for Endpoint allows administrators the visibility they need to help detect and remediate active threats accessing a business’ digital real estate. Defender for Endpoint discovers devices on a network beyond the designated enrollment time, alerting security to new computers, cell phones, and smart devices trying to gain access. It also provides the security operations center (SOC) simple steps to remediate devices not allowed on the network. Within the dashboard view of Defender for Endpoint, security teams can query endpoint alerts and perform threat hunts.
Beyond physical devices, Defender for Endpoint restricts apps or app activities in line with an organization’s governance and compliance directions outlined by Defender for Cloud Apps. It’s the dashboard for a unified SecOps tool that equips security teams to understand and lower threat exposure.
Triaging alerts + configuring detections: Microsoft Sentinel
Sentinel is Microsoft’s security event and incident management (SIEM) solution. Within Microsoft’s cloud platform, Azure, Sentinel ingests and responds to monitoring and alerting queries. Azure houses log analytic workspaces, gathering data from a multitude of sources, including Microsoft Intune and Microsoft Defender. SOC teams leverage Sentinel to automate and respond to security incidents, tracing patterns from the data Defender for Endpoint and other tools within Microsoft’s XDR solution send.
Security teams implementing Sentinel must decide whether to use an existing log analytic workspace or to deploy a new one. Optimizing for cost, usability, regulatory requirements, and data boundaries affect deployment.
Depending on the regulatory requirements governing Azure geography, security teams may need to stand up multiple Azure workspaces. Certain countries bar data transfer across borders (even digital ones). If an organization hosts multiple tenants, multiple workspaces may be necessary.
Data boundaries, or differences in access permissions within Sentinel, should also be considered. If administrators need to see how the system is performing and the security team also needs data visibility, including data the admins aren’t allowed to see, configure a data boundary within Sentinel.
The last step in Sentinel deployment is data normalization and ingestion. As questions like What data should we ingest? What data is already in the log analytic workspace? and How should we ingest that data? Copilot already supports detection creation (called analytic rules in Sentinel) and threat hunting. We predict Copilot will eventually support ingestion-time data normalization and query-time normalization.
Post-configuration, Sentinel serves as the monitoring hub for tracing data, cloud, and app access across the organization. It’s critical for your organizations’ security team to know what data enters and exists Copilot, something Intune, Microsoft Defender for Endpoints, and Sentinel provide.
Prepare for Copilot
Before implementing Copilot, businesses need a complete picture of their threat exposure. Deploying Intune, Microsoft Defender for Endpoints, and Sentinel start the process by providing SecOps monitoring and alerting. Understanding cybersecurity risk should inform AI implementation. Ascent’s AI Readiness offer equips attendees with the considerations necessary to safely integrate AI into their business. Reach out to info@meetascent.com for more information.
