Cyber defense used to be written in codes, playbooks, policies. Now it is written or spoken in prompts. A sentence can now accelerate a threat. Configure a policy, configure policies, and even expose secrets. What an honor to be here at the Prompt Engineering 2025 conference. My name is Cynthia Kyo to a cybersecurity architect with years of experience in managing identity and assess management. As data security. Today I'm going to be discussing about how security co-pilot reinvent cyber defense using prompts from prompts to protection. Let's face reality with the. Evolving landscape. We have about 7,000 password attacks per second, not minutes. This is like having 7,000 doors open. Ling, while you are still thinking about how to close the last one. 83% of organizations, we have more than one breach in their lifetime. This is not a scare or a threat, and this is not a probability of if it's when and how often this breach is going to happen. 80% of executives are living in fair due to AI leaked risk Employees partners are now putting prompts, inputting sensitive information into ai. This is a big challenge and I like to call it the pressure cooker. We are currently facing the pressure that organizations are facing, the pressure as an enterprise that we are facing, and the pressure as security analysts and security defenders that we are facing present. It's becoming very overwhelming for defenders, for analysts. AI is moving at the speed of light, so also attackers are making use of ai. AI can now draft. Phishing male emails even better than humans, difficult to track. Analysts are drowned, are flooded with alerts, both false positive, both those that are critical with fatigue. Even the best team cannot manage the flood of alerts. Or manage or check security loopholes within the organization. The issue or the challenge is in that security professionals are not skilled or the threat landscape and attackers are now moving at the speed of light. It becomes difficult. Analysts to follow through. Because this era requires managing a lot and managing context, defenders need to operationalize ai Since attackers are now weaponizing artificial intelligence. I said earlier that those that the previous slide shows the pressure organizations are facing, this is showing the current pain point of security professionals facing this. It requires analysts to be able to manage the security landscape at scale and also at machine speed. To be able to combat the speed in which attackers are exploiting loopholes in our organization with the use of artificial intelligence. Since ai, the same force that can be used to weaponize, our organization can also be used to amplify our organization. To manage our security posture. As a Microsoft certified Information Security administrator, I make use of Microsoft security copilot, and I taught it to share, use it as a case study to see how AI can become our teammate and a force multiplier with artificial intelligence. Prompts can now be turned to policies, some risk to strategies, and even recommendation and response to resolution. Imagine the frustration that analysts are facing with the landscape changing. Attackers becoming so fast. Leveraging artificial intelligence to exploit our organization, it now becomes very important and critical for security analysts, security professionals, to leverage the use of artificial intelligence as a force multiplier in our organization. Instead of checking or searching for alerts manually. With the use of artificial intelligence and leveraging prompts, a security analyst can decide to type in natural language to assess the security posterior office organization, or the environment like asking what, who are the most suspicious or high risk users in the organization. This now becomes a way to manage gaps. This is not automation. I call it argumentation. Helping security professionals to leverage artificial intelligence in order to be able to manage our landscape at machine speed and at scale, leveraging the use of intelligence in a smarter way because attackers. Weaponizing using artificial intelligence and defenders, we need to operationalize as well using artificial intelligence. This requires us to be able to understand context, to be proactive and to utilize intelligence market. With Microsoft Security copilot, you can integrate it across your endpoint from Defender Purview, Microsoft into a lot more to assess your identity and assess management, to assess your data posture, to assess weak points and vulnerability within your ecosystem. Then. One of the silent, I call it the silent and most dangerous drifts. All loopholes that organizations have is conditional assets drifts. Imagine you are in a large enterprise, users are onboarded. They change rules and sometimes even exit the organizations users in the course of changing rules are acquiring different rights, admin rights. What about application drift in your organization where you have applications deployed into the organization and they are not covered with conditional access policies All. We have redundant policies, duplicate policies, all these are quiet ways in which attackers can leverage these loopholes to assess our organization. When users are not covered with proper policies like multi default authentication, attackers can easily compromise those. The identity of those users to assess our environment. What's about having different policies that are obsolete, duplicate policies, conflicting policies. It becomes very difficult and messy to manage. And as a security analyst and professional, I can tell you that it. It is also very difficult for the human eye to detect such loopholes, and that is why Conditional Access Optimization agents basically manages these drifts. User drifts, application drifts and manages policies to ensure that these policies are consolidated. And all this do not create loopholes and vulnerability. Within our organization, it creates that awareness, that context, to understand the ecosystem, to see gaps immediately and respond to it before it becomes a breach or an access point for attackers to leverage now. Let's go straight to the demo to see how conditional access optimization agent works. Right now I'm going to show basically. The use of conditional access optimization agent. I'm in the Microsoft intra tenant, and here you can see users at high risk. In my tenant, I have 54 user detection with high risk level. So now I'm going to go straight to agents. I click on this, go to agents. It takes me straight to the conditional access optimization agent where I can check for user drift to see users that are not covered by conditional access policies, like multi authentication to see applications deployed in the organization that are not covered with this proper policies and even check for policy Mer. So here. With conditional access optimization, it shows me the performance highlights. Right here I can see I have one 20 unprotected users discovered. This is AI. At work, I can also see activities that have been carrying out by the agent. Extent of the where you see a security analyst drowned with a lot, drowned with managing floods of configuration and policy with the agent on guard 24 hours. The security analyst can also take a break as well. So here I can view the activities of the agents. So basically this shows me the activity of the agents. From seeing what it did from the conditional access optimization engine, seeing the policy user drift, you can see it scanned users within the last 24 hours. You can see these activities, so let's go straight into subjections. That is where I like to show more. These suggestions basically scans your environment. And tells you where there are gaps, and also give you recommendations on how you can apply policies to cover these gaps. So now I have here there's a recommendation or a subjection saying how two users to existing policy require MFA for financial apps. For high, medium, and low risk signing user. So there is a financial application used in the organization and before users should assess that application. The condition access optimization is suggesting that two users currently have not been added to those PO to that policy. So that is a gap. So with this, I can now apply the subjection. So it basically even gives me an explanation that the policy requires users to complete multi-part authentication. All I have to do is to click this and apply the subjection, and it shows that the subjection has been applied. So now those two users are now covered by multi authentication while assessing. This financial application, so basically conditional assets optimization, it covers across user drifts, your application drifts, and even consolidates policies. That is the beauty of AI when used in cyber defense. Next I want to talk about is going straight to our data. Now that we've seen how to manage identity and assess management, managing gaps within our loop organization, from application drift to policy drift, and to policy. Loopholes to even user drift data move across like our organization from your SharePoint to your teams, to your Outlook data move across, and that is where Microsoft purview and the security copilot comes into play. Basically managing the data governance and data security. Of our organization leveraging data loss prevention to ensure that there is no expiration or data oversharing of sensitive information so that executive wound fear AI leakage risk, or managing insider risk across ano loss activities of users checking for intentional or unintentional. Activities carried out by users and tracking it in real time with security. Copilot prompts can then be leverage to even assess users that are not covered by data loss prevention policies or assess the sequence of activities that users have carried out or a nice insider has done. In seconds, you can see what they've done. Either they downloaded documents. If they send sensitive documents to their personal emails. So that is the beauty of where we use data governance, leveraging artificial intelligence and making it conversational in real time. Let's look at the demo of how this is done. Now I'm taking you to the Microsoft Power View. I'm going to click on Solutions, and here you can see copilot is right here for us. I'll click on Solutions right away and click on data loss prevention. So basically data loss prevention is checking for. Data exposure to see information that has sent out of your organization or even within your organization. Sensitive information gives you that real time, a lot for you to check it, and you can also create policies when you notice these gaps in your organization. First, I'll click on policies. Now with copilot, all I have to do, I can get insight on the existing policies I have deployed in my organization. I don't have to go around searching around. All I have to do is just click this, get insight on policies. I'm going to click get insight on policies in my organization. I've done that and I can leverage either getting insight. Based on location, based on the classification of data. So if I want to get insights on my location, lemme check by endpoint, for example, I click this and it generates this for me. It says, it gives me information around the policies. So what I can say here is. Your policies are looking for data in location, in the location of endpoint devices with a total of 16 policies applied to the location. So I already know the number of policies applied to that location. It shows me the type of information from financial data, privacy and person. So I have details of the classification and all. I can also go ahead and get insight based on another location, maybe exchange teams and all that. Then let me click on alerts here is easy, so easily get information on alerts. For example, if our policy has triggered something, it can, I can easily get that information here. So I click on this and let's check this first one. DSE policy. DLP Policy match for a document, POS lever, I click this. So this is a document. Apparently a user was trying to, or an employee was trying to download this document on a device. And is a sensitive document, the POS lever document. So all I have to do is to come in here, go straight down and summarize the alert. So all I click this, summarize. Summarize a lot or summarize user activity. So I want to see a summary of the alert. It's already telling me that this is a high severity DLP alert, and the next thing I can also do is give me details of the policy as well. Data match for the document. So with prompts, you can easily get this information within me seconds. So something that will take us as you get it within seconds. I can summarize user activity. So see what the user has been up to. So here. This shows that this a, this like a insider risk. The user is found to be involved in inspiration activities on that. On the same day, the user sent emails with attachment outside the organization. The user uploaded files to cloud storage, which included files that were sensitive. So it gives me the sequence of activities. Collection of unusual volume of sensitive files. They also engaged in deleting files. So it was a sequence of activity of where the user uploaded information, sensitive information into the cloud, sent that attachment outside the organization and then went ahead to delete those documents. So this is more oh, maybe I disgruntled the employee who is exiting the organization. And is not happy. So with this prompt it has been, I was able to get this information in real time just using words. So security co-pilots and prompts are changing the way in which we manage our security landscape, making it easier for security professionals. Security analysts to move faster and at the pace in which attackers are exploiting our ecosystem. Just like I have talked about prompts, prompt is also like a new perimeter. Now, we also need to safeguard this prompts and audit every activities or prompts. Done by security analysts to ensure that it is not compromised, ensuring that there is auditability of every process and treating security copilot as a privileged assess surface because security copilot is now is our teammates. So we need to track every activities and ensure it is covered with the proper policies. As well. There should be need with critical pilots. Visibility and speed must co exist. There should not be in isolation so that while we are leveraging prompts to combat security challenges and work at the speed of light, we can also ensure that our security copilot is protected as well. AI isn't here to replace us. It is here to reveal where we must evolve because attackers already speak AI fluently. It's time for defenders security professionals to also do from prompts to protection, from noise to insight, from reaction to resilience. If we can't out cold attackers, we should outthink them. And the new language is our words. Leveraging prompts to combat security challenges to combat the trade landscape, leveraging prompts. As our weapons defenders don't fail from lack of skill. They fail from lack of skill, lack of context, because they can't manage the speed in which these floods and alerts are coming in. So encourage everyone to leverage the user's prompts in mitigating security. In managing our security posture as it'll save us a lot of time and ensure that we become proactive rather than reactive. Thank you very much. Feel free to connect with me on LinkedIn, and it's been a great pleasure to be part of the Prompt Engineering 2025 conference by.