Artificial intelligence (AI) and large language models (LLMs) continue to be among the most discussed topics in the tech industry, including among cybersecurity practitioners and vendors. Much of the discussion is on AI’s risks and how it can be leveraged by malicious actors. But there’s also a lot of talk about its promise, in particular about what AI and LLMs can do to help defenders outpace attackers.
One company demonstrating exactly how to best harness AI and LLMs in cybersecurity is NetRise. NetRise is a cloud-based provider of firmware security tools, focusing on often-overlooked aspects of the digital supply chain such as firmware, software powering hardware devices, and Internet of Things (IoT), all of which are pervasive and a cause for concern. Firmware is code that is embedded into hardware to allow it to function correctly. It’s an aspect of the supply chain security landscape that generally is taken for granted, despite being widely targeted by malicious actors.
Enter Trace
Recently, NetRise announced the release of Trace, an AI semantic search feature on the NetRise platform. Trace builds on already promising functionality that the NetRise platform brings to the market. This functionality provides context-rich vulnerability insights for firmware, software, and IoT devices to drive prioritization by integrating sources such as the Common Vulnerability Scoring System (CVSS), CISA Known Exploited Vulnerabilities (KEV), and Exploit Prediction Scoring System (EPSS).
One of Trace’s most innovative aspects is that it doesn’t rely solely on signatures or known vulnerabilities; it lets users identify risks based on the intent of malicious actors and surface previously unidentified flaws, vulnerabilities, and misconfigurations. It does this by leveraging natural language processing (NLP) to demonstrate the relationships between devices, files, and libraries that may be of interest to practitioners and defenders looking to mitigate the impact of the rising software supply chain threat.
It’s often quipped that defenders think in lists and attackers think in graphs. This is why it is refreshing to hear that NetRise’s Trace capability can create comprehensive graphs of impacted assets, showing users the interdependencies and relationships among them, something that is incredibly difficult to do from a list alone.
Through the use of natural language processing, Trace users can ask questions in a context that makes sense to humans and let the NetRise platform do the heavy lifting of presenting findings that are context rich and environmentally and organizationally aware, arming practitioners with specific, actionable information to drive down risk.
NetRise proudly boasts that Trace is “the first solution to integrate AI-driven semantic search, supply chain impact analysis, and vulnerability validation by utilizing large language model (LLM) capabilities”. As security vendors race to integrate AI into their platforms and products, and software supply chain attacks continue to rise and be among the most discussed risks in the industry, Trace is perfectly positioned to leverage this innovative emerging technology on this specific problem set.
Final Thoughts
The idea of practitioners manually combing through their organizational assets, data and vast inventory of open-source software packages and associated vulnerabilities is overwhelming, so leveraging AI for this use case can save tremendous time and resources while quickly identifying the most concerning organizational risks. It also lets the user ask intuitive questions in a natural language format, oriented around specific scenarios and risks rather than basic criteria such as vulnerability identifiers like Common Vulnerabilities and Exposures (CVEs).
While many vendors are going to continue to integrate AI, LLMs, and NLP into their platforms and products, with Trace, NetRise has quickly positioned itself as a leading supply chain security vendor capable of empowering users with the latest technologies and innovations. You can find out more from its announcement.