A Bright Future for Forensic Analysis


I’m going to jump on board the Artificial Intelligence/Machine Learning (AI/ML) bandwagon in this blog and talk about why I’m excited about the prospects for applying it to the compliance and file integrity monitoring data that Tripwire has specialised in for many years.

An Analyst’s Ally

Many security teams struggle to make sense of all the signal data collected from their security tools. Tune monitoring down and you often throw away data that turns out to be critical in a forensic investigation; keep the volume up and the challenge becomes spotting the interesting outliers in it. Visualisations such as dashboards and powerful search get us part of the way, but analysis only gets harder as the volume of data grows.

Fortunately, AI-aided analysis appears to be getting very close. Microsoft’s recent efforts in this field offer what I feel is a fascinating glimpse of the future: AI co-pilots that help analysts interpret security indicators. Such tools seem poised not just to help us find interesting information, but to help us understand it better.

AI and File Integrity Monitoring

Where this becomes particularly exciting for me is seeing the potential to put this data to use in File Integrity Monitoring (FIM).

For example, with the help of machine learning, a system could be trained to recognise patterns of activity that indicate a potential security breach, or a change made outside your normal change workflow. It could learn which changes to system files and configurations are normal and expected, and which are out of the ordinary and warrant closer investigation. As it continues to learn from new data and adapt to new threats, it could become an increasingly powerful tool for identifying and responding to potential incidents before they have a chance to cause serious harm.

Our FIM solution, Tripwire Enterprise, is well placed to feed such systems: its integrations bring together threat sources and change management systems, alongside tried and tested change audit rules that provide deep forensic detail on every change.

An Experiment

I’ve personally been looking at how to leverage Tripwire Enterprise data with popular vector database systems, and I found the results eye-opening. Storing the data collected by Tripwire Enterprise in a vector database lets me query it directly by text similarity. Even where a record is novel, it is possible to find the data most “closely linked” to it. In some cases the links are obvious, such as the pattern of changes made by a particular application deployment; in others, the ability to spot outliers quickly and easily means we can query for data based on patterns we don’t yet know. Even in the obvious cases, the patterns help validate whether a change request affected only the expected application.
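As an added example (my own sketch, not Tripwire code and not the author's experiment), the following Python shows both ideas from the last two sections in one place: learning which file changes look normal and querying FIM records by text similarity. It assumes a made-up "ACTION path attr:value ..." record format with constructed sample records, a hashed character-trigram embedding standing in for a real embedding model, and a brute-force in-memory index standing in for a vector database, so it runs offline with no dependencies. Records whose nearest neighbour scores below a threshold are the ones nothing else in the corpus resembles, which is the "patterns we don't yet know" case.

```python
"""Vector-similarity search and nearest-neighbour outlier detection over
file integrity monitoring (FIM) change records.

Added example, not Tripwire code. The embedding is a hashed character-trigram
bag (an assumption standing in for a real embedding model) and the index is a
brute-force in-memory cosine search (standing in for a vector database). The
change records are constructed sample data in a made-up record format.
"""
import hashlib
import math

DIM = 4096  # hypothetical embedding width; large enough that trigram hash collisions are rare

# Constructed sample records: two package updates via dpkg, an application
# release via ansible, a hand edit of sshd_config, and a suspicious drop in /tmp.
CHANGES = [
    ("c1", "MODIFY /usr/lib/python3/dist-packages/requests/__init__.py pkg:python3-requests user:root process:dpkg"),
    ("c2", "MODIFY /usr/lib/python3/dist-packages/urllib3/__init__.py pkg:python3-urllib3 user:root process:dpkg"),
    ("c3", "ADD /opt/app/releases/2024.05.1/app.jar user:deploy process:ansible"),
    ("c4", "ADD /opt/app/releases/2024.05.2/app.jar user:deploy process:ansible"),
    ("c5", "MODIFY /opt/app/releases/2024.05.2/config/app.yaml user:deploy process:ansible"),
    ("c6", "MODIFY /etc/ssh/sshd_config user:root process:vim"),
    ("c7", "ADD /tmp/.x/kworker user:www-data process:curl"),
]


def trigrams(text):
    """Character trigrams of the lower-cased, space-padded text (repeats kept)."""
    padded = f" {text.lower()} "
    return [padded[i:i + 3] for i in range(len(padded) - 2)]


def embed(text):
    """Hash each trigram into one of DIM buckets and L2-normalise the counts."""
    vec = [0.0] * DIM
    for gram in trigrams(text):
        digest = hashlib.blake2b(gram.encode("utf-8"), digest_size=8).digest()
        vec[int.from_bytes(digest, "big") % DIM] += 1.0
    norm = math.sqrt(sum(v * v for v in vec)) or 1.0
    return [v / norm for v in vec]


def cosine(a, b):
    """Cosine similarity; the vectors are unit length, so this is a dot product."""
    return sum(x * y for x, y in zip(a, b))


class VectorStore:
    """Minimal in-memory vector index with brute-force nearest-neighbour search."""

    def __init__(self):
        self.ids, self.texts, self.vectors = [], [], []

    def add(self, rec_id, text):
        self.ids.append(rec_id)
        self.texts.append(text)
        self.vectors.append(embed(text))

    def query(self, text, k=3, exclude=None):
        """Top-k (similarity, id) pairs for a free-text query, optionally skipping one id."""
        q = embed(text)
        scored = [(cosine(q, v), rid) for rid, v in zip(self.ids, self.vectors) if rid != exclude]
        scored.sort(key=lambda pair: -pair[0])
        return scored[:k]

    def outliers(self, threshold=0.5):
        """Records whose nearest neighbour scores below threshold: nothing else
        in the corpus resembles them, so they deserve an analyst's attention."""
        flagged = []
        for rid, text in zip(self.ids, self.texts):
            hits = self.query(text, k=1, exclude=rid)
            nn_sim = hits[0][0] if hits else 0.0
            if nn_sim < threshold:
                flagged.append((rid, round(nn_sim, 3)))
        return flagged

    def shared_trigrams(self, rec_id, text):
        """Trigrams a query has in common with a stored record, to explain a match."""
        stored = self.texts[self.ids.index(rec_id)]
        return sorted(set(trigrams(text)) & set(trigrams(stored)))


def build_store():
    store = VectorStore()
    for rec_id, text in CHANGES:
        store.add(rec_id, text)
    return store


if __name__ == "__main__":
    store = build_store()
    # A new release: its nearest neighbours should be earlier releases of the same app.
    new_release = "ADD /opt/app/releases/2024.06.0/app.jar user:deploy process:ansible"
    for sim, rid in store.query(new_release, k=3):
        print(f"{sim:.2f} {rid} {dict(CHANGES)[rid]}")
    # Records unlike anything else in the corpus: the sshd edit and the /tmp drop.
    print("outliers:", store.outliers(0.5))
```

The threshold of 0.5 is tuned to this toy data; in practice it is a dial the analyst turns, and the shared_trigrams output is what lets them see why two changes were grouped rather than trusting the score blindly.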

Tripwire Enterprise already has powerful search functionality, such as the ability to pull back every monitored executable in my environment or to list every local user on every Windows host, which is incredibly useful to administrators. Adding a layer of intelligence on top that groups similar data has the potential to make that search significantly better.

Although such analysis is still largely limited to experimental use, these technologies are very close to becoming mainstream, and that leaves me hoping that experiments like my own are close to becoming part of future analysis toolchains.

Looking Backwards and Forward

Whilst it was many years ago now, I recall my studies of Artificial Intelligence at university and the exciting prospects that lay ahead. Twenty years later, it’s exciting to see not just those prospects becoming widely available, but also expanding into incredible new use cases.

Having spent many years in an industry where I previously considered AI’s impact to be limited, my excitement is even greater now. AI could supercharge those getting started in information security and the already-overloaded security analyst alike. That these are not just theoretical but practical, real-world changes that a single individual can explore is an added benefit.

Now that such tools are commonplace, testing what does and doesn’t work has become feasible, and the opportunity to innovate is far greater. Being able to explore new avenues of analysis today, getting even more familiar with the data I’ve spent years looking at, and being amazed at what we can now do with it is incredibly exciting. It is something we should all examine more closely going forward.
