Alert fatigue has been plaguing the cybersecurity industry for years.
We spoke with Andrew Morris, Founder and CEO of GreyNoise Intelligence, one of the companies looking to eliminate the internet background noise and alert fatigue for security pros. The company just announced a new strategic partnership with the Defense Innovation Unit (DIU) to optimize the Department of Defense’s (DoD) investigations. Through this agreement, GreyNoise delivers insight to help the DoD identify and understand internet-wide scan and attack activity.
In this Q&A with Andrew, we sat down to discuss why alert fatigue continues to be a problem for the industry, what advancements have been made in finding a solution, and what this new partnership means for GreyNoise and its future.
Alert fatigue has been on the list of top cybersecurity challenges for some time. Why is it such a problem?
Cybersecurity teams are slammed today, and alerts are a huge part of the problem. Too many security tools simply produce large quantities of data to be analyzed, without contextualizing potential threats, and false positive rates up to 50% are the norm. This puts a huge burden on analysts tasked with researching or investigating every alert generated.
MSSPs are experiencing higher rates of false positive alerts, receiving them 53% of the time, compared to 45% in SOCs. The inundation of false positives contributes to alert fatigue, according to a survey from IDC, in partnership with FireEye.
The result is that alert volumes have become unmanageable, and analysts are experiencing data overload, alert fatigue and burnout.
There are several big problems that come out of this unmanageable volume of alerts:
Wasted time - we all know about the critical shortage of cybersecurity professionals, so anything that squanders their time (like chasing false alerts) is a huge problem. And it's not purely the productivity and cost issue of analysts’ time, it's also the opportunity cost - for every false positive alert that an analyst spends time on, he/she is NOT spending time chasing down a legitimately malicious attack or intrusion. Which brings us to the second problem.
Missed threats - given the high volumes, SOC teams are forced to prioritize the alerts they triage, and low priority alerts often don’t get touched. And in a recent survey, almost half (49%) of all respondents said they turn off high volume alerting features when there are too many alerts for analysts to process, creating the potential for a legitimate and serious alert to be missed. This means that some volume of legitimate threats will be missed, particularly less obvious, and perhaps more dangerous, low-and-slow threats. More than one-third of IT security managers and security analysts ignore threat alerts when the queue is full, according to a survey from IDC, in partnership with FireEye.
Turnover - in a recent survey of SOC analysts, one of the most striking findings was the direct toll the alert overload problem is having on SOC analysts - more than 8 out of 10 reported that their SOC had experienced at least 10% up to more than 50% analyst churn in the past year.
What advancements have been made in order to combat the alert fatigue challenge?
The cybersecurity industry has gotten pretty good over the years at capturing ever-growing volumes of security telemetry from all the different security products in the organization, across endpoint, network, and cloud infrastructure into the SIEM. Historically, the analysis of this data to detect threats has been challenging, but recent innovations in areas such as machine learning and behavioral analysis hold out the promise of more accurate threat identification.
That said, these emerging technologies are not yet good enough to reduce the decision load sitting on the shoulders of human analysts.
Tell us about GreyNoise's solution approach to alert fatigue. What makes it unique?
Many of the events and alerts generated by security products are caused by servers out on the internet trying to communicate with our internet-facing systems. And what we realized is that a large percentage of these “internet communications” are generated by internet-wide scanners. This is what we call “internet noise”.
What we do at GreyNoise is listen to all of those internet scanners out in the world, and classify which ones are known/benign actors scanning the internet, which are malicious, and which ones we aren’t sure of.
So rather than bringing a new algorithm for re-ordering customer alerts, GreyNoise brings an entirely new data set to our customers. This data provides “ground truth” to customers to identify, contextualize, describe and deprioritize alerts that provide little or no value to the analyst.
This allows organizations to confidently ignore a significant chunk of their alerts, without the worry that targeted threats are getting through. As a matter of fact, one of our customers did the math, and calculated that they were able to reduce their alert load by over 20% with GreyNoise.
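The triage logic Andrew describes, as an added illustration that is not GreyNoise's own code or data: a constructed scanner-classification table stands in for the GreyNoise data set, a few constructed IDS alert lines are enriched with it, and alerts from known benign internet-wide scanners are deprioritized. The decision rule also captures the "targeted threats" point above: a source IP that has never been seen scanning the internet at all is escalated, because traffic from it is specific to us rather than background noise. All IPs, tag names and alert formats here are placeholders.

```python
"""Added example (not GreyNoise code): enrich IDS alerts with a constructed
internet-scanner classification table and deprioritize background noise."""
import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# Constructed stand-in for a scanner-intelligence lookup. In production this
# would be a query to a service such as GreyNoise; here it is a static dict.
# classification: "benign"  = known research/search-engine scanner,
#                 "malicious" = observed doing harm,
#                 "unknown"   = seen scanning the internet, intent unclear.
SCANNER_DB = {
    "192.0.2.10": {"classification": "benign", "actor": "ExampleSearchBot", "tags": ["Web Crawler"]},
    "192.0.2.20": {"classification": "malicious", "actor": "unknown", "tags": ["SSH Bruteforcer"]},
    "192.0.2.30": {"classification": "unknown", "actor": "unknown", "tags": ["Telnet Scanner"]},
}

# Constructed sample alerts in a syslog-like key=value format (not real logs).
SAMPLE_ALERTS = [
    "2024-05-01T10:00:01Z ids[1] src=192.0.2.10 dst=203.0.113.5 dport=443 sig=HTTP_SCAN sev=low",
    "2024-05-01T10:00:02Z ids[1] src=192.0.2.20 dst=203.0.113.5 dport=22 sig=SSH_BRUTE sev=medium",
    "2024-05-01T10:00:03Z ids[1] src=192.0.2.30 dst=203.0.113.5 dport=23 sig=TELNET_PROBE sev=low",
    "2024-05-01T10:00:04Z ids[1] src=198.51.100.7 dst=203.0.113.5 dport=22 sig=SSH_BRUTE sev=medium",
]

ALERT_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) sig=(?P<sig>\S+) sev=(?P<sev>\S+)"
)


@dataclass
class Alert:
    src: str
    dst: str
    dport: int
    sig: str
    sev: str
    noise: Optional[dict] = None  # enrichment result; None if the IP was never seen scanning
    priority: str = ""            # "deprioritized", "investigate" or "escalate"


def parse_alert(line: str) -> Alert:
    """Parse one constructed alert line; reject anything that does not match."""
    m = ALERT_RE.search(line)
    if not m:
        raise ValueError(f"unparseable alert: {line!r}")
    ip_address(m["src"])  # raises ValueError on a malformed address
    return Alert(src=m["src"], dst=m["dst"], dport=int(m["dport"]), sig=m["sig"], sev=m["sev"])


def enrich(alert: Alert) -> Alert:
    """Attach the scanner classification for the source IP, if any."""
    alert.noise = SCANNER_DB.get(alert.src)
    return alert


def prioritize(alert: Alert) -> Alert:
    """Decision rule:
    - never seen scanning the internet -> escalate (traffic is specific to us,
      so it is the most likely candidate for a targeted attack)
    - known benign mass scanner        -> deprioritize (background noise)
    - malicious or unknown scanner     -> investigate (opportunistic, but real)
    """
    if alert.noise is None:
        alert.priority = "escalate"
    elif alert.noise["classification"] == "benign":
        alert.priority = "deprioritized"
    else:
        alert.priority = "investigate"
    return alert


def triage(lines):
    """Parse, enrich and prioritize a batch of alert lines."""
    return [prioritize(enrich(parse_alert(line))) for line in lines]


def summarize(alerts):
    """Count alerts per priority and report the share removed from the queue."""
    counts = {}
    for a in alerts:
        counts[a.priority] = counts.get(a.priority, 0) + 1
    total = len(alerts)
    counts["noise_reduction_pct"] = round(100 * counts.get("deprioritized", 0) / total, 1) if total else 0.0
    return counts


if __name__ == "__main__":
    for a in triage(SAMPLE_ALERTS):
        print(f"{a.priority:<14} {a.src:<15} {a.sig}")
    print(summarize(triage(SAMPLE_ALERTS)))
```

The important design choice is the `escalate` branch: the noise data set does not only remove alerts, it makes the remaining ones more meaningful, because an external host that talks to you without also scanning the rest of the internet is by definition not noise. In a real deployment, the lookup would be cached and rate-limited, and the deprioritized alerts kept (not dropped) so that they remain available for retrospective investigation.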
How will you be working with the Defense Innovation Unit to optimize the Department of Defense's investigations?
Working with the Department of Defense can be daunting for a small company. The Defense Innovation Unit has been invaluable in helping GreyNoise navigate the process. Thanks to guidance and logistical support from DIU, we are able to connect with the right people, demonstrate our offerings, navigate the process, and ultimately provide more value to the right teams within DoD much faster.
How do you see GreyNoise helping other federal agencies and enterprises in the future?
We hope and plan to be able to help other organizations save analyst time by managing their alert priorities, similarly to how we are helping other federal and enterprise customers today.
Note there are a couple of additional areas where our customers are finding value with GreyNoise:
Staying on top of compromised devices:
Many of the malicious IP addresses we see scanning the internet are actually servers or hosts that have been compromised by a botnet or trojan.
So one of the services we offer to our customers is the ability to monitor their own IP addresses (or those of their partners), and send an alert if we see one of their devices scanning the internet (likely a compromised device).
Tracking emerging threats:
When a new CVE is announced or a new attack is discovered, the GreyNoise research team jumps in and profiles the telltale “discovery” and “exploit” scanning signatures for these vulnerabilities, creating tags to easily identify this behavior. Security teams can then explore our data with the GreyNoise Query Language (GNQL) to uncover tradecraft seen across the internet, particularly for threats that match their infrastructure.
For example, when the F5 vulnerability was announced, GreyNoise quickly created separate tags to identify IPs scanning for F5 BIG-IP devices, IPs checking for the vulnerability, and IPs attempting to exploit the vulnerability. Security teams can assess their exposure as they monitor progressive threat activity.
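The two additional use cases above, compromised-device monitoring and emerging-threat tracking, as one added example that is not GreyNoise's own code, data or query language: a constructed feed of scanner observations (IP, classification, tags, last seen) is checked first for any address inside our own or a partner's address space, since our hosts should never appear as internet scanners, and then for how far scanning has progressed against a freshly announced vulnerability across the three stages described above (discovery, vulnerability check, exploit attempt). The tag names, the product name and all addresses are placeholders, and the stage names are hypothetical rather than GreyNoise's actual tags.

```python
"""Added example, not GreyNoise's own code or data:
1. flag our own (or partner) IPs that show up as internet scanners -> likely compromised;
2. summarize scanning progress for one vulnerability and list our exposed assets."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed observation feed: an IP seen scanning the internet, its
# classification, the behaviour tags attached to it, and when it was last seen.
OBSERVATIONS = [
    {"ip": "198.51.100.4", "classification": "malicious", "tags": ["SSH Bruteforcer"], "last_seen": "2024-05-01"},
    {"ip": "203.0.113.77", "classification": "unknown", "tags": ["Telnet Scanner"], "last_seen": "2024-05-02"},
    {"ip": "192.0.2.10", "classification": "benign", "tags": ["Web Crawler"], "last_seen": "2024-05-02"},
    {"ip": "198.51.100.9", "classification": "unknown", "tags": ["PLACEHOLDER-APPLIANCE Discovery"], "last_seen": "2024-05-03"},
    {"ip": "198.51.100.12", "classification": "malicious",
     "tags": ["PLACEHOLDER-APPLIANCE Vuln Check", "PLACEHOLDER-APPLIANCE Exploit"], "last_seen": "2024-05-03"},
    {"ip": "203.0.113.80", "classification": "malicious", "tags": ["PLACEHOLDER-APPLIANCE Exploit"], "last_seen": "2024-05-04"},
]

# Our own and partner address space (constructed; RFC 5737 documentation range).
OWN_NETWORKS = [ip_network("203.0.113.0/24")]

# Constructed asset inventory: externally reachable host -> product it runs.
ASSETS = {"203.0.113.5": "placeholder-appliance", "203.0.113.9": "webserver"}

# Hypothetical tag names for the three stages of activity against one vulnerability.
THREAT_STAGES = {
    "discovery": "PLACEHOLDER-APPLIANCE Discovery",
    "vuln_check": "PLACEHOLDER-APPLIANCE Vuln Check",
    "exploit": "PLACEHOLDER-APPLIANCE Exploit",
}
AFFECTED_PRODUCT = "placeholder-appliance"


def find_compromised(observations, own_networks):
    """Return feed records whose IP lies in our address space. Our hosts have
    no business scanning the internet, so each hit is a candidate compromise."""
    hits = []
    for rec in observations:
        addr = ip_address(rec["ip"])
        if any(addr in net for net in own_networks):
            hits.append(rec)
    return hits


def threat_progress(observations, stages):
    """Count distinct scanner IPs seen at each stage for the vulnerability."""
    seen = defaultdict(set)
    for rec in observations:
        for stage, tag in stages.items():
            if tag in rec["tags"]:
                seen[stage].add(rec["ip"])
    return {stage: len(seen[stage]) for stage in stages}


def exposure_report(observations, stages, assets, product):
    """Combine scanning progress with our inventory into one exposure summary."""
    progress = threat_progress(observations, stages)
    exposed = sorted(ip for ip, p in assets.items() if p == product)
    if progress["exploit"]:
        level = "exploitation in the wild"
    elif progress["vuln_check"]:
        level = "active vulnerability checking"
    elif progress["discovery"]:
        level = "discovery scanning only"
    else:
        level = "no scanning observed"
    return {"stage_counts": progress, "exposed_assets": exposed, "activity": level}


if __name__ == "__main__":
    for rec in find_compromised(OBSERVATIONS, OWN_NETWORKS):
        print(f"ALERT possible compromised device {rec['ip']} seen scanning: {rec['tags']}")
    print(exposure_report(OBSERVATIONS, THREAT_STAGES, ASSETS, AFFECTED_PRODUCT))
```

In the constructed feed, one of the two flagged in-scope hosts (203.0.113.80) is itself carrying the exploit tag, which is the typical shape of the problem: the same compromised device that shows up in someone else's alerts is the one you want to find first. The exposure report is only as good as the asset inventory it is joined against, so the `ASSETS` mapping is the part a real team would replace with its attack-surface data.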