GreyNoise: The Current Approach to Security Alerts In the SOC Doesn't Scale

GreyNoise Intelligence is helping security operations center (SOC) teams improve analyst efficiency, identify compromised devices and understand emerging threats by giving them unique visibility into “internet noise.”


We sat down with Dan Maier of GreyNoise Intelligence to discuss the evolution of SOCs, the current challenges SOCs face with the explosion of security tools and inbound data noise, and how SOCs may evolve in the future to be more efficient and better defend against more advanced threats.


How have SOCs evolved over the past few years? And how has the increase in cyber activity / remote work during COVID-19 contributed to that evolution at all?


The people in the SOC are overworked. They are exhausted. It is a very hard job. They are getting alerts from a zillion security products. They are desensitized to a massive amount of those alerts being absolutely useless and a waste of time. They are frustrated, and the security industry is not making it any better. We're just making it worse. Here are a few contributing factors:


Low fidelity alerts - Too often, misleading or outdated indicator telemetry results in over-alerting on events with a low probability of being malicious, or matching on activity that is actually benign. One good example of this is low-quality IP block lists – these lists identify “known-bad IP addresses,” which should be blocked by a firewall or other filtering mechanism. Unfortunately, too many of these auto-generated lists have high false positive rates because they lack context and misconstrue benign behavior as malicious.

Another type of low-fidelity alert is the “overmatch,” or over-sensitive heuristic. For example, say an alert gets generated based on the following rule:


“Attack detected from remote IP address 1.2.3.4: IP address detected attempting to brute-force RDP service.”


In reality, what happened here was that a user came back from vacation and got their password wrong three times.


Anomaly detection is a moving target - The theory with anomaly detection is to use machine learning to establish a baseline of expected network and host behavior, then investigate any unplanned deviations from this baseline. While this strategy makes sense conceptually, corporate networks are filled with users who install all kinds of software products and connect all kinds of devices. Even when hosts are completely locked down and the ability to install software packages is strictly controlled, the IP addresses and domain names with which software regularly communicates fluctuate so frequently that it’s nearly impossible to establish any meaningful or consistent baseline. And in today’s COVID-driven environment, the shift to work-from-home has destroyed those previously established baselines. The result? Security products that employ anomaly detection-based alerting with the promise of “unmatched insight” often deliver mixed or poor results. This toil ultimately rolls downhill to the analysts, who either open an investigation for every noisy alert or numb themselves to the alerts generated by these products and ignore them.


Home networks are now corporate networks - The pandemic has resulted in a “new normal” of everyone working from home and accessing the corporate network remotely. Before the pandemic, some organizations were able to protect themselves by aggressively inspecting north-south traffic coming in and out of the network on the assumption that all intra-company traffic was inside the perimeter and “safe.” Today, however, the entire workforce is outside the perimeter, and aggressive inspection tends to generate alert storms and lots of false positives.
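The “overmatch” above is easy to reproduce. The following is an added example (not code from GreyNoise or from the interview) that runs a naive brute-force heuristic and a tuned one over a handful of constructed RDP authentication log lines. The log format, the source addresses (documentation ranges), and the thresholds are all assumptions chosen for illustration; the point is that counting failures per source IP fires on a returning user's three typos, while requiring many failures across several usernames inside a short window does not.

```python
"""Added example: naive vs. tuned brute-force heuristic over constructed log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). 1.2.3.4 is the user who came back
# from vacation; 198.51.100.7 is a hypothetical password-spraying source that
# produces 12 failures across 6 usernames in under two minutes.
SAMPLE_LOG = [
    "2021-03-01T09:00:01 rdp-auth src=1.2.3.4 user=alice result=fail",
    "2021-03-01T09:00:20 rdp-auth src=1.2.3.4 user=alice result=fail",
    "2021-03-01T09:01:05 rdp-auth src=1.2.3.4 user=alice result=fail",
    "2021-03-01T09:01:30 rdp-auth src=1.2.3.4 user=alice result=success",
] + [
    f"2021-03-01T09:05:{10 * i:02d} rdp-auth src=198.51.100.7 user=user{i % 6} result=fail"
    for i in range(6)
] + [
    f"2021-03-01T09:06:{10 * i:02d} rdp-auth src=198.51.100.7 user=user{i % 6} result=fail"
    for i in range(6)
]

LINE_RE = re.compile(r"^(\S+) rdp-auth src=(\S+) user=(\S+) result=(\S+)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, user, result = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "user": user, "result": result}


def failures_by_source(lines):
    """Group failed logins by source IP, sorted by timestamp."""
    by_src = defaultdict(list)
    for ev in map(parse_line, lines):
        if ev is not None and ev["result"] == "fail":
            by_src[ev["src"]].append(ev)
    for events in by_src.values():
        events.sort(key=lambda e: e["ts"])
    return by_src


def naive_brute_force_rule(lines, threshold=3):
    """The overmatch from the interview: any source with >= threshold failures, ever."""
    return sorted(src for src, evs in failures_by_source(lines).items() if len(evs) >= threshold)


def tuned_brute_force_rule(lines, window=timedelta(minutes=5), min_failures=10, min_users=3):
    """Flag a source only if, inside one sliding window, it produced at least
    min_failures failures spread over at least min_users distinct usernames."""
    flagged = []
    for src, events in failures_by_source(lines).items():
        j = 0
        for i in range(len(events)):
            # Advance j to the first failure that falls outside the window opened at events[i].
            while j < len(events) and events[j]["ts"] - events[i]["ts"] <= window:
                j += 1
            in_window = events[i:j]
            if len(in_window) >= min_failures and len({e["user"] for e in in_window}) >= min_users:
                flagged.append(src)
                break
    return sorted(flagged)


if __name__ == "__main__":
    print("naive rule flags:", naive_brute_force_rule(SAMPLE_LOG))  # both sources
    print("tuned rule flags:", tuned_brute_force_rule(SAMPLE_LOG))  # only the spraying source
```

The tuned rule is still a heuristic: an attacker who sprays one username per source IP, or spaces attempts beyond the window, slips under it. That is exactly why this kind of rule benefits from source-IP context (is this address hitting only us, or everyone?) rather than ever-lower thresholds.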


What are the biggest challenges facing the SOC today?


The internet is really noisy - hundreds of thousands of devices, malicious and benign, are constantly scanning, crawling, probing, and attacking every single routable IP address on the entire internet for various reasons. The more benign use cases include indexing web content for search engines, searching/cataloging vulnerable services or devices, and other internet-scale research. The malicious use cases are similar: take a common, easy-to-exploit vulnerability, then attempt to exploit every single vulnerable host on the entire internet.

As a result of this noise, SOCs are generating way too many alerts, and every security operations center is too busy. Many of these alerts don't matter very much because they're generated by completely pointless, opportunistic internet-wide scanning attack traffic that's not even a little bit targeted towards them. In our experience, this can make up maybe 20, 30, or 40% of the total alert volumes. But SOCs have a very difficult time separating the signal from the noise.


With GreyNoise, we'll tell you which alerts are “noise” that you can safely ignore. So now you can answer the question: is this alert hitting everybody, or is it a targeted attack that is just hitting me? Now you can identify and ignore the noise, rather than chasing everything. And you can focus on the alerts that really matter to you. GreyNoise is like noise canceling headphones for your SOC.


Talk to us about the importance of integrations. What are the benefits of GreyNoise's integration and partner community?


The security industry is an ecosystem, and a good number of today’s security systems are powered by intelligence data. Maximizing the value of your intelligence assets requires distributing the data broadly into all of your security controls. So whether you’re ingesting the latest threat intelligence into your SIEM, enriching alerts in your SOAR, aggregating your intelligence assets in your TIP, or powering your EDR and firewalls with the latest IOCs, you need to be able to easily integrate this data. This is why we at GreyNoise have worked incredibly hard to make sure our data is easy to integrate and ingest. GreyNoise is delivered through our SIEM, SOAR and TIP integrations, API, command-line tool, bulk data and visualizer.


In the past 12 months, GreyNoise has worked with leading SOC security vendors to deliver or improve a number of turnkey integrations, including Splunk ES, Splunk Phantom, Palo Alto Networks XSOAR, Microsoft Azure Sentinel, Siemplify, Swimlane, Tines, Recorded Future, Polarity, MISP and Anomali ThreatStream. These integrations enable security teams to scale the use of GreyNoise intelligence to reduce alert volumes and provide SOC-wide visibility into suspected threats. In addition to these supported commercial integrations, the GreyNoise community has built out integrations with a number of other security and data tools, including Maltego, Fluent Bit, rstats, GreyWatch (TCP connection monitor), GreyNoisePS (PowerShell integration), Machinae (OSINT collector) and many more.


How do you see the SOC evolving next?


The volume of alerts that SOC teams have to deal with is not sustainable. Things have to change to rationalize the situation while continuing to maintain a strong security posture. Here are a few thoughts on how this could happen:

  • Scale our ability to handle more alerts - as the volume of telemetry and intelligence continues to grow exponentially, automation and machine learning are an obvious approach to scale our ability to triage and respond to alerts. There are a number of companies doing promising work in modeling analyst decision making in this area. Keep your eye on SIEM, SOAR, and the XDR space for emerging solutions.

  • Reduce the number of alerts we need to handle - rather than dumping more and more data onto our analysts, we need to find ways to reduce the volume without missing threats. This is where GreyNoise is focused, along with a handful of other companies. We think that there is huge potential to reduce alert volumes by proactively identifying noisy non-malicious traffic, and we’re already seeing reductions on the scale of 20, 30, even 40% with some customers.

The current approach to security alerts in the SOC, requiring analysts to process ever-growing volumes, just doesn’t scale. SOC teams and security analysts are paying the price with alert fatigue, burnout, and high turnover. It’s our job to figure out how to solve this problem. With some of the sharpest minds in our industry focused on the problem, I’m sure we can figure out how to do better in our security efforts by doing less.


###