Start-up Helps Combat Analyst Alert Fatigue
SOC overload is a major problem. The efficiency of modern detection systems often leads to a large number of alerts – most of which are false positives, but all of which require triaging by hard-pressed analysts. A new start-up offers a partial solution.
GreyNoise, which describes itself as an “anti-threat intelligence” company, helps analysts distinguish between malicious and benign internet traffic and the alerts triggered by security defenses, allowing SOCs to differentiate between those events stemming from harmless internet ‘noise’ and those that have a malicious intent.
“Security analysts are overwhelmed with alerts,” comments GreyNoise founder and CEO Andrew Morris. “Every machine connected to the internet is exposed to a constant barrage of scans, web crawls, probes and attacks from tens of thousands of unique IP addresses per day. This ‘internet noise’ is generated by both good guys and bad guys, and it triggers security tools to generate thousands of events to be analyzed, with little context on the potential threats. Analysts waste hours differentiating between targeted attack traffic and background noise alerts.”
GreyNoise operates an internet-wide network of sensors – similar to honeypots – that monitors and correlates incoming traffic. This allows the firm to add context to the incoming scans. The network passively collects packets from hundreds of thousands of IPs seen scanning the internet every day.
Morris told SecurityWeek, “If we see some activity occurring on lots of these sensors, and we see that the customer is also seeing this activity on its own network, the implication is the activity is probably hitting everyone on the entire internet — completely opportunistic and indiscriminate. The customer can safely assume that it is an untargeted attack.” Or it could even be researchers scanning the internet as part of their own activities.
GreyNoise does not consume any of the commercial malicious IP lists for its operation, preferring to make its own decisions. It does, however, generate its own list of ‘malicious but opportunistic’ IP addresses that it sells.
Over the last 90 days, GreyNoise sensors have analyzed almost 3 million IP addresses scanning the internet. Most were found to be benign or indeterminate; only 10,000 were identified as malicious. Traffic deemed potentially targeted and malicious receives further analysis and the results are delivered to customers.
This scale of reduction in the security defense alerts reduces the workload on SOC analysts, and allows them to immediately focus on the genuine threats.
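The correlation logic Morris describes (an IP that hits many independent sensors and also shows up in the customer's own alerts is almost certainly indiscriminate background noise) and the resulting reduction in the analyst's queue can be illustrated with a small triage script. The following is an added example written for this article, not GreyNoise's code or API; the sensor names, the sensor observations, the customer alerts and the `min_sensors` threshold are all constructed for illustration, using documentation-range IP addresses.

```python
from collections import defaultdict

# Constructed sample: each sensor reports the source IPs it saw today.
# Hypothetical sensor IDs and documentation-range IPs, not real GreyNoise data.
SENSOR_OBSERVATIONS = {
    "sensor-us-east": ["198.51.100.7", "203.0.113.9", "192.0.2.44", "192.0.2.99"],
    "sensor-eu-west": ["198.51.100.7", "203.0.113.9", "192.0.2.44"],
    "sensor-ap-south": ["198.51.100.7", "203.0.113.9"],
    "sensor-sa-east": ["198.51.100.7", "192.0.2.44"],
}

# Constructed sample: alerts raised by the customer's own perimeter tools.
CUSTOMER_ALERTS = [
    {"src_ip": "198.51.100.7", "sig": "SSH brute force"},
    {"src_ip": "203.0.113.9", "sig": "HTTP path scan"},
    {"src_ip": "192.0.2.44", "sig": "SMB probe"},
    {"src_ip": "192.0.2.99", "sig": "RDP probe"},
    {"src_ip": "192.0.2.200", "sig": "SQL injection attempt"},
    {"src_ip": "198.51.100.7", "sig": "Telnet login attempt"},
]


def build_sensor_index(observations):
    """Map each source IP to the set of sensors that observed it."""
    index = defaultdict(set)
    for sensor, ips in observations.items():
        for ip in ips:
            index[ip].add(sensor)
    return index


def classify_alert(src_ip, sensor_index, min_sensors=2):
    """
    Label one alert by comparing its source IP against the sensor index.

    Seen on at least `min_sensors` independent sensors -> "opportunistic":
    the same source is hitting the wider internet, so this alert is noise.
    Seen on fewer sensors -> "low_confidence": not enough corroboration.
    Never seen by the sensor network -> "possibly_targeted": worth an analyst.
    """
    seen_on = sensor_index.get(src_ip, set())
    if len(seen_on) >= min_sensors:
        return "opportunistic"
    if seen_on:
        return "low_confidence"
    return "possibly_targeted"


def triage(alerts, observations, min_sensors=2):
    """Attach a verdict to every alert and return (triaged_alerts, counts)."""
    index = build_sensor_index(observations)
    triaged = [
        dict(alert, verdict=classify_alert(alert["src_ip"], index, min_sensors))
        for alert in alerts
    ]
    counts = defaultdict(int)
    for alert in triaged:
        counts[alert["verdict"]] += 1
    return triaged, dict(counts)


def escalation_queue(triaged):
    """Everything not explained by background noise goes to the analyst."""
    return [a for a in triaged if a["verdict"] != "opportunistic"]


if __name__ == "__main__":
    triaged, counts = triage(CUSTOMER_ALERTS, SENSOR_OBSERVATIONS)
    for alert in triaged:
        print(f'{alert["src_ip"]:14} {alert["sig"]:24} -> {alert["verdict"]}')
    print("counts:", counts)
    print("escalate:", [a["src_ip"] for a in escalation_queue(triaged)])
```

With the constructed input, four of the six alerts are explained as opportunistic scanning and only two reach the escalation queue. The threshold matters: a single sensor hit is weak evidence, so the script keeps such alerts in the queue rather than discarding them, which is the conservative choice when the cost of a missed targeted attack is higher than one extra ticket.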
The firm has an interesting business model: a free version that operates as try-before-you-buy, with no commitment to purchase. It now has 73 paying customers, with 2,000 different companies using the free service (increasing by about 100 new companies every month). The conversion rate, from free to full commercial product, is impressive. “The enterprise version is now used by around 70 organizations around the world,” said Morris, “including governments, ISPs and security firms. This has grown by more than 100% over the last 12 months with customers such as Airbus, Lumen and the Defense Innovation Unit (DIU) of the U.S. Department of Defense.”
The last is considered particularly relevant to the growth of the company. “I’m very excited about cracking the nut of working with the defense and intelligence communities of the US federal government,” writes Morris in an associated blog. “We already work with a number of intelligence and defense agencies around the world… but these new relationships really serve to validate the value of our solution.”
The growth rate of the firm has attracted the interest of CIA-backed In-Q-Tel, which has become a partner and investor (although no financial details have been disclosed). Ron Gula (co-founder of Tenable), a serial private investor who has also invested in GreyNoise, told SecurityWeek, “I’ve known Andrew Morris and his team for several years now and they’ve done a great job bringing a unique threat offering to market in a competitive environment.”
GreyNoise, headquartered in Washington DC, was founded by Andrew Morris in September 2017. It raised $4.8 million in seed funding in August 2020, with investment led by CRV and participation from Paladin Capital Group and angel investors Oliver Friedrichs, Ron Gula, and Sounil Yu, the former Chief Security Scientist at Bank of America.