Increasing the Efficiency of your Security Operations – An Interview with GreyNoise Intelligence Founder Andrew Morris
I first met Andrew Morris a few years ago when he was volunteering at a MAVA event. He pitched me his idea for GreyNoise and I really liked it. Being able to track different types of Internet scanning activity so you can remove this noise from your event stream is a great way to increase the effectiveness of your teams and tools. I liked his vision of supporting the community and having free and commercial APIs. Fast forward to now, Andrew was able to complete his initial funding and I am thrilled that Gula Tech Adventures (as an investor of Innerloop Capital) is working with him.
GreyNoise provides context on opportunistic scans and attacks broadly targeting the entire Internet. GreyNoise answers the question "Is this attack hitting everyone, or just us?"
Why is this type of intelligence useful to SOCs and MSSPs?
SOC analysts are busy. They are busy because they have too many alerts. Many of these alerts come from the network perimeter and originate from untargeted, spray-and-pray attacks. GreyNoise contextualizes and filters these pointless alerts, giving the analyst more time to focus on the alerts that really matter. In other words, GreyNoise reduces noisy alerts to promote clean, actionable signal. Below is an example user interface of our public “visualizer” as well as two slides from this presentation which detail several types of benign and malicious Internet activity we track.
Public Web Interface for the GreyNoise Visualizer
Example Benign Activity
Example Malicious Activity
How should SIM, NBAD, TIG (Threat Intelligence Gateways) and other types of vendors think about working with GreyNoise?
GreyNoise provides the most value when integrated directly into the tools that analysts are already using. Instead of giving analysts another application to look at, GreyNoise enriches events from within the SIEM, NGFW, TIP, or gateway. Any alerts that are generated by an IP seen by GreyNoise are highlighted (or deprioritized), giving analysts additional context.
What is the difference between what GreyNoise users can do for free versus the commercial API?
The free API provides a subset of context on a given IP and only returns a handful of results for any given query. The Enterprise API provides raw data, tags, malicious/benign classification, and active date ranges. Additionally, the Enterprise API allows users to search through the data using our custom query language, GNQL.
Example gnql Command Line Usage
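One way to implement the enrichment the two answers above describe (deprioritize alerts from IPs known to be scanning everyone, highlight alerts from IPs that are not, and do not trust context that has gone stale), written here as an added Python example that is not GreyNoise's own code or API client. The lookup table, the field names on NoiseContext, the internal network list and the perimeter alerts are constructed assumptions standing in for whatever a real enrichment source returns; only the decision logic is the point.

```python
"""Re-prioritize perimeter alerts using scanner context.

Added example; not GreyNoise code. SAMPLE_CONTEXT and SAMPLE_ALERTS are
CONSTRUCTED data, and the NoiseContext field names are an ASSUMPTION
modelled on what the interview lists (classification, tags, active dates).
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NoiseContext:
    classification: str        # "benign" or "malicious" (assumed field names)
    tags: tuple[str, ...]      # e.g. ("Mirai",) or ("Search Engine Crawler",)
    first_seen: date
    last_seen: date


# CONSTRUCTED lookup table standing in for the enrichment source.
SAMPLE_CONTEXT = {
    "198.51.100.7": NoiseContext("benign", ("Search Engine Crawler",),
                                 date(2019, 1, 3), date(2019, 6, 1)),
    "203.0.113.45": NoiseContext("malicious", ("Mirai", "Telnet Bruteforcer"),
                                 date(2019, 5, 20), date(2019, 6, 1)),
    "203.0.113.99": NoiseContext("malicious", ("SSH Bruteforcer",),
                                 date(2018, 2, 1), date(2018, 3, 15)),  # stale
}

# Your own address space (assumed per-site configuration); scanner context
# says nothing useful about an internal source, so those alerts are left alone.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

PRIORITY_ORDER = {"high": 0, "medium": 1, "low": 2, "unchanged": 3}
AS_OF = date(2019, 6, 2)  # "now" for the constructed sample


def triage(alert: dict, as_of: date, context=SAMPLE_CONTEXT,
           stale_after_days: int = 30) -> dict:
    """Return a copy of the alert with priority, reason and scanner tags."""
    src = alert["src_ip"]
    try:
        addr = ip_address(src)
    except ValueError:
        return {**alert, "priority": "unchanged", "tags": (),
                "reason": f"unparseable source IP {src!r}"}
    if any(addr in net for net in INTERNAL_NETS):
        return {**alert, "priority": "unchanged", "tags": (),
                "reason": "internal source; scanner context does not apply"}
    ctx = context.get(src)
    if ctx is None:
        # The "just us" case: nobody else is seeing this source scan them.
        return {**alert, "priority": "high", "tags": (),
                "reason": "source not seen scanning the Internet at large; may be targeting us"}
    age = (as_of - ctx.last_seen).days
    if age > stale_after_days:
        # Old context is not current context: fall back to treating it as unseen.
        return {**alert, "priority": "high", "tags": ctx.tags,
                "reason": f"scanner context is {age} days old; treat as targeted until refreshed"}
    if ctx.classification == "benign":
        return {**alert, "priority": "low", "tags": ctx.tags,
                "reason": "benign Internet-wide scanner: " + ", ".join(ctx.tags)}
    return {**alert, "priority": "medium", "tags": ctx.tags,
            "reason": "opportunistic mass scanning (" + ", ".join(ctx.tags)
                      + "); hitting everyone, confirm it did not succeed here"}


def triage_batch(alerts: list[dict], as_of: date, **kw) -> list[dict]:
    """Enrich every alert and order the queue by resulting priority."""
    return sorted((triage(a, as_of, **kw) for a in alerts),
                  key=lambda a: PRIORITY_ORDER[a["priority"]])


# CONSTRUCTED perimeter alerts (192.0.2.10 is deliberately absent from the table).
SAMPLE_ALERTS = [
    {"id": 1, "src_ip": "198.51.100.7", "sig": "HTTP probe for /robots.txt"},
    {"id": 2, "src_ip": "203.0.113.45", "sig": "Telnet login attempts"},
    {"id": 3, "src_ip": "192.0.2.10",   "sig": "SSH login attempts"},
    {"id": 4, "src_ip": "203.0.113.99", "sig": "SSH login attempts"},
    {"id": 5, "src_ip": "10.0.0.5",     "sig": "Port scan"},
]

if __name__ == "__main__":
    for a in triage_batch(SAMPLE_ALERTS, AS_OF):
        print(f'{a["priority"]:9} #{a["id"]} {a["src_ip"]:14} {a["sig"]:28} {a["reason"]}')
```

The stale-context branch is the caveat worth keeping: an IP that was a mass scanner a year ago is not evidence that today's alert is noise, so the example falls back to the "not seen" treatment rather than deprioritizing on old data. Internal sources are passed through untouched for the same reason: scanner context only describes what is hitting the whole Internet from outside.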
What is the coolest or weirdest set of Internet scanners you've been able to detect?
GreyNoise tags botnets, Internet cartography organizations, scanner tools, and even operating systems. We see everything that scans the Internet, from the tens of thousands of daily Mirai infections to the hundreds of search engine crawlers used by Google, Bing, and others. But, honestly, nothing was as weird as the mass printer episode.
For more information, visit https://greynoise.io/.
To see how Expel uses GreyNoise to increase their effectiveness, check out their blog post!