In this edition of Snake Oilers we’ll be hearing from three very different vendors who’ve all been doing interesting stuff.
GreyNoise: An infosec startup darling, GreyNoise can tell you when an attack you’ve detected is internet-wide, automated activity. Very useful for de-prioritising entire alert sets.
MergeBase: Software Composition Analysis (SCA) with two key differentiators. MergeBase says it gives users MUCH better remediation advice than competitors, and also offers an “in prod” dynamic SCA product that feeds Java app telemetry back to app/security teams. Very cool, and getting popular.
Votiro: Regular listeners would know about CDR company Votiro. They’ve spent the last little while updating their product to better deal with macro-based threats. There’s some site-specific machine learning pixie dust as well as some more generic static detections and re-writes.
Patrick Gray:
Hi, everyone, and welcome to this special "Snake Oilers" edition of the Risky Business podcast. My name is Patrick Gray. Snake Oilers is the podcast series we do here at Risky Biz HQ where vendors give us money so they can come on the show to tell us all about their stuff.
In this edition, we'll be kicking things off with Andrew Morris. He is the founder of InfoSec startup darling GreyNoise. GreyNoise is a super interesting idea. Basically, they collect all of that background noise about mass scanning and attacks that are happening on the internet so that you can deprioritize investigations in your SOC when you know that the activity that's generating alerts is internet-wide nonsense.
GreyNoise, like most of the good startups, is based on a simple idea. SOC teams get railroaded pretty regularly by alerts that later turn out were generated by internet-wide baddies. So you see a brute force attempt on SSH. And you know, that's the sort of thing that you're probably going to investigate and it's going to burn time, right. So GreyNoise exists so that you can instantly know whether or not the activity you're seeing is targeting you or targeting everyone, right? That is useful, actionable information. GreyNoise founder Andrew Morris joined me to talk all about GreyNoise, and here he is, this is a great interview, I hope you enjoy it.
Andrew Morris:
So every security operation center is too busy. One of the reasons that they're all too busy is that they have way too many alerts. And a lot of these alerts just don't matter very much. They provide very little investigative value to the analyst. And we're going to tell you which of those alerts don't matter, so that you can focus on the alerts that matter more. And the amount varies. But the way that we're going to do that is we're going to contextualize and optionally deprioritize alerts that are generated by opportunistic internet-wide scan and attack and crawl traffic of all of these devices on the internet that are opportunistically scanning the entire internet. This barrage of scan traffic, crawl traffic, attack traffic, hitting everybody on the entire internet. And we're going to highlight that kind of stuff. And we're going to allow you to eliminate that from your security products, or optionally, look at your data minus that, so that you can focus more on the targeted things that matter more to you and your organization.
Patrick Gray:
So I'm going to be the SpongeBob GIF and point my finger at you and go, "Isn't an attack an attack? Why would you want to deprioritize stuff just because it's automated?"
Andrew Morris:
Yeah, I mean, it's a very valid point, right? So the reason is, because we just don't have enough time. There just literally isn't enough time to get to all of them. So in an ideal world, you absolutely would. There was actually a time maybe 10–15 years ago, 15-ish years ago, where somebody scanning your network on the internet, that was kind of a big deal. That was the kind of thing that you'd want to be like, "Wait, I want to know."
Patrick Gray:
Ooh, a port scan. Flag an incident. Oh...
Andrew Morris:
Yeah, like someone's scanning me, now I should know I can pay attention to that. I can look at where are they scanning from, what are they scanning for, right? And that was just a long time ago. And now the internet is so noisy. And there are so many things that are happening on the internet. And the internet networks are much larger. And there are literal companies that are built on scanning the internet like Shodan, Censys, all of those, right? There's so much noise on the internet now that it's simply impossible to address and triage all of the alerts that are going to be generated by events like this.
So we're just giving our users and our customers the ability to say, okay, they're still there, they're still happening. But let me see what my network looks like minus all of those. Let me see the ones that are just hitting me specifically. Let me start there. And then let me come back to those as time permits, right?
Patrick Gray:
Yep. So I guess what you're saying is today's internet-wide password spraying is the equivalent to port scanning 15 years ago, it's just noise. It's always there.
Andrew Morris:
Yeah, pretty much. And it's still effective. It's still the kind of thing that you need to know about. But if you are being compromised by opportunistic attacks...
Patrick Gray:
You've got problems already, yeah.
Andrew Morris:
You got way bigger problems to worry about than SOC efficiency, right? You're not ready to use GreyNoise. We understand that completely. But as soon as you get to that point of, “OK, now I'm building things out. And I really want to get this right. And I want to try to scale the SOC team, and I want everybody to be as efficient as possible.” That's when GreyNoise is going to be something that's going to be really useful for you.
Patrick Gray:
So what's the number one sort of thing that you would tune out?
Andrew Morris:
The number one thing that I would tune out, I would say, especially if you're looking at, OK, so you're looking at the devices that are tripping IDS alerts, or that are tripping any of your different detection logic, etc. The first thing would be all of the benign scanners. So all of the Shodans, the Googles, the universities, things like that, which are organizations or individuals who are scanning and crawling the internet for legitimate reasons that have followed all of the good internet citizen – I don't want to say rules, but kind of principles.
Patrick Gray:
I want to cut you off, man, because I'm sitting here and I'm about to weep salty tears, because you're telling me that most IDSs don't tune that out already. I'm rubbing my temples, ahhh...
Andrew Morris:
So the issue is, the answer is absolutely not, IDSs absolutely do not. And again, there was a time where somebody that was running a vulnerability check, or checking for the existence of a vulnerability on your network, was a big deal. Now, every single attack surface discovery and every single attack surface monitoring, and every single third-party risk company ever, is checking for vulnerabilities on your network already, right? So unless all of the different IDS companies or network detection companies are themselves maintaining the list of where everybody's doing this from, and controlling that...
Patrick Gray:
This is a really interesting point that didn't occur to me before. You just said it right now, right? Which is there are just so many of those actors, that you kind of do need a third party to keep an eye on that stuff.
Andrew Morris:
This problem is hard enough to build an entire business around. It's easy to build 40–50% of GreyNoise in a couple of weeks with maybe a handful of people, but then getting it right consistently at scale is actually insanely difficult. It's very, very hard.
Patrick Gray:
Yeah, no, so that makes sense. So you want to knock out your attack surface scanning companies, right. I think you mentioned Censys was one, there's other ones...so you want to eliminate them. What next? Because that stuff is absolutely benign, it's not malicious, A Shodan scan is not malicious. So what next?
Andrew Morris:
Yeah, that's a good question. So I'd say after that, outside of the benign classification, when you have any kind of alert that's raised in the SOC, an alert is raised but it is not a successful exploitation. So you have some reason to believe maybe you're not actually running the software that the exploit is attempting to take advantage of. So exploit was thrown, attack was executed, probably wasn't successful. Spend three seconds looking at that, and then immediately move on to the next.
Patrick Gray:
How do you do that? Right? Because I would have thought the context that would allow you to make that decision is based on knowing what you're running, as opposed to, you know, data source from you as an external party.
Andrew Morris:
On your network, you're probably going to have alerts that are gonna get raised that are from IDS signature packages or threat intel that you're using, where it's gonna say, "Hey, this IP address is doing something funky on your network." And you're gonna want to check that for a second. And you're gonna say, "Okay, this doesn't matter to me, specifically to my organization. And also, it's happening to everybody in the entire Internet. So I don't need to care about this." I don't run this software (A); and then (B) this thing isn't even hitting me specifically...
Patrick Gray:
I guess what I'm asking is you help with the B, not with the A.
Andrew Morris:
Yeah, that's right. I mean, I can't tell you what you guys are running on your network...
Patrick Gray:
Yeah, that's all I was getting at, right. So that makes sense, right? So for every sort of SIEM alert, can you get some sort of context around how prevalent, you know, that particular alert is in other people's SOCs, right? So you can see that of our customers, this has hit like, 50% of our customers in the last, you know, two days. So is that the information you get?
Andrew Morris:
Yeah, so we do that separately. So the data that we collect firsthand from our big collection network. So this is how GreyNoise works, we operate this gigantic network of what we call passive collector sensors. They're kind of like honey pots, right? And we run these sensors in hundreds of data centers all around the internet. The data that we collect firsthand is just analyzed ground truth of the traffic that we're seeing in all these different places. Now, separately, we have a tremendous amount of data that's after-usage data of all of the things that all of our customers are asking us about. And there's a level into that, that we would like to eventually be able to bubble up to customers as well, of basically, "Hey, you know, you just asked us about an IP address that you're seeing do some funky stuff on your network. We've actually never seen it before. But we can tell you that like nine other organizations in the same vertical as you saw this at about the same time." Right?
Patrick Gray:
That's interesting context, yeah. This is stuff that various vendors have tried to do, but always within the confines of their own products, if that makes sense? So this is yeah, all the antivirus companies got really excited about trying to capture that sort of telemetry and see, when things were novel versus...but they sucked at it, it didn't really work that well.
Andrew Morris:
A) they weren't very good at it, you're right; B) there were non-technical, economic reasons why they weren't doing it, right? Because you're gonna have a massive collection bias when you do this, when you try to take this approach only with your own products. Because your data size is limited, your pool is limited to your existing customers. Which means that you're only going to be able to do this effectively with people who have implemented your products. So for us, we're integrating with every single product ever. You can use this with any SIEM that you want to, you can use this with any IDS you want to, you can use this with any SOAR platform that you want to. It's completely fine, we'll play nice with any product you have. And that gives us a huge advantage of data that we can use to enrich alerts against.
Patrick Gray:
So do people mostly use this for the clickthrough context, or for the elimination?
Andrew Morris:
The way that by and large GreyNoise is used by most people is, I'm seeing this thing, let me see what GreyNoise is saying about this.
Patrick Gray:
So, it's that context piece.
Andrew Morris:
Exactly. Separately, there's an undertaking, as you can imagine, like getting this wrong is really…it's really bad. Our false-negative situation is something we really, really want to avoid. So we try to stick to the facts as much as possible and say, “This is what we saw,” with as much explainability as humanly possible. And we try to take a very kind of cynical view on all of our analytics that we apply, because we don't ever want to be wrong. And so as part of that, as we're building out our confidence in our ability to really tell people you don't need to care about this thing, or you should deprioritize this thing or whatever. Eventually, what we'd really like to be able to do is also save people money on their SIEM bills.
Patrick Gray:
Yeah, by excluding those things from going into the storage in the first place. But talk about perverse incentives. I really wish SIEM providers didn't bill by alert volume. It's just so dumb.
Andrew Morris:
It's insane!
Patrick Gray:
It is, but I mean, it's an opportunity for you. And that's fantastic. So speaking of opportunities for you, what's your typical customer look like? I mean, where are you having success? Typically, I'm guessing, you know, a product like this is going to find a home in companies and organizations that have SOCs, right? So it's going to be large enterprise.
Andrew Morris:
Yeah, exactly. So I mean, if you have a SOC, if you have a SIEM, you can be a GreyNoise customer.
Patrick Gray:
Yeah. And I'm guessing also MSSPs, or less so?
Andrew Morris:
Absolutely, yeah. So we do really well with MSSPs because the more efficient an MSSP is, the more money they make.
Patrick Gray:
Yeah, because they're all about margins. Right?
Andrew Morris:
Exactly. It's all margins, a pure margin game, right? And so we sell to quite a few MSSPs to help them provide better service more efficiently to all their customers.
Patrick Gray:
Now, Andrew, before we go, I understand that you actually have a free version of this too.
Andrew Morris:
That's exactly right. So for anybody who, for XYZ reason, you don't want to become a customer, you can't become a customer, but you want to try GreyNoise out, you want to actually get a feel for it, you want to try to get some value out of it or see like, does this thing work? Does this not work? We have a free web interface that anybody can use, you don't have to create an account to use the free web interface. You can do lookups. As soon as you want to use GreyNoise in your SIEM, you can become a customer. But if you just want to do lookups, use the web interface.
Patrick Gray:
So you're just charging for the API stuff.
Andrew Morris:
Exactly.
Patrick Gray:
Alright. Andrew Morris. Very simple idea there. And yeah, I mean, I think it's cool. And obviously GreyNoise is a bit of a darling actually in InfoSec. Because you frequently see people singing its praises on the Twitters, you know, smart people too. So congratulations on the success you've had so far. And I wish you all the best for the future. Cheers.
Andrew Morris:
Thank you so much, Patrick. Thanks for having me.
Patrick Gray:
That was Andrew Morris of GreyNoise there. And yeah, you can just go to greynoise.io and throw an IP at it if you want to check out what they do, and you only pay if you want API access. It's funny, right? Andrew told me that there's been a few people who've put crappy scripts on, you know, like paste sites, you know, here's how you can use GreyNoise without an API key. And they've done some botchy script that stuffs it into the web form. But yeah, don't be cheap. Go give him some money. If you want API access, just maybe pay for the API access, but you can check them out at greynoise.io and see what the service is all about. And maybe that's a good way to dip your toe in.