Welcome to the "How I Use GreyNoise" video series. Our goal is to highlight how analysts, researchers, and others use GreyNoise products to solve their security problems.
GreyNoise Community Members:
Moderator:
Seculore's mission is to cyber-protect the critical infrastructure of public safety agencies, with a focus on 9-1-1 centers. Led by experts in 9-1-1 technology, cyber warfare, and ethical hacking, the Seculore team provides the technology, expertise, and training needed to defend customers from increasingly sophisticated cyber threats.
Supriya Mazumdar:
Yeah. Fantastic. So welcome everyone. This is the second session of "How I Use GreyNoise". We're doing this in front of a live audience, which is really exciting. So it's nice to see all of your faces or pictures and names listed above for us. Yeah, you guys are in great company. We have an amazing team here with us today. So just some more background. My name is Supriya Mazumdar. I'm the community manager here at GreyNoise. I've been here for about seven months now, which is insane because I feel like a total veteran. Long story short, this "How I Use GreyNoise" session started a few months ago, the idea is to spotlight GreyNoise users and how they use our product. So without further ado, I'm gonna pass it off to Paul and Grant to introduce themselves.
Paul Misner:
Sure. Good afternoon, everybody. My name is Paul Misner, I'm a SOC 3 analyst with Seculore. Our company provides 24/7 monitoring, detection and cyber analysis for clients in over 25 states. We use proprietary technology that's patented and manufactured by us and a team of dedicated analysts look at our data. Core focus for our company is 911 operations, and we're proud to play that part keeping emergency assets safe.
Grant Lorello:
Hi, everybody. My name is Grant Lorello. And I am one of the lead engineers here at Seculore. I've been working here for five years. And I helped design and create the original visualization tool that the SOC analysts use to do their analysis. And I helped build the GreyNoise integration with our system.
Supriya Mazumdar:
Awesome. And so how long have you guys been at Seculore?
Paul Misner:
I've been here two years.
Grant Lorello:
I've been here five and a half years.
Supriya Mazumdar:
Awesome. And so how long have you been using GreyNoise? Tell us a little bit about kind of how you came across us? And then yeah, we can go from there.
Paul Misner:
Okay, sure. I'm actually the person who found GreyNoise when I was a SOC 2 analyst, and I found it organically. We were looking for a solution that did what GreyNoise did. We have a tool, which is essentially a threat feed from multiple locations, where we funnel IP addresses from our clients to identify any types of vulnerabilities. When I first started, we had to manage or do research on these vulnerabilities one at a time. And it was very, very, very time consuming. So the next step was, I found through research that GreyNoise allows for bulk uploads. And using that process, it could save us considerable time, probably about eight hours a week. And it was really viral within our community or within the community here; other analysts looking over my shoulder were like, "What do you got, that looks really cool." They started using it. And then pretty much everybody started using the tool here. So I talked to engineering about it, and we had a conversation. And then it basically became something that grew and integrated; we became a paid customer and started working with Brock.
Supriya Mazumdar:
And I assume all good things, right?
Paul Misner:
Yeah, I mean, when you have a bad thing with GreyNoise, you're very responsive. So like every company that's got emergent technology, sometimes your technology gets ahead of the documentation, right? But the fact that you have a really great inside rep to help us through that type of thing has really covered that for us.
Supriya Mazumdar:
That's always great to hear. I'm sure. You know, we definitely like to put our customers and our favorite champions in the hot seat, so I will always appreciate the kind words. And so, I guess for background for folks that are joining us, what Paul and Grant are going to be going into, like a deeper dive of, is our primary use case, right? This is increasing SOC analyst efficiency, and you heard Paul kind of get into some of that. But the idea right is to use GreyNoise to enrich datasets so that analysts aren't spending eight hours a day triaging like a single alert, are able to meet their SLA times, are able to turn over, you know, tickets quickly, efficiently and free up for more like active threat hunting, right? Like, it's a tough job. I'm sure you guys know that better than anyone else, you know, just how much burnout can come from being an analyst and being inundated with so much noise. So, that being said, I'd love to talk a little bit more in depth about what a GreyNoise-centric investigation looks like. Talk us through like, the different integrations you have or anything like a little bit more detailed like that?
Paul Misner:
Listen, I want to pass it over to Grant, because I kind of stopped the story at the first serve, OK? Once we started talking to engineering, we started looking at your API. And we said, this has a lot of potential for integration in our product. And then two things happened at the same time. We started using the product so much that we were probably a nuisance to you, and we felt it was time to pay for it. And so we went through a budgetary process with your team. At the same time, we started testing the integration API, and I'll let Grant speak to that part.
Grant Lorello:
Yeah, so the API was very easy to work with. Our original implementation was a little bit, you know, rough around the edges as the initial API integrations tend to be. But it worked very well. And then after the project changed hands a little bit and ended up in my lap, I ended up talking with your representative in order to help improve the integration process, and he was extraordinarily helpful in streamlining the refactoring of the integration process significantly, and it's a lot faster, it's a lot more efficient now. And the entire project was very easy. And so much of that was due to the feedback that we got from our contacts at GreyNoise.
Paul Misner:
And not talking about the productivity, like a rough rule of magnitude is for every 100 IPs that we were investigating prior to GreyNoise, we're probably investigating about six now. So it is an increased productivity, and actually gave our analysts more time to do an analysis on things they needed to do. So we could focus on what was necessary. And GreyNoise served the purpose that it was intended to: stripping out a lot of the noise.
Supriya Mazumdar:
And so I guess, were you guys surprised when you first, you know, got GreyNoise integrated? Was that like, expected? I guess I just love to know, expectations versus reality with GreyNoise.
Paul Misner:
Yeah, so doing it manually—it was a combination of pulling things off on the website, and then doing integrations with Excel and with a lot of macro support on the back end. And that was fantastic. But we were able to go so much further with the integration of the API, specifically with sharing information among different analysts for the same IPs.
Supriya Mazumdar:
Yeah, no, that totally tracks. And I guess, of the type of like data that you're getting, like IP enrichment. Was it the noise value, like the noise Boolean true or false, that was the most valuable? Was it the hash data? I'm curious to know what was the most valuable.
Paul Misner:
The number one was noise, removing that information. But there's also a significant amount of threat research in your feeds. And we often line that up against the threat information that we have gathered at Seculore to correlate and kind of triage, and most of the time we're in alignment. Sometimes we see some differences and communicating that over to the Slack channel with GreyNoise has been very helpful as we'd kind of view each other as partners. There's times I'll bring intel to them. There's things that you wouldn't see, for example, like feeds that are signed up for by government sites. They have to be registered for. We see them because we have a lot of government clients; however, we want them taken out as false-positives, and we work with GreyNoise to have the integration of those IPs, for example.
Supriya Mazumdar:
Yeah, for sure. And do you guys utilize RIOT at all?
Paul Misner:
Yeah, RIOT is fantastic. Because it just takes out a whole bunch of IPs quickly. The thing that we realize with RIOT is, if you do a false-positive on a RIOT IP, it could be consequential to the availability of a customer site. So it's extremely helpful.
Supriya Mazumdar:
That's awesome. So I guess that being said, with all that free time, and, you know, less noise hitting your SIEM alerts, what is the next step? Or like, what's the next level of maturity using GreyNoise or beyond it? Or, you know, thinking ahead?
Paul Misner:
That's a great question. So GreyNoise solves the problem for us with the noise and also with the sharing of data between the analysts. And Grant, do you want to talk about this, like the IP notes functionality?
Grant Lorello:
I mean, it's more of a use case.
Paul Misner:
So the other side of that then, what we're trying to incorporate now is, once the analyst has looked at the data and made a determination on it, we have a gap in sharing that quickly among the other analysts. And we've just come out with the first iteration of the tool that does that: once an analyst comments on a particular exchange, that comment gets put into our management console. And also, in tools that the other engineers can look at and make a determination. A lot of the time, these engineers are actually seeing the same IP on multiple sites that they manage, right? So if they're doing an analysis, they now have the ability to enter once and have all the other analysis fields taken care of on other sites. This is what the first generation just came out with. It's proven really well, it's proven good enough that we're asking more questions and asking for more features. So that's an area of growth for us.
Supriya Mazumdar:
Yeah, extremely helpful. And so I'll even put you on the spot now. Is there something that you'd like to see from GreyNoise in the future? Is there more data that we can do, more transparency? Is there anything that you as a, you know, SOC team would really benefit from us?
Paul Misner:
You know, to be honest with you, you have a really good set, like the fact that you have people on the Slack channel, like involved with us to take care of things that are a little bit ambivalent, or there's a difference between sides, or your team gathers some intel that we didn't know. A funny thing is, we did some research on some scanners that we were looking at. And I actually reached out to the company to say, "Can you tell us a little more about the scan?" Turns out, it was you. It was GreyNoise doing the scanning, so we had a little conversation about that. But what you're doing has been absolutely great. And I can't think of anything else right now that we need, but we will.
Supriya Mazumdar:
Add anything?
Grant Lorello:
No, I can't think of anything. So, because I really just did the integration part of it. So I'm not so much of an end user as the mediator of letting the end user use the product. And it was so simple to use that I can't really think of anything that would improve upon the integration process.
Paul Misner:
Yeah, the analysts are still using the manual tools. They're using them if, like, we're seeing something really unusual at a specific customer that involves a lot of IPs. For example, we have one customer: all of a sudden, we're seeing a bunch of DNS coming in. And it's like, we want to quickly check what's going on; that probably doesn't make sense to throw at the API. So we use the manual tools to do that.
Supriya Mazumdar:
And I don't know if you mentioned, but remind me. So you guys said SIEM integration. Did you specify which one? Are you comfortable specifying?
Paul Misner:
No, no, that's fine. It's actually work, we have a proprietary tool that we use, with some of the features of SIEM and some of the features of other security technologies. And that is proprietary, patented, our technology. And it offers a lot of functionality that you don't see in a typical SIEM, but we don't sell it, we just resell the services.
Supriya Mazumdar:
Gotcha. And so like, let's talk about volume. So, you know, regardless of SIEM tool, how many alerts do you guys see per day? Are you like processing? Like, how big is your team? Again, at your discretion, just like wanting to kind of give people an idea of scale?
Paul Misner:
Yeah, absolutely. So when I started two years ago, our SOC team was three and a half people, we had one part-time person on there, and our hours of operation were 5am to 1am. Now we're 24/7 and we have over 20 analysts working on the team. So there's been a lot of growth, and taking on the clients that cause us to scale has also resulted in the need for more efficiencies, like GreyNoise, so we recently incorporated it. It's funny because I just asked Grant's boss for this number yesterday, about how many transactions are on our ingress; I don't have a number. But we have around 100 customers, and many of them have multiple versions of Paladin, our end appliance. And the sizes range from very closed networks that don't have a lot of public IP address traffic. Which if we do see something, it could be very, very, very important. Could take down a 911 center, so lives are at stake. And some of our other customers have traffic on the internet that we're monitoring in front of them. Usually those will have a lot of IP traffic that's coming in for the analysis.
Supriya Mazumdar:
From, I guess, a ratio perspective, and you'll have to forgive me, it's been a while since I sat in a SOC myself. How many of these specifically is GreyNoise helping with? How many of these are Tier 1 alerts versus, how many of them are like GreyNoise hasn't seen this before? And you know, maybe this is something you should actually worry about?
Paul Misner:
So that's a good question. We have in our alert system approximately 25,000 rules. And some of them are tailored specifically for the clients. Then, as part of that, I guess you might want to answer that they're asking a different question, right? It's like how much we don't have to deal with. Because your tool helps us to review a lot or take out a lot of things that we were escalating. So that's where its strength is. And as I mentioned with the checks before, it's doing about 4% or 6% of the deep analysis that we were doing before.
Supriya Mazumdar:
Yeah, no, that's great to know. And frankly, that time save is extremely valuable, right? Because even if 1% of your attacks are, you know, unknowns or targeted or non-opportunistic, if you're being gummed up by internet scanning, it's not valuable, or it's easy to miss.
Any interesting attack, anything crazy or weird or quirky, any fun stories?
Paul Misner:
I've been with a customer, we started seeing all this really unusual traffic going on and was coming over an unusual TCP port. And I called them up and I said, you know, I'm doing some research on this. And I said, this is nothing I can see it's a game, right? It could be an Android thing or something going on? And he's like, yeah, that's my phone. Sometimes we'll see in a second that something's being compromised. And one customer it used to be pretty consistent when they were running a test in lab. So we would call up and see stuff. Another thing we recognized with a customer with your help was we had a device that just started spewing out all this UDP traffic or getting inbound UDP traffic. And a lot of it was malicious. And it turned out that, without permission, somebody had put a router, like a home-grade router, in a conference room, where, you know, top-level people meant to have conversations. So we were even able to quickly identify and resolve that.
Supriya Mazumdar:
I mean, I'm sure there's no shortage of crazy things, especially from your clients' perspective, which I'm sure is proprietary. But, no, this is great. I think we've touched on a lot of like, different topics. And we've highlighted a lot of the things that GreyNoise is capable of, which is integrating, reducing time and workload for analysts. You know, I'd love to know what I guess are key takeaways. And again, if people have questions, you can drop them in the chat, and we'll be happy to answer them. You know, as we're moving towards like FAQ. I'm also going through my list of questions, too. So I'd love to know if anyone has anything specific that they can ask either Grant or Paul. But talking about success metrics, you've already told us that you went from like 100 IPs to six, which is just insane numbers and really good from that perspective. But I guess, speaking more high-level strategic, what has this meant for your organization? And even speculating, what do you think this means for Seculore?
Paul Misner:
So yeah, in a SOC, there's always a tradeoff between productivity (getting the work done) and doing quality work, right? Actually doing serious analysis on a customer site. And the quality of the work. This is great, because it's helped both quality and production, right? The quality of the work that we do is better because of the product, right? And it's also sped up our production time, the ability to get out reports and things like that. Absolutely.
Supriya Mazumdar:
So we have quite a few, quite a few audience questions, which I'm happy to get through. So the first one we talked about is the core use case, right? But we bring this as a secondary use case, which is emerging threats and identifying emerging threats. So this is kind of geared towards this. So how about more manual research and emerging threats? Are you using it to track actively exploited vulnerabilities at your customers? It's a great place to talk about tag data if you guys are using that, or not using that, and why not?
Paul Misner:
OK. The answer is yes. So, again, our tools do a lot prior to GreyNoise. Adding GreyNoise then provides us with additional verification and visibility into the attack. I do love the way you have the attacks organized on the website and the ability to search for them. Because sometimes we will just look and see, OK, general patterns on an attack that's happening among your client base. That's something that we really don't have the ability to capture in-house, so getting a general trend throughout the world is something you do that we don't do.
Supriya Mazumdar:
That, yeah, totally tracks. And I guess from an enrichment perspective, and maybe Grant, you might be able to speak a little bit more about your proprietary integration. But are you guys able to see that tag data enriched? Or are you opting for Visualizer use to go further into that?
Grant Lorello:
I'm sorry, could you repeat that one more time?
Supriya Mazumdar:
Yeah. Are you guys able to see tag data in your enrichment in your SIEM? Or are you guys opting for Visualizer, like the GreyNoise Visualizer, to see like tag data.
Grant Lorello:
So we do add the tag data to part of the integration. Much of the other metadata hasn't been integrated fully into our SIEM quite yet, and so there is still, I'd say, a pretty significant amount of, I'd have to ask Paul about that a bit more, of going to the Visualizer to get a little bit more in-depth data on any particular hit. The majority of what the integration does is simply the GreyNoise noise trope, where we just rule out a significant portion of hits that we would need to otherwise manually verify. So I guess this could kind of lead a little bit into the process. So our proprietary tool starts with just the hardware, which we build in-house and install on the client's network, which passively listens and gathers data. That data has been processed through a couple of stages of metadata, and then uploaded to our server in the cloud. And that's where it actually gets checked against our rule set and the GreyNoise integration. So after it matches, and we see some hits, it will trigger an alert. And then we can cross-check that alert with the GreyNoise integration to see whether that was actually an alert worth looking into. And so it significantly reduces the amount of time that they actually spend digging into otherwise benign alerts.
Supriya Mazumdar:
That's super helpful. And it seems like you've touched on Brock's question a little bit about the setup. I guess I'll even ask the second part of this question: Any stumbling blocks that you know you had to work through? You mentioned working with Brad Chiappetta. Brad is our integration specialist at GreyNoise. He is a wizard and has set up all of the, you know, we have 20+ integrations with TIP, SIEM/SOAR tools, open source tools. Yeah, that's just a plug for Brad. He's awesome.
Paul Misner:
Every tool like open source tool that I see it's like "GreyNoise API". It's just fantastic. We love that.
Supriya Mazumdar:
The goal is to be everywhere. Yeah, but I guess getting back to Brock's original question, any stumbling blocks, any troubleshooting that needed to happen?
Grant Lorello:
Yeah, um, there weren't too many stumbling blocks. Obviously, there were just the standard ones that you run into in any sort of relevant process. I guess the largest one was just an initial misunderstanding on our part of how to best use your API that stemmed primarily from just really a misreading of documentation, as well as that brief period of time where the documentation (I think Paul already touched on this a little bit) was a little bit behind the live version of the API. But you guys solved that in ~5 minutes. Talking with Brad, we figured that out really quickly and he even gave me kind of a preview of what the documentation was going to look like before it actually went live. So it was, again, a very smooth and relatively painless integration process.
Paul Misner:
I'd like to answer the same question from a business side. One of the things that I'm strongly going to recommend is that you coordinate your testing process with sales, right? As far as dealing with things like API keys, limits, expirations, we had to go back to the well a couple of times because we had to, because the API key ran out. We had other projects going on, and this had to stall for a little bit. So, we stall the project, get back to it—uh, API's expired, right? So coordinating that with your sales rep is important. And to help the sales rep, I'll tell you, begin the internal sales process while you're testing, because it's going to take some cycles to get approval through management. This particular project went relatively fast for us because we could qualify and quantify what the product was giving us. But it's important that you begin that process to 1) get like a tentative go-ahead from management to say, spend the time to investigate API incorporation; and 2) when you've completed it, that there's a PO cut to continue.
Supriya Mazumdar:
Oh, here's a tough question. How did you quantify that value? Like, how did you make that internal case?
Paul Misner:
Well, the first thing was, well, I was doing 40 hours' worth of work in 32. Alright, that meant one of two things, right? I could do more analysis, or they could hand me more reports. And I was blessed that the former is what happened; I was able to do more quality analysis, and then that spread through the team. And this just became more than something that was desired, something that was felt to be necessary for our team, right? So it was a very sneaky process on their part. You slowly got your claws into this organization to the point where we couldn't be without it.
Supriya Mazumdar:
We love to hear that. No, this is great. And for the audience questions, we're happy to keep answering them. Otherwise, I'll just kind of like leave it open for final thoughts. And if folks want to stay on after we stop recording, I'm happy to answer questions specifically about GreyNoise and speak in much greater detail about SIEM/SOAR integrations, that type of stuff. But yeah, so any final questions from the audience? But meanwhile, Grant and Paul, I'll kind of ask you for final thoughts.
Paul Misner:
We're here, this is not like a paid endorsement or anything. We've really enjoyed working with your team. I hate it when the API shuts down. That's not a good thing. When you changed your licensing, that was a little problem for us, but it actually served to move things a little bit here. But the relationship has been great. It's been productive. And I look forward to continuing it.
Grant Lorello:
Yeah, from my perspective, so we're not fully integrated into every single aspect of GreyNoise, that is, fully integrated into every single aspect of what we do. And what I find myself, just as a kind of engineer brain going through, is I get very excited about what new things I could use the integration to do. Like how can I better represent the data that we're seeing through the lens of GreyNoise's extra tags and all the other information that is provided through the integration. And I'm very much looking forward to progressing that integration fully into more parts of the system.
Supriya Mazumdar:
Yep, that's awesome. And there is no shortage of integrations coming our way. In fact, we are thinking, pontificating over a ServiceNow integration. I don't know if that's something that you guys use or if anyone here uses, but we're actually right now soliciting feedback for what a ServiceNow integration would look like. So if you have strong opinions or any thoughts on that at all, we'd really appreciate you reaching out to me. But fantastic! Well, we can go ahead and wrap up the recording. Again, we can stay on after, but to those watching the recording, my name is Supriya, this has been the Seculore session of "How I Use GreyNoise". If you are interested in doing your own session, you can reach out to me at community@greynoise.io. Yeah, stay tuned for more sessions.