Focus on the alerts that matter with Panther and GreyNoise

TL;DR

Starting today, all Panther customers have out-of-the-box access to GreyNoise to improve their detection fidelity.

SOC teams are overwhelmed

SOC teams are slammed today, and alert overload is a huge part of the problem. Too many security tools simply produce large quantities of data to be analyzed–without contextualizing potential threats–and false positive rates up to 50% are the norm. This puts a huge burden on analysts tasked with researching or investigating every alert that gets generated.What’s driving this situation for SOC teams? A couple of thoughts:

The SIEM is struggling

A SIEM platform is one of the primary tools detection and response teams use to secure enterprise environments. But traditional SIEM solutions make it complex and difficult to create detections that deliver high fidelity alerts. Faced with an unending volume of low quality and false alerts, many SOC teams end up getting behind, taking shortcuts, and often simply purging un-reviewed alerts. On the human side, alert fatigue sets in, effectiveness falls dramatically, and the analyst team starts to churn, making an already challenging talent situation worse.

Threat intelligence says “the sky is falling”

The traditional approach to threat intelligence is to identify more and more (and yet more!) threat indicators that are “suspicious”. Often, these threat indicators are low fidelity, and come with very little context for a security analyst. The result - too many false positives and alerts about events that turn out to be harmless or irrelevant to the organization.

Internet background noise is driving alert storms

Every machine connected to the internet is exposed to scans and attacks from hundreds of thousands of unique IP addresses per day - we call this “internet background noise”. Some of this traffic is from malicious attackers driving automated, internet-wide exploit attacks. And some of the traffic is benign activity from security researchers, common bots and business services. And some of it is just unknown. But taken together, this noise triggers thousands of events requiring human analysis.

Helping SOC teams spend less time on noisy alerts, and more time on emerging threats

To address this challenge, Panther and GreyNoise have partnered to provide integrated, out-of-the-box threat intelligence in the Panther threat detection platform that helps teams intelligently reduce the number of alerts in the SOC, while prioritizing emerging threats.

Unlike other threat intelligence vendors, GreyNoise is solely focused on providing high fidelity data on IPs that are actively scanning, crawling and attacking the internet. By classifying each IP by intent (benign, malicious, or unknown), GreyNoise and Panther help SOC teams craft detection and alerting logic that intelligently rules out internet background noise, and prioritizes mass exploit and targeted activity.

How does it work? What are the use cases?

The Panther-GreyNoise integration provides Panther customers with a free, out-of-the-box integration of GreyNoise data sets. All alerts in Panther are enriched with GreyNoise IP data, and detections can be quickly and easily written using the GreyNoise python library.

There are several key use cases for leveraging GreyNoise enrichment data within Panther:

Reduce noisy alerts

GreyNoise provides context on noisy IP addresses that scan the internet. Panther customers can build detections that evaluate the “intent” of a scanner IP address (benign, malicious, unknown), and then simply suppress or de-prioritize the alert. Using this approach, GreyNoise customers have been able to reduce their alert volumes by 25% or more.

Accelerate investigations

One of the key first steps a security analyst often takes in triaging an alert is to research the IP address to determine if it is malicious. With GreyNoise data enriching the IP addresses associated with an alert, the analyst can quickly “rule out” IP addresses that are known to be benign or from common business services like Microsoft Update, Slack or Zoom. This can save significant time on manual research. In addition, GreyNoise provides valuable context on known malicious internet-wide scanners that help speed up the triage process. One GreyNoise customer is saving one day per analyst per week, giving their team 20% more capacity to focus on true threats.

Identify and prioritize activity from mass exploitation attacks

Mass scanning and exploitation attacks have surpassed phishing attacks as the top attack vector, and SOC teams are often struggling to respond. Huge “celebrity” vulnerabilities like Log4j/Log4Shell, OMIGOD, and ProxyShell have forced security teams to scramble to block attacks, identify vulnerable systems, do emergency patching, and hunt for compromised systems while “under the gun”. With GreyNoise data, organizations have real time visibility into all the mass exploitation IPs targeting a specific vulnerability, providing critical actionable data during an active attack.

How can I use GreyNoise in my Panther detections?

Packages

GreyNoise Basic is natively integrated at no extra charge for all Panther customers, and includes a subset of the GreyNoise NOISE and RIOT data sets. This means Panther customers can quickly and programmatically identify the following:

  • IPs that are “internet background noise” - IPs that scan, crawl and attack the entire internet (NOISE dataset)
  • IPs that are associated with common business services - dynamic IPs associated with common internet services like Microsoft Update, Slack and Zoom (RIOT dataset)
  • Intent - whether each IP is showing behavior that is benign, malicious, or unknown
  • Name - name of the organization that owns the IP address
  • Last-Seen - date of the last observed behavior on the GreyNoise Sensor Network

GreyNoise Advanced provides full context details from the NOISE and RIOT datasets, supporting advanced detections, richer investigation context, and faster threat hunting. The data includes tags, CVEs, geo-data, first-seen/last-seen dates, ports and protocols scanned, web paths, user agents, and more. GreyNoise Advanced requires an additional license - please contact your Panther or GreyNoise representative for more information.

The GreyNoise data sets are included as Lookup Tables in the Panther platform, and GreyNoise NOISE Basic and GreyNoise RIOT Basic are accessible by default.

Python Library

GreyNoise and Panther have developed a python library for GreyNoise data, to simplify writing detections. This library makes it quick and easy to add detection logic for GreyNoise data, so you can add detections like greynoise.is_noise to evaluate IP behavior.

Check it out!

We are extremely excited about this integration between GreyNoise and Panther. We’ve had numerous customers and prospects ask us when we would be able to deliver this, and the answer is NOW. To get additional information about the integration, check out these resources: