Avoiding Security Alert Hell: Introducing Squyre
Ask anyone who has worked in Security Operations and they’ll tell you it’s hard to get right.
“It’s hard to get right” — Someone in Security Operations
In most organisations, unrelenting alerts bombard a team of analysts around the clock, telling them of bad things™ that may have happened, and challenging them to work out whether that’s true or not (and what to do about it).
Sometimes it’s not even a team on the receiving end — it’s the one poor security hero trying to single handedly defend the organisation. Not fun; I’ve been there. 😢
Today I release a little tool that I hope will, in some small way, help my fellow security heroes with this very predicament!
Alert Fatigue
Before we jump into solutions, let’s explore the problem a little more. This common situation leads to what is generally referred to as alert fatigue.
Alert fatigue causes a few main problems for Security teams:
- Poorly written or maintained detections (or alerts) generate too much noise. There are too many alerts to deal with, so legit bad things™ can be missed.
- Triage (is this alert bad or not?) is often a manual and time consuming process requiring the analyst to pivot to a number of other sources to help with their decision. This requires a high level of brain power, and is much harder to do when multitasking other activities. Again: stuff gets missed and it’s not fun.
- Analysts are people too — after a reasonably short time dealing with a repetitive, unrewarding and never-ending stream of alerts, they burn out. They leave the team (or the organisation) to find a better life. Hence begins the process of replacing them, only to be back here again once the next analyst gives up.
The Answer
Detection Engineering is the area of Security that is focussed on building an effective capability to detect cyber threats through alerts like these.
Good Detection Engineering stops alert fatigue, and requires a combined focus across people, processes and technology. Ryan McGeehan’s seminal 2017 post covers a lot of what good looks like, and is a genuine masterpiece!
It really is a very good article. Go read it, I’ll wait for you here!
https://medium.com/starting-up-security/lessons-learned-in-detection-engineering-304aec709856
Welcome back! 👋
So as you now know, one aspect of good Detection Engineering is to provide as much relevant detail as possible in your alerts, to avoid the issues we described in problem 2 above. From Ryan’s article:
“You should decorate alerts. This describes a standard of detail where an alert brings additional information to the analyst without requiring extra work.”
TL;DR. Alert decoration is good. You want it.
Introducing Squyre
Now that you know all about it, I know you want alert decoration for your team. There are commercial products that will help you do this, but spoiler alert: they are not cheap. Like, not at all. 💰 💰 💰
That’s not fair! Smaller security teams with less budget don’t deserve alert fatigue either!
This upset me, and I wanted to change this.
So I wrote Squyre, to put good alert management within everyone’s reach, regardless of their company’s size or budget.
It’s a free and open source project that runs on AWS, consumes alerts from your SIEM, and decorates them with information that helps security teams do what they do, but quicker and easier.
Basically, it extracts IP addresses, domains, hashes etc. from the alert body, looks them up on various services, and then adds the results to the alert in your ticketing system (e.g. Jira).
What does it look like? For an alert containing the IP address “1.2.3.4” and the domain “testdomain.com”, Squyre adds notes like these:
Squyre noted: "Additional information on 1.2.3.4 from GreyNoise:
Greynoise believes 1.2.3.4 is benign.
Noise? false
In the RIOT database? true
Last seen 2022-05-11.
More information at: https://viz.greynoise.io/riot/1.2.3.4"
---
Squyre noted: "Additional information on testdomain.com from Alienvault OTX:
Alienvault OTX has 1 matches for 'testdomain.com', in the following pulses:
NewDom-3-20210528
More information at: https://otx.alienvault.com/browse/global/pulses?q=testdomain.com"
Utilising serverless AWS services like Lambda and Step Functions, it does not require anything more than an AWS account to run. Of course, you do also need something to generate alerts for you (e.g. a SIEM), but you probably already have that. At any rate, it’s really cheap to run.
Even better, with a nice setup wizard and the magic of CloudFormation templates, it is also really easy to spin up and try — most of the hard work has been done for you!
You can check it out at: https://github.com/gyrospectre/squyre
Or take a look at the docs at: https://gyrospectre.github.io/squyre/
In Closing
I hope some of you find Squyre useful; or at least, interesting enough to inspire you to go check it out. It’s a side project for me, but I hope to add more decoration functions as time permits — let me know if there’s something you would like to see added!
I’ve focussed this post on the reasons Squyre exists rather than how it works; but do let me know if there’s interest in a follow up article on deployment etc.
Now what are you waiting for? Go save your security team from alert hell!