Breaking Down Gray Alerts: What Do These Mean for Businesses?

Unknown threats trigger gray alerts from endpoint detection and response (EDR) tools on a day-to-day basis. But what is it about these gray alerts that warrants a deeper look, and how can MDR help?

In the world of cybersecurity, things that are black and white are definite, clear-cut, and recognizable: They are either malicious or benign. For decades, the security landscape consisted of the known good and the known bad, which have been easier for security teams to monitor and make sense of. But the threat landscape continues to expand and evolve, and the black and white are now accompanied by a large number of the ambiguously gray. Unknown threats trigger gray alerts from endpoint detection and response (EDR) tools on a day-to-day basis. But what is it about these gray alerts that warrants a deeper look?

The gray alert problem

A gray alert is created by a cybersecurity detection tool when it comes across a file or an event whose behavior or characteristics cannot yet be classified as either malicious or benign. For example, a detection tool may issue a gray alert for an application that it has flagged for potentially unwanted behavior. Because one of the organization's teams finds the application useful and is willing to put up with its side effects, such as annoying pop-ups or advertisements, the security team may opt not to look into it. However, the advertisements this application displays may carry malware that could infect endpoints. This is why an organization's security team should analyze a gray alert in order to ascertain its true nature and determine what steps to take.

In today's threat landscape, there is an abundance of sophisticated threats that are difficult for traditional security solutions to detect. Even so, certain aspects of such threats, such as bundling or information collection, can cause gray alerts to surface on EDR tools. Delaying the investigation of gray alerts, or ignoring them completely, can let advanced threats enter the system undetected. These undetected threats can function as droppers or loaders for other, more insidious threats, such as ransomware, to infiltrate a system. Ransomware is a destructive threat which, if it manages to sneak into a system, wreaks havoc not just on enterprises of various sizes but also on government offices and, recently, even broadcast entities such as The Weather Channel. Undetected threats and unanalyzed gray alerts can leave organizations exposed to security risks that can lead to financial loss, operational disruption, and reputational damage. This is why, despite facing budget constraints and a global lack of cybersecurity talent, organizations cannot afford to be without strong security tools and expertise.

As threats become trickier and employ sophisticated detection evasion techniques, determining the true nature of gray alerts becomes increasingly challenging. This is where a security solution that uses machine learning technology, which allows the accurate identification and blocking of brand-new or unclassified threats on an evolving rule set, is at an advantage. Though machine learning is a strategic and helpful cybersecurity tool for threat detection, it is best partnered with other technologies to create a strong, multilayered security posture. Advanced security solutions like EDR tools that use machine learning are most effective when helmed by security professionals who are able to demystify gray alerts and connect them to other network events. In order to fully protect a system, gray alerts from the various attack vectors, such as network, server, and email, should be correlated and analyzed together.

But what happens when gray alerts come at great volumes?

So many gray alerts, so few cybersecurity professionals

Cyberthreats are not only becoming so complex that they are able to bypass traditional AV systems; they are also becoming more abundant. An organization’s EDR tools can generate a large number of gray alerts on a day-to-day basis, warning the security team of these benign-until-proven-malicious attacks. However, when the volume of gray alerts is too high, cybersecurity teams may find themselves overwhelmed with the sheer number of gray alerts they have to check — if an organization has its own cybersecurity team to check gray alerts, that is.

The cybersecurity skills gap is a growing concern for nearly 50% of the 1,125 chief information security officers (CISOs) who responded to an Opinium survey commissioned by Trend Micro in 2018. Companies are finding it harder to find cybersecurity professionals who can join their teams to help thwart cyberthreats. In fact, 54% of U.S.-based CISOs who took part in the survey disclosed that they have difficulty hiring skilled professionals.

According to ESG's "The Life and Times of Cybersecurity Professionals 2018," 41% of the study's respondents shared that instead of hiring more experienced cybersecurity professionals, their organizations have had to recruit and train junior personnel. Not having senior cybersecurity pros within an organization may prove to be a disadvantage, as advanced tools are more likely to be used well by those who have experience working with them and know how to get the most out of them. The same ESG research points out that 47% of respondents admit that the skills gap has left their staff unable to use security solutions and technologies to their full potential.

But even if an organization has experienced cybersecurity staff at its disposal, it is not immune to the skills gap. A whopping 66% of respondents state that their existing staff experience heavier workloads due to the skills shortage. And so, even if they have knowledgeable people on board, those people become overextended and overburdened with multiple tasks, including deciding which gray alert to prioritize for analysis among the vast volume they are inundated with daily. This results in alert fatigue, which happens when security professionals end up tuning out alerts due to a constant deluge of notifications.

Managed detection and response (MDR) helps organizations by providing 24/7 alert monitoring as well as threat detection and response capabilities from experienced cybersecurity professionals who are able to use security solutions to an organization's full advantage. An MDR team provides an organization valuable insight into how multiple gray alerts are untangled and correlated into a single, clearly classified threat. MDR services offer organizations efficient advanced threat intelligence expertise at a lower cost than an in-house security team, thereby helping to ease the skills gap problem as a bonus.
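As an added illustration of the correlation and prioritization described above (example code written for this page, not a Trend Micro tool), the following Python correlator groups constructed gray alerts per endpoint within a time window, weights the behaviors the article names, and escalates only clusters observed from more than one vector, so that the analyst sees one ranked incident instead of several ambiguous alerts. The alert records, the behavior weights, and the 30-minute window are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample gray alerts (not from the article): low-confidence
# detections from different vectors, three of them on the same endpoint.
GRAY_ALERTS = [
    {"ts": "2019-05-06T09:00:00", "host": "WS-17", "vector": "email", "behavior": "attachment-macro"},
    {"ts": "2019-05-06T09:02:00", "host": "WS-17", "vector": "endpoint", "behavior": "bundling"},
    {"ts": "2019-05-06T09:05:00", "host": "WS-17", "vector": "network", "behavior": "info-collection"},
    {"ts": "2019-05-06T11:00:00", "host": "WS-03", "vector": "endpoint", "behavior": "adware-popup"},
    {"ts": "2019-05-07T14:00:00", "host": "WS-17", "vector": "endpoint", "behavior": "adware-popup"},
]

# Assumed weights: behaviors the article associates with dropper/loader
# activity (bundling, information collection) count for more than nuisance adware.
BEHAVIOR_WEIGHT = {"attachment-macro": 3, "bundling": 2, "info-collection": 3, "adware-popup": 1}
WINDOW = timedelta(minutes=30)  # assumed correlation window


def score(host, cluster):
    """Turn one cluster of gray alerts into a single scored incident."""
    vectors = {a["vector"] for a in cluster}
    base = sum(BEHAVIOR_WEIGHT.get(a["behavior"], 1) for a in cluster)
    total = base * len(vectors)  # independent vectors multiply confidence
    verdict = "escalate" if len(vectors) >= 2 and total >= 6 else "gray"
    return {"host": host, "alerts": len(cluster), "vectors": sorted(vectors),
            "score": total, "verdict": verdict}


def correlate(alerts, window=WINDOW):
    """Group alerts per host into time-bounded clusters; return incidents ranked by score."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        by_host[a["host"]].append(a)
    incidents = []
    for host, items in by_host.items():
        cluster = [items[0]]
        for a in items[1:]:
            gap = datetime.fromisoformat(a["ts"]) - datetime.fromisoformat(cluster[-1]["ts"])
            if gap <= window:
                cluster.append(a)
            else:  # too far apart: close the current cluster, start a new one
                incidents.append(score(host, cluster))
                cluster = [a]
        incidents.append(score(host, cluster))
    return sorted(incidents, key=lambda i: i["score"], reverse=True)


if __name__ == "__main__":
    for inc in correlate(GRAY_ALERTS):
        print(inc)
```

On the sample data the three WS-17 alerts from email, endpoint, and network collapse into one escalated incident, while the two isolated adware pop-ups stay gray and sink to the bottom of the queue.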

Written by Trend Micro, posted in Threat Landscape, MDR