Cyber security teams are under tremendous pressure to safeguard their IT infrastructure and business data against the escalating threat of breaches. Even as organizations increasingly rely on automated security tools to detect threats, those tools have a downside that cannot be ignored: they generate a high number of false positives.
A false positive is an alert that flags activity as malicious when the underlying behavior is actually benign: a minor spike above normal volume, a small deviation from the expected pattern, or a legitimate action the rule was not written to recognize. A January 2015 Ponemon Institute report stated that enterprises spend $1.3 million a year dealing with false positive alerts, which translates into around 21,000 hours of wasted time. The study, which surveyed more than 600 organizations in the US, found that organizations receive around 17,000 malware alerts a week, of which only 19% are worthy of attention.
This high rate of false positives has a real financial impact on organizations. Every alert a security solution raises must be triaged and investigated to rule out a breach. A high false positive rate means valuable analyst time is spent chasing and closing false alarms. That cost is accepted because investigating a false positive is preferable to missing a real intrusion, but these are person-hours that could be spent on genuine incidents.
A second risk is that real threats are overlooked in the process. Repeated false positives breed alert fatigue: analysts assume that an alert they have seen many times before is 'false' and risk dismissing a legitimate one. A rule that generates many false alerts may also be ignored or disabled altogether, after which the activity it was written to detect goes unnoticed.
The problem is compounded by the fact that security solutions lack business context, so they raise alerts even when the underlying behavior is normal or expected under particular business conditions, such as a scheduled batch job or a maintenance window.
So, now that we have established the high cost of false positives to an organization, what measures can be taken to reduce them?
- Detailed configuration and accurate tuning of the security system (defining user profiles, expected traffic volumes, usage patterns, and so on) so that it knows what to treat as malicious, with regular retuning to incorporate new insights.
- Baselining normal activity and setting alarm thresholds relative to that baseline, weighted by priority.
- Keeping rules simple and tightly scoped: a rule that matches too broadly is both harder to maintain and noisier, while a narrow one stays flexible yet effective.
- Remediating the conditions behind alerts that fire frequently, even when they are false positives, simply to remove the distraction or 'noise' they create.
- Remediating known vulnerabilities, especially those that are cheap to fix, if only to reduce the vulnerable surface area.
- Building business context into the rules to strengthen threat intelligence. This also helps prioritize threats by their potential impact, so effort focuses on those that demand immediate remediation.
- Applying manual expert validation and analysis to the alarms generated by automated tools, to make threat detection more accurate.
- Reviewing known, identified false positives at least yearly to re-validate them, since the conditions that made an alert benign may no longer hold.
SIEM systems offer yet another approach to the false positive dilemma. Integrating advanced analytics with a SIEM produces a more intelligent security solution that helps prioritize alerts and raises the probability that a true threat is detected.
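As an added example (not code from the original article or its author), the following Python script applies the measures listed above to a single failed-login rule and then prioritizes the surviving alerts by business impact, as the SIEM paragraph describes. It compares an untuned static threshold against per-account baselines, a documented business window, and an allowlist of known false positives that expires so it must be re-validated. All account names, counts, timestamps, the maintenance window and the allowlist entries are constructed for illustration.

```python
"""Constructed example: tuning a failed-login rule to cut false positives.

Not the article's own code. Demonstrates per-account baselines, business
context (a scheduled job window), an expiring allowlist of known false
positives, and impact-based prioritization. All data below is made up.
"""
import statistics
from datetime import date, datetime

# Constructed reference history: failed logins per 10-minute window, per
# account, over a quiet period. A SIEM would derive this from weeks of data.
HISTORY = {
    "alice":      [2, 3, 4, 2, 3, 5, 3, 2],
    "bob":        [10, 12, 11, 13, 9, 12, 10, 11],
    "svc_backup": [35, 40, 42, 38, 41, 37, 39, 40],
}

# Constructed business context: the backup service account is expected to
# fail against decommissioned hosts while its nightly job runs (02:00-03:00).
CONTEXT = {
    "svc_backup": {"window_hours": (2, 3), "expected_max": 150,
                   "reason": "nightly backup job retries stale credentials"},
}

# Constructed allowlist of known false positives. Each entry carries a
# review-by date so the suppression is re-validated instead of living forever.
ALLOWLIST = {
    "scanner01":  {"review_by": date(2015, 12, 1), "reason": "authenticated vuln scans"},
    "legacy_app": {"review_by": date(2015, 1, 31), "reason": "misconfigured client, ticket open"},
}

CRITICALITY = {"svc_backup": 3, "alice": 2}   # business impact; default is 1
TODAY = date(2015, 3, 2)                        # constructed "today" for review checks

# Constructed events: (timestamp, account, failed logins in that window)
EVENTS = [
    ("2015-03-02T02:20:00", "svc_backup", 60),
    ("2015-03-02T09:05:00", "alice", 3),
    ("2015-03-02T09:15:00", "alice", 2),
    ("2015-03-02T09:25:00", "alice", 4),
    ("2015-03-02T09:35:00", "alice", 37),
    ("2015-03-02T10:00:00", "scanner01", 120),
    ("2015-03-02T11:00:00", "bob", 12),
    ("2015-03-02T12:00:00", "legacy_app", 50),
    ("2015-03-02T14:00:00", "svc_backup", 60),
]


def naive_alerts(events, fixed_threshold=20):
    """The untuned rule: one static threshold for every account."""
    return [e for e in events if e[2] > fixed_threshold]


def baseline_thresholds(history, k=3.0, floor=5.0):
    """Per-account threshold = mean + k * stdev over the reference period.
    The floor keeps a very quiet account from alerting on a handful of events."""
    return {acct: max(floor, statistics.mean(c) + k * statistics.pstdev(c))
            for acct, c in history.items()}


def context_threshold(account, ts, base):
    """Raise the threshold inside a documented business window."""
    ctx = CONTEXT.get(account)
    if ctx and ctx["window_hours"][0] <= ts.hour < ctx["window_hours"][1]:
        return max(base, ctx["expected_max"])
    return base


def allowlist_status(account, today):
    """Return 'active', 'expired' or None. An expired entry alerts again so
    the analyst is forced to re-validate the suppression."""
    entry = ALLOWLIST.get(account)
    if entry is None:
        return None
    return "active" if today <= entry["review_by"] else "expired"


def tuned_alerts(events, history, today, floor=5.0):
    """Apply baseline, business context and allowlist, then prioritize."""
    thresholds = baseline_thresholds(history, floor=floor)
    alerts = []
    for ts_str, account, count in events:
        ts = datetime.fromisoformat(ts_str)
        threshold = context_threshold(account, ts, thresholds.get(account, floor))
        if count <= threshold:
            continue
        status = allowlist_status(account, today)
        if status == "active":
            continue  # known false positive, still inside its review period
        alerts.append({
            "ts": ts_str, "account": account, "count": count,
            "ratio": round(count / threshold, 2),
            "criticality": CRITICALITY.get(account, 1),
            "note": "allowlist expired, re-validate" if status == "expired" else "",
        })
    # Business impact first, then how far above its own baseline the account is.
    alerts.sort(key=lambda a: (-a["criticality"], -a["ratio"]))
    return alerts


if __name__ == "__main__":
    print("naive rule:", len(naive_alerts(EVENTS)), "alerts")
    for alert in tuned_alerts(EVENTS, HISTORY, TODAY):
        print(alert)
```

On the constructed data the static rule raises five alerts; the tuned rule raises three, and the one that floats to the top is the backup account failing outside its job window, which is exactly the case a static threshold buries among scanner noise. The expired allowlist entry resurfaces as an alert with a note, which is the yearly re-validation from the list above enforced by the tooling rather than by memory.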
Vijay Bharti is the Chief Information Security Officer (CISO) and Senior Vice President of the Cyber Security practice at Happiest Minds Technologies. He brings more than 20 years of experience in IT security across multiple domains, including Identity and Access Management, Data Security, Cloud Security and Infrastructure Security.
His recent work includes building Security Operations Center frameworks (covering people, processes and various SIEM technologies), where he is working on an integrated view of security and on ways of leveraging advanced analytics and big data innovations for cyber security.