How to reduce false positive noise for already overworked security teams

Managing cybersecurity is a never-ending challenge. As adversaries keep finding innovative ways to exploit organizations' vulnerabilities, security teams strive to keep pace and protect the company from cyberattacks. While the number of security solutions deployed keeps growing exponentially, so does the operational overhead of managing security in real time. This is the twofold challenge: managing each point solution separately and, more importantly, harmonizing all solutions into a single security posture management practice.  

Furthermore, with a great set of tools comes an overabundance of data to analyze. Security teams must spend an excessive amount of time culling all irrelevant events to finally find the needle in the haystack – the clear and present danger to the security of the organization. These are time-consuming and repetitive actions typically performed manually and almost always require more time, training, and insight than available.  

This situation pits the fundamental goal of optimizing the organization’s security posture against the actual ability to achieve it.  

False positives and ALERT FATIGUE are BAD FOR YOUR CYBER HEALTH 

The rule of thumb for cyber alerts is that the bigger your security stack, the greater the volume of alerts. Beyond the growing number of cyberattacks, a major reason for this is insufficient knowledge, which results in security misconfigurations. Another reason is a security configuration that does not correspond to actual business operations and applications. Either setup can generate a large number of false positive alerts. Either way, the grave result is alert fatigue, which hinders security teams’ ability to respond to real threats in real time. This can lead to employee burnout, increasing the already growing rate of employee turnover. In addition, the high volume of alerts has a second negative effect: overworked security operations teams tend to reduce the alert overhead by ignoring alerts or by configuring security products to stop issuing them. 

The result is, again: a sub-par configuration that leads to a sub-par security posture. 

THE ORGANIZATION AS A LIVING ORGANISM 

The organization is a living organism that keeps changing and evolving. Its security controls must anticipate how it adapts to challenging and sometimes disruptive surroundings and repair itself when needed. The organization’s immune system needs to translate many types of alerts from different sources into a comprehensible language in order to identify true positive events that pose an immediate risk to the business. When the number of false positive events is high, there is an inherent risk to business operations and applications. More importantly, it jeopardizes the ability to identify actual security events in time, i.e., before any harm is done.  


THE COLLATERAL DAMAGE 

NIST defines a False positive event as “an instance in which a security tool incorrectly classifies benign content as malicious” (NIST SP 800-83 Rev. 1).  

False positive events represent a discrepancy between the security configuration and specific business operations: legitimate activity is falsely flagged as a risk to the organization and is consequently blocked.  

Security solutions are designed to reduce the risk of cyberattacks. In the process, they tend to ignore the collateral damage, which lands on business applications and operations. 

Only a subset of the possible environments is tested when a new signature for a CVE is created. This means certain patterns may be too broad or not precise enough to catch only true positive events. Do you have enough knowledge and resources to manually narrow down the number of false positive events before security teams crack under the pressure of handling too many alerts (whether false or true positive)?  

The Archimedean Point 

The solution relies upon acknowledging that it is possible to reduce false positive events by shifting (left) the Archimedean point from the SOC to the security engineering and infrastructure teams. Once you fix all misconfigurations and optimize security to support business operations, you reduce the number of false positives. As the overall number of alerts decreases as well, identifying true positive events becomes faster and easier.  

Implementing intelligent tools to automate the contextualization of alerts is mandatory for an efficient, scalable root-cause analysis of false positives. It reduces the overload on security teams and augments their capabilities in investigating security incidents by cleaning the organization’s security alerts cesspool.  
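The two points above (a signature written too broadly, and contextualizing alerts with knowledge of the environment) can be shown side by side. The following is an added illustration, not Veriti's code or any product's logic; the signature, the asset inventory and the events are all constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed asset inventory (assumption): which product/version each host runs.
ASSET_INVENTORY = {
    "10.0.0.5": {"product": "example-webapp", "version": "2.3"},
    "10.0.0.6": {"product": "other-service", "version": "1.0"},
    "10.0.0.7": {"product": "example-webapp", "version": "3.0"},
}

@dataclass
class Signature:
    name: str
    pattern: re.Pattern           # the detection pattern as shipped
    affected_product: str         # product the underlying CVE applies to
    affected_versions: set = field(default_factory=set)

# Hypothetical signature whose pattern is too broad: it fires on any request
# carrying the parameter name, regardless of the target's product or version.
SIG = Signature("HYPOTHETICAL-SIG-001", re.compile(r"cmd="),
                "example-webapp", {"2.3"})

# Constructed events; only the first targets a host that is actually affected.
EVENTS = [
    {"dst": "10.0.0.5", "request": "GET /admin?cmd=status"},   # affected host
    {"dst": "10.0.0.6", "request": "GET /api?cmd=list"},       # other product
    {"dst": "10.0.0.7", "request": "GET /admin?cmd=status"},   # unaffected version
    {"dst": "10.0.0.9", "request": "GET /x?cmd=1"},            # host not in inventory
    {"dst": "10.0.0.5", "request": "GET /index.html"},         # no pattern match
]

def fires_uncontextualized(sig, event):
    """The signature as shipped: pattern match alone decides."""
    return bool(sig.pattern.search(event["request"]))

def fires_contextualized(sig, event, inventory):
    """Same pattern, but suppressed when the target cannot be affected."""
    if not sig.pattern.search(event["request"]):
        return False
    asset = inventory.get(event["dst"])
    if asset is None:
        return True   # unknown asset: keep the alert rather than drop it blind
    return (asset["product"] == sig.affected_product
            and asset["version"] in sig.affected_versions)

def count_alerts(sig, events, inventory):
    """Return (alerts without context, alerts with context) for the same events."""
    raw = sum(fires_uncontextualized(sig, e) for e in events)
    ctx = sum(fires_contextualized(sig, e, inventory) for e in events)
    return raw, ctx
```

On the constructed events the broad signature raises four alerts, of which only two survive contextualization: the genuinely affected host and the host the inventory knows nothing about, which stays visible for analysts rather than being silently dropped.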

Reducing the number of false-positive events is crucial for business continuity and ongoing practices. Veriti offers proactive monitoring capabilities to reduce the possibility of any business disruption (e.g. downtime of critical services) ex-ante. It automates the process of identifying false positive events and improves the security posture of the entire security stack while ensuring business uptime. 
