In response to new research that indicates more than a quarter of security alerts fielded within organizations are false positives, cybersecurity experts offer perspective.
As attacks increase, from both external and internal sources, it is inevitable that things will slip past preventative controls – therefore threat detection controls need to be put in place. But even in medium-sized enterprises, the number of alerts being generated across multiple systems can quickly become overwhelming.
While it can be tempting to invest a lot into correlating all the logs and wading through the alerts (many of which will be false positives), the alternative is to understand the organisational systems and only turn on alerts for critical activities and systems. This ties back into understanding root causes and simplifying the overall architecture. Having fewer, but more focussed and better-quality alerts can allow organisations to spend more time focusing on the things that really matter.
Honeytokens can help to reduce noise in the environment. When implemented correctly, alerts generated by honeytokens are of high quality and can pinpoint malicious activity.
Good system architecture can also help in managing and reducing alerts. For example, designing simple communication flows between components can help identify where traffic is behaving in a non-standard way – such as lateral movement by hackers within your system.
False positives are always a concern when working with large amounts of data from various monitoring sources like networks devices, endpoints and applications. An organization may flag an application only working during a specific time zone and if an outsourced company or employee is working in another time zone on the other side of the world, this would flag a false positive. Additionally, false positives are a result of system configurations from third parties not applicable to the organization\’s infrastructure. The amount of data collected will depend on the breadth of data surveyed and \”how far the net is cast.\” If the cast is narrow, then the information is limited, but the false positive score could be lower versus a wider cast net where this can increase, but the need for more information is collected for analysis.
Having a human pilot is always important to navigate through the data, whether it\’s with false positives or not. While time and resources are spent on dealing with the false positives, it\’s important for organizations to be able to train and educate the analysts to spot them quickly and move on with the real ones. You always need a pilot in a plane to deal with events that can occur and sometimes you want the pilot, like Sully. Your analysts will need to classify and verify to make sure the event is legitimate and actual before taking action.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics