Expert Comments

Expert Comments: Over 25% Of Security Alerts Are False Positives

Expert(s): Security Experts
Expert(s): Security Experts

In response to new research that indicates more than a quarter of security alerts fielded within organizations are false positives, cybersecurity experts offer perspective.

Experts Comments

Dot Your Expert Comments
Javvad Malik
March 18, 2020
Security Awareness Advocate
KnowBe4

Good system architecture can also help in managing and reducing alerts.
As attacks increase, from both external and internal sources, it is inevitable that things will slip past preventative controls – therefore threat detection controls need to be put in place. But even in medium-sized enterprises, the number of alerts being generated across multiple systems can quickly become overwhelming. While it can be tempting to invest a lot into correlating all the logs and wading through the alerts (many of which will be false positives), the alternative is to.....Read More
As attacks increase, from both external and internal sources, it is inevitable that things will slip past preventative controls – therefore threat detection controls need to be put in place. But even in medium-sized enterprises, the number of alerts being generated across multiple systems can quickly become overwhelming. While it can be tempting to invest a lot into correlating all the logs and wading through the alerts (many of which will be false positives), the alternative is to understand the organisational systems and only turn on alerts for critical activities and systems. This ties back into understanding root causes and simplifying the overall architecture. Having fewer, but more focussed and better-quality alerts can allow organisations to spend more time focusing on the things that really matter. Honeytokens can help to reduce noise in the environment. When implemented correctly, alerts generated by honeytokens are of high quality and can pinpoint malicious activity. Good system architecture can also help in managing and reducing alerts. For example, designing simple communication flows between components can help identify where traffic is behaving in a non-standard way – such as lateral movement by hackers within your system.  Read Less
James McQuiggan
March 18, 2020
Security Awareness Advocate
KnowBe4

Having a human pilot is always important to navigate through the data, whether it's with false positives or not.
False positives are always a concern when working with large amounts of data from various monitoring sources like networks devices, endpoints and applications. An organization may flag an application only working during a specific time zone and if an outsourced company or employee is working in another time zone on the other side of the world, this would flag a false positive. Additionally, false positives are a result of system configurations from third parties not applicable to the.....Read More
False positives are always a concern when working with large amounts of data from various monitoring sources like networks devices, endpoints and applications. An organization may flag an application only working during a specific time zone and if an outsourced company or employee is working in another time zone on the other side of the world, this would flag a false positive. Additionally, false positives are a result of system configurations from third parties not applicable to the organization's infrastructure. The amount of data collected will depend on the breadth of data surveyed and "how far the net is cast." If the cast is narrow, then the information is limited, but the false positive score could be lower versus a wider cast net where this can increase, but the need for more information is collected for analysis. Having a human pilot is always important to navigate through the data, whether it's with false positives or not. While time and resources are spent on dealing with the false positives, it's important for organizations to be able to train and educate the analysts to spot them quickly and move on with the real ones. You always need a pilot in a plane to deal with events that can occur and sometimes you want the pilot, like Sully. Your analysts will need to classify and verify to make sure the event is legitimate and actual before taking action.  Read Less

Dot Your Expert Comments


Only for registered and approved experts. Please register before providing comments. Register here
* By using this form you agree with the storage and handling of your data by this web site.
Submit
0
FacebookTwitterLinkedinWhatsappEmail

You may also like

Iran Nuclear Facility Potential Cyber Attack – What Expert Says

Industry Leaders On Android.Joker Malware

Expert Reaction On Pulse Secure VPN Users Can’t Login Due...

New Vulnerabilities Put Millions Of IoT Devices At Risk

Expert Comment On Darktrace Set For IPO

Fake App Attacks On The Rise, As Malware Hides In...

Expert On Study That Brits Using Pets’ Names As Online...

Expert Reaction On Europol Publishes Its Serious And Organised Crime...

Fake Netflix App Allows Hackers to Hijack WhatsApp

Hackers Pretend To Be Your Friend In The Latest WhatsApp...