Security Experts:

How to Reduce False Positives and Move Faster on What Matters

A quick Google search reveals instances of false positives happening every day. A signal from NASA’s Opportunity rover that remained unresponsive for months after experiencing a dust storm on Mars, turned out to be a “ghost signal.” Blue cotton candy that initially tested positive as methamphetamine turned out to be, well, blue cotton candy. Numerous articles on false positive medical test results that subject individuals to unnecessary follow-up, treatments, cost and worry. 

Security professionals don’t have to look very far for instances of false positives either. According to the 2018 SANS Incident Response Survey published in October, 74 percent of the 452 respondents determined that at least one of the incidents they responded to was a false positive and six percent say they experienced more than 500 false positives in the past year. Meanwhile, 17 percent had no idea how many incidents were deemed false positives, which begs the question: Are individuals just reporting based on their own experience or are these numbers inclusive of other teams as well? Either way, organizations can ill afford to waste valuable resources responding to false positives, particularly when they report that the top two impediments to effective incident response are a shortage of skilled talent and budget. 

The survey asks if false positives speak to alerting mechanisms, or teams’ abilities to correctly validate alerts. The answer is both. Every day security teams are bombarded by massive volumes of logs, data and alerts which generate a significant amount of noise. And when uploaded directly to the SIEM or layers of defense (firewalls, IPS/IDS, routers, web and email security, endpoint, etc.) or incident response playbooks, these systems can generate even more noise. That’s because systems are going to flag what they know to flag based on the business rules that have been put into place. As a result, a team member ends up working on way too many alerts to determine what is real and what is not. 

How do we break this wasteful cycle and enable teams and technologies to reduce instances of false positives? The answer lies in prioritization and learning. 

Prioritization. Organizations need to prioritize as the first step in the process, ensuring relevance within their specific environment. Because you have multiple sources of context (external threat intelligence, internal data and intelligence, etc.) you need a central repository to aggregate data and alerts and manage and automate the prioritization process. With an approach to security that starts by aggregating, scoring and prioritizing within the context of your environment, you can reduce the noise and make better use of resources downstream. Security operators can focus on what really matters to the organization rather than wasting time and resources chasing ghosts. Whether working in the SIEM and evaluating alerts, or in an incident response platform looking at a case, security teams can work without the distraction of noise and false positives. The goal is to move fast, on the right things and make better use of the resources you have – time, talent and budget.

Learning. Another top impediment to effective incident response as reported by the SANS survey, are organizational silos between technologies and teams. This separation results in duplication of efforts and reduced knowledge sharing (if there is any). Technologies need to not only work together, but work to improve each other as well.  This points directly to the need for both integration and a continuous feedback loop in order to learn and improve over time. Since there are no silver bullet solutions, we must be prepared when a false positive still comes through. Systems must have the ability to learn and reprioritize, automatically tuning themselves to reduce false positives in the future. Teams must also be encouraged and empowered to learn from each other, documenting and sharing instances of false positives in a central repository. A process that embeds automated feedback mechanisms into existing workflows makes it easier for teams and tools to improve over time. 

No organization can afford to have people chasing problems that may not exist or do not matter to their organization. With prioritization and learning to reduce false positives we can remove the impediments to effective incident response and move faster on what matters.

view counter
Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Phantom Cyber.