Cyber attacks and data breaches made big news in 2020 and 2021:
- In 2020, 37 percent of organizations were affected by ransomware attacks, according to a survey from cybersecurity firm Sophos.
- In September 2020 alone, cybercriminals stole or compromised 9.7 million medical records.
- 74 percent of organizations experienced malware attacks in 2021, up from 61 percent in 2020.
Today’s organizations are vulnerable to all kinds of cyberattacks, which NIST (the National Institute of Standards & Technology) defines as events that disrupt, disable, destroy, or maliciously control a computing environment, destroy data integrity, or steal controlled information.
Expert security teams know that attackers might compromise the enterprise network, systems, or applications; or steal data at any time through any number of means. To protect themselves, organizations invest in cybersecurity measures and tools, such as:
- Firewalls
- Anti-virus and anti-malware software
- Endpoint Detection and Response (EDR)
- Vulnerability scanners
- Penetration testing tools
- Intrusion Prevention Systems
- Security Information and Event Management (SIEM) platforms
These tools help to keep intruders out of the enterprise network. Many also alert security teams and security operations centers (SOCs) to the presence of cybercriminals or hackers so the team can move to prevent — or at least mitigate — a security incident or cyber attack.
Such security alerts are critical to active, ongoing cybersecurity. They also, however, can pose problems for security analysts and managers — thanks to those maddening things otherwise known as false positives.
What Are Cybersecurity False Positives?
False positives are incorrect alerts about cybersecurity; they warn teams that some issue is an infection or attack, when in reality it is not. The positive result (“this is an attack”) is false. That’s in contrast to true positives, which correctly note that some incident is an attack.
More simply — a false positive is the same as a false alarm. It indicates a vulnerability, threat, or risk where none actually exists.
Examples of common false positives include:
- Software bugs or poorly written software
- Unrecognized network traffic
- Legitimate cleanup utilities that delete old shadow copies, triggering a malware or ransomware alert
- Legitimate files with missing security certificates that get flagged as “malicious”
Security tools are often configured in such a way, or placed in such a location, that they raise alerts on everything that might indicate an infection or security threat.
Such tools aim to avoid missing any indicator that could lead to a real infection or cyber attack, and that’s a worthy objective. This approach, however, becomes problematic for security teams (as well as the organization) when too many false positives arise.
The Challenges of Security False Positives
According to 2021 research by Fastly:
- About 45 percent of all alerts are cybersecurity false positives.
- 75 percent of organizations spend the same amount (or more) time on false positives as they do on actual attacks.
- False positives cause the same amount of downtime as real cyber attacks.
A false positive is an alert that a security platform raises on activity that turns out not to be malicious. Because an alert cannot be assumed benign until someone checks it, security teams must review each alert and verify whether the threat is real, or a genuine threat could slip through and become an actual attack.
False positives, however, increase the “noise” in the organization’s cybersecurity infrastructure. At large organizations, they can overwhelm security teams with hundreds or even thousands of alerts every day.
Many alerts don’t contextualize potential cybersecurity threats or provide enough information to support solid investigation and threat mitigation. As a result, analysts have to deal with the problem of alert fatigue and burnout.
Alert fatigue is believed to be one of the root causes of the 2013 Target security breach in which the credit card and private data of about 40 million customers were stolen.
Under alert fatigue, security personnel may ignore or miss important alerts that indicate a real, malicious cyber threat. This weakens the organization’s security posture and increases the risk of an actual cyber attack or data breach.
How to Better Identify False Positives
False positives are an issue for every organization. Until a security tool is invented that can perfectly alert only on real threats or genuine security risks, security teams will have to deal with false positives. They can, however, reduce the burden of investigation, analysis, and action.
To achieve this, it’s essential to deploy tools that are robust enough to identify real threats and also are intelligent enough not to raise unnecessary false positives.
Such tools must collect, analyze, and contextualize threat evidence, build an evidence-based case for an infection or exploitation, and present it to the security team for further attention. This approach consumes less time, since personnel won’t have to verify each raw alert individually, while also assuring that real threats are appropriately investigated and addressed.
Many existing security information and event management (SIEM) or endpoint detection and response (EDR) solutions raise too many false positives. They can be strengthened with extended detection and response (XDR) tools that provide better visibility into threat data and correlate and prioritize alerts for improved threat detection and remediation with minimal false positives.
How to Reduce and Manage False Positives
Optimize the Cybersecurity Tech Stack
Many organizations use multiple cybersecurity tools to strengthen their security posture. While there’s nothing wrong with this approach, optimizing the tech stack is essential to assure that your tools are not contributing to the false positive problem.
A global IBM survey found that using more than 50 tools in the security tech stack leads to less effective security response. Many such tools are not interoperable, so companies also find it more difficult to detect and respond to threats effectively.
This means organizations must select and implement the right security tools. Security teams must conduct an inventory of the security tech stack and, where necessary, replace some tools with more comprehensive solutions that are interoperable and (ideally) offer end-to-end security.
Further, these tools must be appropriately integrated to minimize false positives and alert fatigue.
Reduce the Size of the Threat Surface
The threat surface comprises every device, application, or endpoint that an attacker could leverage to gain unauthorized access to an organization. This includes:
- Mobile and desktop devices
- Operating systems
- Unsupported, unpatched, or shadow IT software
- Network devices such as servers, routers, and switches
- Misconfigured cloud services
- Any Internet-connected service or device, such as IoT devices
Security teams must assess all these potential threat access points and take action to secure them. Doing this can reduce the threat surface size and reduce the number of alerts that need to be analyzed, managed, and investigated.
Adjust Alert Thresholds and Prioritize Alerts
Many false positives are the result of overly sensitive or narrowly set alert thresholds. To reduce the number of false positives, security teams must rethink the rules that trigger alerts. For example, a single incorrect password entry need not trigger an alert, but multiple rapid incorrect password attempts may indicate a brute force attack and therefore should raise an alert.
It’s also essential to prioritize the threats and alerts that are most relevant or most likely to have the most significant impact on the organization. While this approach cannot eliminate cyber risks entirely, it can help teams triage alerts and focus on mitigating genuine threats.
Enrich Alerts with Context
Some security tools simply raise alerts on potential threats without providing the proper context or additional information to help with the investigation. In such cases, actionable threat intelligence solutions provide highly contextual and real-time data about threats, so security teams can more easily identify, prioritize and mitigate real risks without drowning in a sea of false positives.
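The three practices above (thresholding instead of alerting on every failure, prioritizing by likely impact, and enriching alerts with context) can be shown together in a small detection script. The following Python is an added example, not code from the article or from Reciprocity/ZenGRC; the log format, host names, IP addresses, asset-criticality table, scanner allowlist, and priority labels are all constructed assumptions chosen for illustration.

```python
"""Thresholded brute-force detection, alert enrichment and prioritization.

Added example, not code from the article: the log format, hosts, IPs,
asset table, scanner allowlist and priority labels are all constructed.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed authentication log. bob's slow failures are benign noise;
# alice's burst is a real brute-force pattern; svc's burst comes from a
# known internal vulnerability scanner and should not page anyone.
SAMPLE_LOG = """\
2021-06-01T10:00:01 host=db01 sshd auth_fail user=alice src=10.0.0.5
2021-06-01T10:00:03 host=db01 sshd auth_fail user=alice src=10.0.0.5
2021-06-01T10:00:04 host=db01 sshd auth_fail user=alice src=10.0.0.5
2021-06-01T10:00:05 host=db01 sshd auth_fail user=alice src=10.0.0.5
2021-06-01T10:00:06 host=db01 sshd auth_fail user=alice src=10.0.0.5
2021-06-01T10:05:00 host=web01 sshd auth_fail user=bob src=10.0.0.9
2021-06-01T10:20:00 host=web01 sshd auth_fail user=bob src=10.0.0.9
2021-06-01T10:30:00 host=web01 sshd auth_ok user=bob src=10.0.0.9
2021-06-01T10:31:00 host=web01 sshd auth_fail user=svc src=10.0.0.200
2021-06-01T10:31:01 host=web01 sshd auth_fail user=svc src=10.0.0.200
2021-06-01T10:31:02 host=web01 sshd auth_fail user=svc src=10.0.0.200
2021-06-01T10:31:03 host=web01 sshd auth_fail user=svc src=10.0.0.200
2021-06-01T10:31:04 host=web01 sshd auth_fail user=svc src=10.0.0.200
"""

# Constructed context: asset criticality per host and an allowlist of
# internal scanners whose failed logins are expected.
ASSETS = {"db01": "high", "web01": "medium"}
KNOWN_SCANNERS = {"10.0.0.200"}
PRIORITY_BY_CRITICALITY = {"high": "P1", "medium": "P2", "low": "P3"}


def parse_line(line):
    """Parse one constructed log line; return None if it does not fit."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, host_kv, _proc, result, user_kv, src_kv = parts
    try:
        return {
            "ts": datetime.fromisoformat(ts),
            "host": host_kv.split("=", 1)[1],
            "result": result,
            "user": user_kv.split("=", 1)[1],
            "src": src_kv.split("=", 1)[1],
        }
    except (ValueError, IndexError):
        return None


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Alert once per (src, host) when `threshold` failures fall inside a
    sliding window of `window_seconds`. A lone failure never alerts."""
    recent = defaultdict(deque)  # (src, host) -> timestamps of failures
    alerted = set()              # keys already reported (dedupe)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "auth_fail":
            continue
        key = (ev["src"], ev["host"])
        q = recent[key]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that aged out of the window
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"rule": "ssh_bruteforce", "src": ev["src"],
                           "host": ev["host"], "user": ev["user"],
                           "failures": len(q), "first_seen": q[0],
                           "last_seen": ev["ts"]})
    return alerts


def enrich(alert, assets, known_scanners):
    """Attach asset criticality and scanner status, then assign priority."""
    criticality = assets.get(alert["host"], "low")
    out = dict(alert)
    out["asset_criticality"] = criticality
    out["known_scanner"] = alert["src"] in known_scanners
    # Known scanners keep the alert for the record but are not escalated.
    out["priority"] = ("suppressed" if out["known_scanner"]
                       else PRIORITY_BY_CRITICALITY.get(criticality, "P3"))
    return out


def triage(log_text, assets, known_scanners, threshold=5, window_seconds=60):
    """Parse, detect, enrich and return alerts ordered by priority."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    alerts = [enrich(a, assets, known_scanners)
              for a in detect_bruteforce(events, threshold, window_seconds)]
    order = {"P1": 0, "P2": 1, "P3": 2, "suppressed": 3}
    return sorted(alerts, key=lambda a: order[a["priority"]])


if __name__ == "__main__":
    for a in triage(SAMPLE_LOG, ASSETS, KNOWN_SCANNERS):
        print(a["priority"], a["rule"], a["src"], "->", a["host"],
              f"user={a['user']} failures={a['failures']}")
```

Run as-is, the script reports only two alerts out of thirteen log lines: the burst against the high-criticality host comes out as P1, the scanner's burst is kept but marked suppressed, and bob's two slow failures never cross the threshold. The same structure scales to a real pipeline by swapping the constructed inventory and allowlist for an asset database and threat-intelligence feed.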
Improve Enterprise-wide Cybersecurity Hygiene
Good cybersecurity hygiene goes a long way towards strengthening the organization’s security posture and preventing security tools from raising too many false positives. This is why it’s critical for organizations to:
- Regularly patch all software, including operating systems
- Minimize the prevalence of shadow IT software, devices, and other resources
- Use strong passwords
- Implement multi-factor authentication (MFA)
- Deploy robust firewalls, anti-malware, and anti-virus solutions
- Educate employees on safe cybersecurity practices, such as how to recognize phishing emails, why they must not click on malicious links, and how to avoid social engineering attempts
Take Your Cybersecurity to the Next Level with ZenGRC
As the cyberthreat landscape expands, organizations need a robust security program and security tools to detect advanced threats while minimizing the noise of cybersecurity false positives and notifications.
ZenGRC provides a holistic, integrated platform that can empower your organization to meet those objectives. ZenGRC provides guidance from the most trusted cybersecurity frameworks to help you implement a program that will expose existing and new threats, so security teams can proactively strengthen enterprise security in the least burdensome way possible.
Contact Reciprocity for more information on how to efficiently monitor your enterprise IT infrastructure with minimal false positives.