7 ways to filter out cyber alert false positives
- By Neelima Rustagi
- Jan 18, 2017
Modern organizations deal with a virtual tsunami of security alerts on a daily basis. In a recent survey, 10 percent of the respondents reported that they handled more than 50,000 alerts every day, and approximately 33 percent reported that their daily total exceeds 1,000 alerts. A separate study conducted by the Ponemon Institute found that 37 percent of respondents faced more than 10,000 daily alerts, with 52 percent of them being false positives.
False positives can cost an organization tens of thousands of wasted hours, which can easily add up to hundreds of thousands or even millions of dollars. And the costs can be substantially more if real threats are missed because staff members are overwhelmed and forced to look for the proverbial needle in the haystack.
Reducing the number of false positives and efficiently handling the ones that are generated have become top priorities for many organizations. However, without an effective strategy, these two goals might as well be added to a wish list that never becomes a reality. To avoid that outcome, here are tips on how to slash the number of false positives as well as ideas on how to handle them in the most efficient manner.
1. Have each rule reviewed by a panel of security experts before adding it to the system. The more "eyes" examining the proposed rule, the less likely that rule will generate false positives.
2.Test the rules as silent rules before committing them. This will help determine whether the rules are generating false positives without interfering with legitimate operations. When adding a blocking rule, for example, make sure that employees or customers are not denied legitimate access because their actions inadvertently triggered a false positive.
3. Run additional iterations if the rule triggers false positives. Modify the rule or divide it into multiple rules having greater specificity. Keep testing as a silent rule until the rule returns no false positives.
4. Build relationships with other departments to develop rules to handle special situations. For example, if an agency normally processes 1,000 hits per minute, it’s important to know if marketing plans a national television campaign that is expected to generate 500,000 hits within a few minutes of the ad's airing. The sudden burst of activity could be interpreted by a rule as a denial-of-service attack, and if blocking resulted, the money spent on the campaign could be wasted.
5. Be careful when writing rules that rely on wildcards, especially if the string contains commonly used words. One example would be a line of PHP code designed to protect against SQL injections. The code may contain words such as "select," "from" or "where." If the rule is designed to block instances where these words appear, false positives will likely occur.
6. Automate incident response. Look for a platform that can handle many of the mundane tasks that are currently taking too much staff time and free analysts for more important tasks, including a thorough evaluation of false negatives.
7. Practice proactive hunting. According to an analyst with the Bank of America, there are almost 400 new threats per minute in just the United States, and 70 percent of them go undetected. Instead of relying on information on known threats or signatures -- which may not be disseminated for weeks or even months after they appear -- agencies can hunt for anomalies and suspicious behavior to limit exposure and mitigate damages.
As the volume of alerts continues to increase, eliminating false positives and developing new methods of handling them will become increasingly critical. Although the task may seem overwhelming at first, the right combination of strategy, personnel, automation and tools can provide results that save agencies money while strengthening their defenses.
Neelima Rustagi is director of product management at Demisto.