How to Avoid Wasting Time on False Positives

by Carl Manion
Managing Principal, Raytheon Foreground Security

False positives. Those annoying notifications that make you panic at first, but after further investigation, turn out to be nothing to worry about. At first, they may seem like a minor inconvenience, but what happens when you have hundreds—or even thousands—of them occurring every day and you find yourself wasting 75 percent (or more) of your time?

Unfortunately, this is exactly what’s happening to cybersecurity analysts in security operation centers (SOCs) all over the world, because they are following a traditional, reactive approach to security-threat monitoring.

Within most SOCs, false positives are a major problem. It’s not only because they take time and resources to address, but also because they distract security analysts from dealing with legitimate security threats. And when security analysts become desensitized to alerts because they’re wasting time reacting to too many false positives, they start to miss true indicators of cyber attacks.

What causes false positives?

The most common sources of false positives are poorly configured or poorly tuned security tools, such as security information and event management (SIEM) solutions, intrusion detection systems (IDS)/intrusion prevention systems (IPS), and endpoint detection and response tools. Each of these technologies uses a variety of techniques to detect attacks based on a set of pre-defined rules, known signatures, patterns, expected user behaviors, and so on. A false positive typically originates within one of these tools when a rule, signature or pattern is defined too broadly, or is missing some logic. As a result, it incorrectly identifies events that match the current logic—even though they aren’t legitimate security threats.

With that in mind, here are seven basic habits that organizations can follow to help minimize false positives:

1) Be proactive. Be proactive in your threat-management approach. If all you do is wait for alerts and alarms to go off, you will spend more time chasing false positives than you will on identifying real threats. Get ahead of it. That is the only proven approach for detecting the most advanced cyber threats.

2) Begin with the end in mind. Alerting technologies can significantly improve your ability to identify suspicious or malicious activity when used correctly. Unfortunately, many organizations use them too broadly. The key is to focus on the types of threats you intend to detect. Assess the risk and security needs of your business, and then focus your alerting technologies on the highest-risk threats. Focusing on your end goal—the most relevant threats you want to detect—will help reduce false positives.

3) Prioritize high-risk alerts. Prioritization is one of the best tools a SOC can use to minimize time spent on false positives. Alerts that have the highest reliability, and are associated with detecting high-risk events, should obviously be assigned a higher priority. That frees up analysts to work the queue from highest priority to lowest, ensuring the events of the greatest risk are addressed first.

4) Think win-win. This means seeing life through the lens of a cooperative arena, not a competitive one. Choose collaborative intelligence sources that will bring different fidelity, relevance, and value to your security operations. (Choose wisely though; blindly integrating intelligence feeds without evaluating their fidelity and false positive rates could hurt your security operations, if you’re not careful.)

5) Seek first to understand. Addressing the issue of false positives should start with a thorough understanding of what threats a given tool is intended to address, as well as how it functions. When implementing a tool, ensure that you fully understand why you’re deploying it, rather than making assumptions about ‘common’ use cases, or worse, installing a tool with default settings.

6) Synergize (use correlation). In many cases, an event may not be interesting unless it’s observed along with one or more other events of interest. In such cases, you should use a set of clearly defined correlation rules and only send an alert to your work queue if all related correlation criteria are satisfied.

7) Sharpen the saw. Review all alerts and develop better alerting rules based on lessons learned. By reviewing every alert that goes into your queue, you’ll learn how to tune and improve your rules. Today's threats are sophisticated and require intelligent, targeted, insightful alert logic to extract events of concern while minimizing false positives. Continuously working to tune this logic is critical for minimizing false positives.
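Habits 3, 6 and 7 above are the ones that translate directly into detection logic, so here is an added example (written for this page, not code from the author or from Raytheon Foreground Security) showing all three together: a small correlation engine that fires a rule only when every required event kind is seen on the same host inside a time window (habit 6), a work queue ordered by risk multiplied by the rule's historical fidelity (habit 3), and a retune step that recomputes a rule's fidelity from analyst verdicts on its past alerts (habit 7). The event stream, the rule names, the window sizes and the risk and fidelity figures are all constructed for illustration; in a real SOC they would come from your own telemetry and your own alert-review history.

```python
from collections import defaultdict
from dataclasses import dataclass, replace

# Constructed sample telemetry (not from the article): (timestamp in seconds, host, event kind).
SAMPLE_EVENTS = [
    (100, "ws-01", "failed_login"),
    (105, "ws-01", "failed_login"),
    (140, "ws-01", "new_local_admin"),
    (170, "ws-01", "outbound_beacon"),
    (200, "ws-02", "failed_login"),
    (900, "ws-02", "new_local_admin"),   # far outside any window, so it never completes a chain
    (300, "srv-db", "outbound_beacon"),
]


@dataclass(frozen=True)
class Rule:
    name: str
    required: frozenset   # every kind in this set must be seen on one host within `window`
    window: int           # correlation window in seconds
    risk: int             # 1..10: impact if the alert turns out to be real
    fidelity: float       # 0..1: fraction of this rule's past alerts that were true positives


# Hypothetical rules. The multi-criteria chain is narrow and reliable; the single-criterion
# rules are the broad, noisy kind the article warns about, and their fidelity reflects that.
RULES = [
    Rule("cred_abuse_chain",
         frozenset({"failed_login", "new_local_admin", "outbound_beacon"}), 120, 9, 0.80),
    Rule("beacon_only", frozenset({"outbound_beacon"}), 60, 6, 0.20),
    Rule("brute_force", frozenset({"failed_login"}), 60, 3, 0.05),
]


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    start: int        # timestamp of the first correlated event
    end: int          # timestamp of the last event that completed the criteria
    priority: float   # risk * fidelity; the queue is worked from highest to lowest


def correlate(events, rule):
    """Habit 6: emit an alert only when ALL of rule.required occur on one host within rule.window."""
    by_host = defaultdict(list)
    for ts, host, kind in sorted(events):
        by_host[host].append((ts, kind))

    alerts = []
    for host, evs in by_host.items():
        for i, (start, kind) in enumerate(evs):
            if kind not in rule.required:
                continue                      # only required events can open a window
            seen = {}
            for ts, k in evs[i:]:
                if ts - start > rule.window:
                    break
                if k in rule.required:
                    seen.setdefault(k, ts)    # remember the first occurrence of each kind
            if set(seen) == rule.required:
                alerts.append(Alert(rule.name, host, start, max(seen.values()),
                                    round(rule.risk * rule.fidelity, 2)))
                break                         # one alert per host per rule; no duplicate queue entries
    return alerts


def build_queue(events, rules):
    """Habit 3: run every rule, then order the queue so the highest-risk, most reliable alerts come first."""
    queue = [alert for rule in rules for alert in correlate(events, rule)]
    queue.sort(key=lambda a: a.priority, reverse=True)
    return queue


def retune(rule, verdicts):
    """Habit 7: recompute fidelity from analyst dispositions (True = true positive, False = false positive)."""
    if not verdicts:
        return rule
    true_positives = sum(1 for v in verdicts if v)
    return replace(rule, fidelity=round(true_positives / len(verdicts), 2))


if __name__ == "__main__":
    for alert in build_queue(SAMPLE_EVENTS, RULES):
        print(f"{alert.priority:5.2f}  {alert.rule:18} {alert.host:7} t={alert.start}..{alert.end}")
    # After review, a rule whose alerts were almost all noise sinks further down the queue.
    print(retune(RULES[2], [False] * 19 + [True]))
```

Running it puts the `cred_abuse_chain` alert for `ws-01` at the top (priority 7.2), the two beacon-only alerts next, and the brute-force alerts last; `ws-02` never produces a chain alert because its events fall outside the 120-second window. Feeding analyst verdicts back through `retune` is what keeps the ordering honest over time: a rule that keeps producing false positives loses fidelity, and with it queue position, until someone tightens its logic.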

Although false positives will always exist in cybersecurity operations, it is possible to minimize their quantity and impact by following the seven basic habits described above.