Every day, security analysts and the other professionals responsible for monitoring and protecting infrastructure receive a stream of alerts from the many hardware and software components that make up their environment. The key challenge is prioritizing these alerts and determining which ones require immediate attention.
False positives, alerts that fire even though no malicious activity has actually occurred, are increasingly common. Many intrusion detection systems are designed to flag even the slightest unauthorized activity, looking not just for actual intrusions but for anything that might be one. As a result, they are often configured so that a high volume of false positives is generated alongside the valid alerts. These cost companies a tremendous amount of time and money, and distract incident responders from the alerts that really do require further investigation.
Industry experts do, however, recommend several ways to reduce the number of false positives. These suggestions include:
Fine-tuning systems
Many security systems are extremely sensitive by default, but their configurations can usually be adjusted to define more precisely the criteria and thresholds that trigger an alert. Begin by reviewing past alert history and audit logs to identify the actions that most often produce false positives, then tune the rules for those activities: raise a threshold, narrow a rule's scope, or add an exception for a known benign source such as an authorized vulnerability scanner. Prefer narrowing a rule to switching it off outright, and record and periodically review every exception, since each one is a potential blind spot that an attacker can hide behind.
Using intelligent event correlation
Many experts believe that the future of enterprise security monitoring lies in event correlation: having the system combine related events and contextual data the way an analyst would, rather than alerting on each event in isolation, so that false positives are weeded out more effectively. For example, a burst of failed logins alone may not warrant a full-blown investigation. More advanced systems can dynamically perform further analysis and gather additional evidence before triggering an alert, such as determining which IP address the attempts came from, whether that source is internal or external, and whether the failures were followed by a successful login from the same source.
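As an added example (not code from the original article), the following Python script runs a naive per-account failed-login rule and then a tuned, correlated rule over a handful of constructed log lines. It illustrates both the fine-tuning suggestion above (a higher threshold and an allowlisted scanner source) and the event-correlation idea in this paragraph (source context, failures followed by a success, and many accounts failing from one source). The log format, the IP ranges, the allowlisted scanner address and the thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log in an assumed "timestamp src_ip user outcome" format.
SAMPLE_LOG = """\
2024-03-01T09:00:01 10.0.5.20 svc-backup FAIL
2024-03-01T09:00:02 10.0.5.20 svc-backup FAIL
2024-03-01T09:00:03 10.0.5.20 svc-backup FAIL
2024-03-01T09:00:04 10.0.5.20 svc-backup FAIL
2024-03-01T09:00:05 10.0.5.20 svc-backup FAIL
2024-03-01T09:10:00 192.168.1.15 alice FAIL
2024-03-01T09:10:20 192.168.1.15 alice FAIL
2024-03-01T09:10:40 192.168.1.15 alice FAIL
2024-03-01T09:11:00 192.168.1.15 alice SUCCESS
2024-03-01T09:20:00 203.0.113.7 bob FAIL
2024-03-01T09:20:10 203.0.113.7 bob FAIL
2024-03-01T09:20:20 203.0.113.7 bob FAIL
2024-03-01T09:20:30 203.0.113.7 bob FAIL
2024-03-01T09:20:40 203.0.113.7 bob FAIL
2024-03-01T09:20:50 203.0.113.7 bob SUCCESS
2024-03-01T09:30:00 198.51.100.9 carol FAIL
2024-03-01T09:30:01 198.51.100.9 dave FAIL
2024-03-01T09:30:02 198.51.100.9 erin FAIL
2024-03-01T09:30:03 198.51.100.9 frank FAIL
2024-03-01T09:30:04 198.51.100.9 grace FAIL
"""

WINDOW = timedelta(minutes=10)

def parse(log):
    """Parse the assumed log format into (timestamp, src_ip, user, outcome) tuples."""
    events = []
    for line in log.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome))
    return events

def naive_alerts(events, threshold=3):
    """Default-style rule: N failures for one account inside WINDOW -> alert."""
    fails = defaultdict(list)
    alerts = set()
    for ts, ip, user, outcome in sorted(events):
        if outcome != "FAIL":
            continue
        fails[user] = [t for t in fails[user] if ts - t <= WINDOW] + [ts]
        if len(fails[user]) >= threshold:
            alerts.add(user)
    return sorted(alerts)

# Tuning decisions (assumed): a scanner confirmed benign from past alert review,
# the internal address ranges, and higher thresholds chosen from that review.
KNOWN_SCANNERS = {"10.0.5.20"}          # review this allowlist periodically
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
PER_USER_THRESHOLD = 5                  # failures per account inside WINDOW
SPRAY_ACCOUNTS = 4                      # distinct accounts failing from one source

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)

def tuned_alerts(events):
    """Tuned thresholds plus correlation of related events before alerting.

    Returns {subject: severity}; subjects are user names or "spray:<ip>".
    """
    fails_by_user = defaultdict(list)   # user -> [(ts, src_ip)]
    fails_by_src = defaultdict(list)    # src_ip -> [(ts, user)]
    alerts = {}
    for ts, ip, user, outcome in sorted(events):
        if ip in KNOWN_SCANNERS:
            continue                    # tuned out: known benign noise source
        if outcome == "FAIL":
            fails_by_user[user] = [(t, i) for t, i in fails_by_user[user]
                                   if ts - t <= WINDOW] + [(ts, ip)]
            fails_by_src[ip] = [(t, u) for t, u in fails_by_src[ip]
                                if ts - t <= WINDOW] + [(ts, user)]
            if len(fails_by_user[user]) >= PER_USER_THRESHOLD:
                # Context: an external source is more suspicious than an internal one.
                alerts[user] = "medium" if is_internal(ip) else "high"
            if len({u for _, u in fails_by_src[ip]}) >= SPRAY_ACCOUNTS:
                # Password spray: few failures per account, many accounts, one source.
                alerts[f"spray:{ip}"] = "high"
        elif outcome == "SUCCESS":
            # Correlation: a success right after repeated failures from the same
            # source is the signal worth an investigation (possible brute force).
            recent = [i for _, i in fails_by_user[user] if i == ip]
            if len(recent) >= PER_USER_THRESHOLD:
                alerts[user] = "critical"
    return alerts

if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("naive :", naive_alerts(evs))
    print("tuned :", tuned_alerts(evs))
```

On this input the naive rule raises three alerts (the scanner, alice's mistyped password and bob) and misses the spray entirely, while the tuned rule raises only bob (escalated to critical because the failures were followed by a success from the same external address) and the spray source. The allowlist is deliberately a named constant so that it is visible and reviewable rather than buried in a rule that silently drops events.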
Applying visualization techniques
A study conducted by the Department of Computer Science at the University of Virginia suggests that, particularly for massive data sets, presenting suspicious-activity data as text alone can leave analysts with an unacceptable number of false positives to wade through. The report goes on to claim that letting system administrators and security analysts explore the same information visually, using sophisticated graphics, makes it easier for them to identify activity that represents low or no threat, and allows faster detection of real malfunctions and breaches.
Conducting more in-depth training
While false alarms cannot be eliminated completely, they can be dismissed more rapidly. By training incident response teams to tell a real alert from a false one more reliably, for instance by documenting for each alert type what evidence confirms it and what rules it out, companies can avoid wasting precious staff time and incurring unnecessary expense.