Alerts: Avoiding False Positives

Every day, security analysts and the other professionals responsible for infrastructure monitoring and protection receive a series of alerts from the various hardware and software components that make up their technology architecture.  The key challenge lies in prioritizing these alerts, and determining which ones require immediate attention. 

 

False positives, incidents where security alerts are triggered even though no breach event has actually occurred, are becoming more and more common.  Many intrusion detection systems are designed to uncover even the slightest unauthorized activity, looking not just for actual intrusions, but for any possible intrusion.  As a result, they are often configured in such a way that a high number of false positives are also generated in addition to valid alerts.  These can cost companies a tremendous amount of time and money, and distract incident responders from those alerts that really do require further investigation. 

 

However, industry experts recommend several ways to reduce the number of false positives.  These suggestions include:

 

Fine-tuning systems

Many security systems are, by default, extremely sensitive.  But, their configurations can often be easily adjusted, to allow for more rigid definition of the criteria and thresholds that will trigger an alert.  Begin by reviewing past audit logs to identify those actions that most often result in false positives, and set system controls to ignore those activities.   

 

Using intelligent event correlation

Many experts believe that the future of enterprise security monitoring lies in event correlation, the ability for systems to leverage human-type intelligence to more effectively weed out false positives.  For example, multiple failed logins alone may not be enough to warrant a full-blown investigation.  Many of the more advanced systems will be able to dynamically perform further analysis and gather additional evidence, such as determining which IP address the logins were attempted from, before triggering an alert. 

 

Applying visualization techniques

 

A study conducted by the Department of Computer Science at the University of Virginia suggests that – particularly in massive data sets – the textual relaying of suspicious activity data alone can create an unacceptable number of false positives.  The report goes on to claim that by allowing system administrators and security analysts to visually analyze the same information using sophisticated graphics, it will be easier for them to identify the activity that represents low or no threat, and allow for faster detection of true malfunctions and breaches.  

 

Conducting more in-depth training

While false alarms cannot be eliminated completely, they can be more rapidly dismissed.  By training incident response teams to better tell the difference between a real alert and a false one, companies can avoid wasting precious staff time and incurring unnecessary expenditures.

How Early Breach Detection Can Prevent Major Losses

Sometimes, attempted incidents of fraud are unavoidable, no matter how hard a company tries to prohibit them.  In the past, before significant advances in technology, companies had little choice but to simply react to suspicious events long after they occurred.  But today, many experts believe that businesses have the tools at their disposal to take a more proactive approach to risk management.

It’s no secret that early detection can mean the difference between a minimal disturbance and a major disaster.  The sooner fraud is caught and stopped, the less damage a company is likely to experience.  For example, in the mid-1990’s, a trader at

Japan’s Sumitomo Trading Company perpetrated over $2.6 billion worth of fraud.  The offenses were committed over the course of a decade and a half, but had the activity been detected in the first year, losses could have been as little at $400,000.  

This is a particularly important when viewed from the perspective of a recent report issued by the Rollins Center for eBusiness, which claims that $1 in fraud-related expenses reduces net income by the same amount.  And because organizations have average profit margins of ten to twenty percent, additional revenue of five to ten times the amount of the fraud must be generated in order to restore net income to its pre-fraud level.

 

By identifying and diverting a potential breach in the earliest stages, companies can preserve the integrity of the data they manage, maintain profitability, save their reputation, protect their clients, and learn valuable lessons for the future.

 

But, according to a recent PriceWaterhouseCoopers survey, only about five percent of fraud and other white collar crimes are detected by active risk management strategies.

 

It’s obvious that early detection is critical.  But, what are some of the most effective methods, and how do they work?

• Behavior pattern analysis.  In order to immediately uncover an “out of the ordinary” action, you’ll first need to understand what constitutes “normal” activity.  By analyzing historical data to determine how authorized system users typically access information and perform transactions, companies can make suspicious activity clearer and easier to detect. 
• Identification of potential types of fraud and their symptoms.  When you know what you’re looking for, it’s easier to find.  Many companies have called in third party fraud consultants, who outline the types of events that are most likely to happen and what sequence of activities usually leads up to them.  This helps companies anticipate what may take place in the early stages of a breach, so they can begin their investigations and take corrective action much earlier. 
• Scoring.  Suspicious events need to be prioritized, in order to ensure optimum efficiency and effectiveness in investigations.  By scoring out of the ordinary activity based on its likelihood to lead to fraud, companies can allocate resources accordingly.  
• Real-time alerts.  Putting a “chain of command” into place, and implementing a software system that will automatically notify these key staff members when abnormal activity takes place will ensure the most rapid response possible, and enable the start of an immediate investigation if deemed necessary.

The Most Effective Incident Response Techniques

Many companies consider their log management strategy and related systems and techniques to be the most important weapon in their fight against fraud.  But, implementing IT auditing measures through the use of log management is just the first step.  In order to most effectively combat fraud, companies must have the proper procedures in place for handling incidents once they occur.  The speed and accuracy with which an organization responds can mean the difference between losses that are minimal, and those that are significant. 

 

What are some of the best ways to ensure swift, comprehensive incident response? 

 

Assemble a team

Companies who designate specific staff members – in advance – to address incidents once they are detected will experience less confusion and delay.  By clearly outlining who is responsible for what operational, decision-making, and investigative tasks, you can dramatically accelerate your incident response and resolution times.   

 

Document policies

Once everyone knows what they are responsible for in the case of a security event, they then need guidelines as to how assigned tasks should be carried out.  Formal, fully document response procedures will ensure that all actions taken are decisive, correct, and effective so losses can be contained as quickly as possible. 

 

Consult with external parties immediately

Many companies make the mistake of contacting their legal counsel or local law enforcement agencies after the investigation has been completed.  However, it is best to involve them in your evidence-gathering as soon as an incident occurs, since they can look at supporting data in an unbiased and experienced manner. 

 

Utilize live response

The size and complexity of today’s technology architectures, combined with the increasing volume of malicious activity, have made it more difficult than ever to gather forensic evidence when a breach takes place.  However, there are now tools on the market that allow for “live response” – the collection and analysis of system memory.  This approach not only minimizes any impact on system performance during the evidence gathering process, it allows investigators to more rapidly examine data to find the supporting data they need. 

 

Conduct ongoing assessments

Each time an incident occurs, have your team gather afterwards to discuss what areas of your incident response policy worked, and which ones didn’t. This will allow for ongoing learning and continuous enhancement, so policies can refined to be as effective as possible. 

 

Be proactive

Of course, the best defense against fraud is to proactively prevent it.  By analyzing log data in great detail to gain a full understanding of the patterns and trends that represent “normal” activity, companies can instantly uncover the peculiar or out-of-the-ordinary actions that lead up to a security event.  Therefore, they can detect and stop breaches before they happen – instead of simply reacting to them once they have already occurred.