Modern organizations must deal with a virtual tsunami of security alerts on a daily basis. In a recent survey, 10 percent of the respondents reported that they dealt with more than 50,000 alerts every day, and approximately 33 percent reported that their daily total exceeds 1,000 alerts. A study conducted by the Ponemon Institute found that 37 percent of the respondents faced more than 10,000 daily alerts, with 52 percent of them being false positives. False positives can cost an organization tens of thousands of wasted hours, which can easily be the equivalent of more than $1.25 million lost each year. However, the costs can be substantially more if real threats are missed because staff members are overwhelmed and essentially forced to look for the proverbial needle in the haystack.
Reducing the number of false positives and efficiently handling the ones that are generated have become top priorities for many organizations. However, without an effective strategy, these two goals might as well be added to a "wish list" that never becomes reality. Here are some tips on how to slash the number of false positives inundating your staff, as well as ideas on how to handle them in the most efficient manner.
- Have each rule reviewed by a panel of security experts before adding it to your system. The more "eyes" examining the proposed rule, the less likely that rule will generate false positives.
- Test the rules as silent rules before committing them. This allows you to determine whether the rules are generating false positives without interfering with legitimate operations. For example, if you are adding a blocking rule, you want to make sure that employees or customers are not denied legitimate access because their actions inadvertently triggered a false positive.
- Run additional iterations if the rule triggers false positives. Modify the rule or divide it into multiple rules having greater specificity. Keep testing as a silent rule until the rule returns no false positives.
- Build relationships with other departments so that you can develop rules to handle special situations. For example, if your company's online store normally processes 1,000 hits per minute, you need to know if marketing plans a national television campaign that is expected to generate 500,000 hits within a few minutes of the ad's airing. A rule could interpret the sudden burst of activity as a denial-of-service attack, and if it blocked that traffic, the money spent on the campaign could be wasted.
- Be careful when writing rules that rely on wildcards, especially if the matched string contains commonly used words. One example would be a line of PHP code designed to protect against SQL injection: the rule may match on words such as "Select," "From" or "Where." If the rule is designed to block every instance where these words appear, false positives will likely occur, because those words are also common in legitimate input such as search queries.
- Automate your incident response. Demisto Enterprise is the first intelligent ChatOps platform for automating and streamlining incident response and security operations. The platform can handle many of the mundane tasks that are currently taking so much of your staff's time. This frees your analysts for more important tasks, including a thorough evaluation of false negatives.
- Practice proactive hunting. According to an analyst with the Bank of America, there are almost 400 new threats per minute in just the United States, and 70 percent of them go undetected. Instead of relying on information on known threats or signatures — which may not be disseminated for weeks or even months after a new threat appears — organizations can hunt for anomalies and suspicious behavior to limit exposure and mitigate damages.
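The silent-rule workflow (test, measure false positives, refine, and only then block) and the keyword-wildcard pitfall above can be shown together. The following Python script is an added example, not code from the article or from any product it mentions; it assumes nothing about your own rule engine. The rule names, the regular expressions and the labelled sample requests are all constructed for illustration: a naive rule that fires on bare SQL keywords is run side by side with a tighter rule that requires SQL structure, both in silent mode, and a rule is promoted to blocking only when it produces zero false positives over the labelled set.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """A detection rule plus its deployment mode: 'silent' only logs, 'block' denies."""
    name: str
    pattern: re.Pattern
    mode: str

    def matches(self, text: str) -> bool:
        return self.pattern.search(text) is not None


# Naive rule (hypothetical): fires on bare SQL keywords anywhere in the request.
# These words also occur in ordinary search queries and e-mail style filters.
NAIVE_RULE = Rule(
    "sqli_keywords_naive",
    re.compile(r"\b(select|from|where|union)\b", re.IGNORECASE),
    "silent",
)

# Tighter rule (hypothetical): requires SQL *structure* rather than a keyword alone,
# e.g. a quote followed by a boolean tautology, a UNION SELECT clause, a trailing
# SQL comment or a stacked DROP TABLE. It is still a heuristic, not a complete
# SQL injection detector, so it too starts life in silent mode.
TIGHT_RULE = Rule(
    "sqli_structure",
    re.compile(
        r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+"   # ' OR '1'='1
        r"|\bunion\s+(all\s+)?select\b"         # UNION SELECT ...
        r"|--\s*$"                              # trailing SQL comment
        r"|;\s*drop\s+table\b",                 # stacked query
        re.IGNORECASE,
    ),
    "silent",
)

# Constructed sample request parameters, labelled True when they are attacks.
SAMPLES = [
    ("q=select a comfortable chair from our catalog", False),
    ("q=where is my order", False),
    ("comment=I love this store!", False),
    ("q=from:alice subject:invoice", False),
    ("q=union station parking", False),
    ("id=1' OR '1'='1", True),
    ("id=1 UNION SELECT username, password FROM users", True),
    ("q=admin'--", True),
    ("name=x'; DROP TABLE users; --", True),
]


def evaluate(rule: Rule, samples) -> dict:
    """Run a rule over labelled samples and count true/false positives and negatives."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for text, is_attack in samples:
        hit = rule.matches(text)
        if hit and is_attack:
            counts["tp"] += 1
        elif hit and not is_attack:
            counts["fp"] += 1
        elif not hit and is_attack:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    return counts


def handle_request(rule: Rule, text: str, log: list) -> str:
    """Apply a rule to one request. In silent mode a match is only recorded, so a
    false positive never denies legitimate traffic; only a 'block' rule denies."""
    if not rule.matches(text):
        return "allow"
    log.append((rule.name, text))
    return "block" if rule.mode == "block" else "allow"


def promote_if_clean(rule: Rule, samples) -> Rule:
    """Promote a silent rule to blocking only when it produced zero false positives
    over the labelled set; otherwise it stays silent and goes back for refinement."""
    if evaluate(rule, samples)["fp"] > 0:
        return rule
    return Rule(rule.name, rule.pattern, "block")


if __name__ == "__main__":
    for rule in (NAIVE_RULE, TIGHT_RULE):
        report = evaluate(rule, SAMPLES)
        promoted = promote_if_clean(rule, SAMPLES)
        print(f"{rule.name}: {report} -> mode after review: {promoted.mode}")
```

Over these samples the naive rule flags four of the five legitimate requests and still misses three of the four attacks, so it stays silent; the structural rule has no false positives on this set and is promoted. In practice the labelled set should be replayed from real traffic captured while the rule was silent, and the promotion decision reviewed by the panel the article recommends rather than taken automatically.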
As the volume of alerts continues to increase, eliminating false positives and developing new methods of handling them will become increasingly critical. Although the task may seem overwhelming at first, the right combination of strategy, personnel, automation and tools can provide results that save your organization money while strengthening its defenses.