InfoSec Insider

Keeping False Positives in Check

InfoSec Insider Justin Jett shares his opinions on how to avoid false-positive alert fatigue before it sets in and companies drop their guard.

In 2017, seven out of ten organizations said their security risks increased significantly, according to a Ponemon Institute study. This is no surprise given that last year organizations suffered the largest ransomware outbreak in history (WannaCry) and vulnerabilities such as Meltdown and Spectre came to light. These have caused many a headache for IT teams.

That has businesses looking for ways to remediate problems as they arise. One obstacle to that is dealing with a slew of false positives that can feel overwhelming and utterly impossible to deal with. Getting past the false positives to actionable data is what’s needed and can be closer at hand than one might think.

As the number of devices connecting to the network continues to grow, so does the threat landscape. Additionally, these devices bring a flurry of problems that only add to the complexity. By 2020, there will be roughly 200 billion connected devices, according to a 2016 study. This risk is exacerbated by the rise of IoT devices and a major skills gap that has plagued organizations for many years.

With so many false positives coming from their security information and event management (SIEM) system or other disparate systems, many organizations simply can’t keep up with the alerts and have resorted to minding only the alerts that pertain to the most critical systems on their network. This is a dangerous approach. By ignoring false positives, you also ignore real threats or true positives.

Here are some strategies that businesses can use to help reduce false positives and target threats.

Use network traffic analytics as a complement to your SIEM. You have deployed a SIEM to help you correlate logs from many disparate systems into one place. This helps you reduce your false positives (if an event is seen across multiple systems it’s far more likely to be true), but it only tells you the alarm that was triggered. It doesn’t provide actionable data to help you remediate the problem. Network traffic analytics provides additional insight to alarms generated by the SIEM. With information like username details, connection details, and duration and frequency of communication, you can quickly see where the problem is, where it may have spread, and what information may have been taken or compromised.

Implement a zero-trust approach for IoT devices. These devices are purpose-built with a limited set of requirements to function properly. When deploying IoT devices on the network, do so in a way that reduces their footprint on the network. By giving these devices access to only the minimum, you reduce risk. Additionally, because you’ve only given them access to a specific set of resources on the network, anything that deviates from that set of connections will be easily seen and will raise an alarm in your incident response platform.

Finally, baseline user activities for normal network behavior. Each user on your network does a series of tasks each day, week, or month that would be considered normal. Once you have a baseline of this activity, you are better prepared to recognize when a user’s credentials may have been compromised. After all, it’s likely not normal to have the marketing or accounting teams connecting to servers over SSH.
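To make the last two strategies concrete, here is an added example (not code from the article or from Plixer) that applies a per-device connection allowlist for IoT devices and a per-user port baseline to flow-style records. The device names, users, addresses and flows are constructed sample data, and the tuple layout is an assumption for illustration.

```python
"""Flag flows that deviate from an IoT allowlist (zero trust) or from a
per-user behavioural baseline. Records are (device, user, dest_ip, dest_port)."""
from collections import defaultdict

# Constructed sample flow records (hypothetical, not real traffic).
# IoT devices are headless, so their user field is empty.
FLOWS = [
    ("cam-01",   "",      "10.0.5.10",   443),  # camera -> NVR, allowed
    ("cam-01",   "",      "10.0.5.10",   443),
    ("cam-01",   "",      "203.0.113.7", 25),   # camera -> external SMTP: deviation
    ("ws-mkt-3", "alice", "10.0.9.20",   445),  # marketing user, file share (normal)
    ("ws-mkt-3", "alice", "10.0.9.21",   443),
    ("ws-mkt-3", "alice", "10.0.2.5",    22),   # marketing user over SSH: anomaly
    ("ws-eng-7", "bob",   "10.0.2.5",    22),   # engineer over SSH (in baseline)
    ("ws-eng-7", "bob",   "10.0.2.5",    22),
]

# Zero-trust allowlist: the only (dest_ip, dest_port) pairs each IoT device needs.
IOT_ALLOW = {"cam-01": {("10.0.5.10", 443)}}

# Per-user baseline of destination ports seen during a clean learning window.
USER_BASELINE = {"alice": {445, 443}, "bob": {22, 443}}


def iot_deviations(flows, allow=IOT_ALLOW):
    """Flows from an allowlisted IoT device to anything outside its allowlist."""
    return [f for f in flows if f[0] in allow and (f[2], f[3]) not in allow[f[0]]]


def user_deviations(flows, baseline=USER_BASELINE):
    """Flows where a known user reaches a port absent from their baseline."""
    return [f for f in flows if f[1] in baseline and f[3] not in baseline[f[1]]]


def build_baseline(flows):
    """Learn a per-user port baseline; feed it only a window believed clean."""
    ports = defaultdict(set)
    for _, user, _, port in flows:
        if user:
            ports[user].add(port)
    return dict(ports)


if __name__ == "__main__":
    for f in iot_deviations(FLOWS):
        print("IoT deviation:", f)
    for f in user_deviations(FLOWS):
        print("User anomaly:", f)
```

Both checks cut through alert noise because each alarm carries the device or user, destination and port that the SIEM alarm alone would not show.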

Fortunately, budgets are projected to increase for 2018, which may help fill expensive security personnel positions and enable organizations to deploy incident response processes to battle the barrage of attacks that continue to harm businesses. By deploying these strategies, you will be more able to identify real threats on your network and quickly dismiss the false positives that continue to be a nuisance for your IT teams.

(Justin Jett is director of audit and compliance at Plixer with roles ranging from system administration of web services to technical product marketing. He is a graduate of the University of Maine at Farmington and is an avid learner of all things security, with a particular interest in TLS and DNS attacks.)
