On the surface, it makes perfect sense. As data breaches continue to grow in number and severity, so does the availability of threat intelligence solutions and services that promise to keep organizations ahead of the attacks.
CSO’s Bob Violino outlined this very issue. To a point, this technology does deliver — assuming you’re able and willing to collect untold amounts of data and then comprehend, analyze and decide how to react. It’s a deafening amount of noise to accurately decipher in real time.
“False positives are a problem not only because they take up manpower and time to address, but also because they can distract companies from dealing with legitimate security alerts,” Violino said.
Violino highlighted an interesting study by the research firm Enterprise Management Associates (EMA). Its report, “Data-Driven Security Reloaded,” states that more than half of the respondents, security managers and IT admins, say that false positives are undermining their teams’ ability to mitigate threats. The result is a drop in overall confidence in the effectiveness of their security strategies.
A common source of false positives is the intrusion detection system (IDS), which inspects inbound and outbound network traffic across the entire port range for signatures of malicious activity. Its alerts also add context that helps analysts piece together threat actor activity, but every signature that matches benign traffic produces another alert someone has to investigate.
According to the SANS Institute, as more and more data is collected, more and more needs to be managed. This is a major issue for security operations centers (SOC) working in real time to defend critical data. The problem is exacerbated when rules are incorrectly configured.
“The alerts for rules that are causing repeated false positives are often ignored or disabled,” says Daniel Owen of the SANS Institute. “From this point forward the organization is effectively blind to the attack the problematic rule was looking for.
“Almost any rule can create a false positive. The art of IDS management is learning how to minimize false positives without blinding the organization to relevant attacks.”
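The alternative to disabling a noisy rule is to tune around the specific condition that causes the noise: suppress the rule only for the source that is known to be benign, or rate-limit repeats from one source so the analyst sees a single line instead of hundreds. The Python below is an added example, not code from the article or from SANS. It runs a small batch of constructed alert lines in a Snort/Suricata-style “fast log” format through two policies, and the rule SIDs (1000001, 1000002), the scanner subnet 10.0.0.0/24 and every address are hypothetical.

```python
"""Triage IDS alerts: tune a noisy rule instead of disabling it.

Added example with constructed data; SIDs, messages, addresses and the
"authorized scanner" subnet are hypothetical.
"""
import ipaddress
import re
from collections import Counter

# Constructed alert lines in a Snort/Suricata-style fast-log format.
# Rule 1000001 fires three times from 10.0.0.5 (imagine an authorized
# vulnerability scanner) and once from an unrelated external host.
# Rule 1000002 fires three times from one client and once from another.
SAMPLE_ALERTS = """\
01/05-10:00:01.000000  [**] [1:1000001:1] LOCAL Web scanner response signature [**] [Priority: 1] {TCP} 10.0.0.5:80 -> 192.168.1.20:51000
01/05-10:00:02.000000  [**] [1:1000001:1] LOCAL Web scanner response signature [**] [Priority: 1] {TCP} 10.0.0.5:80 -> 192.168.1.21:51001
01/05-10:00:03.000000  [**] [1:1000001:1] LOCAL Web scanner response signature [**] [Priority: 1] {TCP} 10.0.0.5:80 -> 192.168.1.22:51002
01/05-10:00:04.000000  [**] [1:1000001:1] LOCAL Web scanner response signature [**] [Priority: 1] {TCP} 203.0.113.9:80 -> 192.168.1.30:51003
01/05-10:00:05.000000  [**] [1:1000002:1] LOCAL DNS query for suspicious TLD [**] [Priority: 2] {UDP} 192.168.1.40:53211 -> 192.168.1.2:53
01/05-10:00:06.000000  [**] [1:1000002:1] LOCAL DNS query for suspicious TLD [**] [Priority: 2] {UDP} 192.168.1.40:53212 -> 192.168.1.2:53
01/05-10:00:07.000000  [**] [1:1000002:1] LOCAL DNS query for suspicious TLD [**] [Priority: 2] {UDP} 192.168.1.40:53213 -> 192.168.1.2:53
01/05-10:00:08.000000  [**] [1:1000002:1] LOCAL DNS query for suspicious TLD [**] [Priority: 2] {UDP} 192.168.1.41:53214 -> 192.168.1.2:53
""".splitlines()

ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_alert(line):
    """Extract rule id, message and 5-tuple from one fast-log line, or None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    a = m.groupdict()
    a["sid"] = int(a["sid"])
    return a


def triage(alert_lines, disabled=frozenset(), suppress=None, limit=None):
    """Apply a tuning policy to a batch of alerts.

    disabled: SIDs dropped outright (the practice the SANS quote warns about).
    suppress: {sid: [networks]} drop the alert only when its source is a
              known benign origin for that rule; other sources still alert.
    limit:    {sid: n} emit at most n alerts per (sid, source) in this batch
              and count the rest, so a chatty client does not flood the queue.
    Returns (kept_alerts, Counter of drop reasons).
    """
    suppress = {sid: [ipaddress.ip_network(n) for n in nets]
                for sid, nets in (suppress or {}).items()}
    limit = limit or {}
    seen, dropped, kept = Counter(), Counter(), []
    for line in alert_lines:
        a = parse_alert(line)
        if a is None:
            continue
        sid = a["sid"]
        if sid in disabled:
            dropped["disabled"] += 1
            continue
        src = ipaddress.ip_address(a["src"])
        if any(src in net for net in suppress.get(sid, [])):
            dropped["suppressed"] += 1
            continue
        seen[(sid, a["src"])] += 1
        if sid in limit and seen[(sid, a["src"])] > limit[sid]:
            dropped["rate_limited"] += 1
            continue
        kept.append(a)
    return kept, dropped


def naive_disable():
    """Disable rule 1000001: quiet, but 203.0.113.9 is never seen again."""
    return triage(SAMPLE_ALERTS, disabled={1000001})


def tuned():
    """Suppress 1000001 only for the scanner subnet; limit 1000002 per source."""
    return triage(SAMPLE_ALERTS,
                  suppress={1000001: ["10.0.0.0/24"]},  # hypothetical scanner range
                  limit={1000002: 1})


if __name__ == "__main__":
    for name, fn in (("disabled", naive_disable), ("tuned", tuned)):
        kept, dropped = fn()
        print(f"{name}: {len(kept)} alerts kept, dropped={dict(dropped)}")
        for a in kept:
            print(f"  sid={a['sid']} {a['src']} -> {a['dst']}  {a['msg']}")
```

With the rule disabled, the batch shrinks to four alerts and the hit from 203.0.113.9 disappears along with the scanner noise, which is exactly the blind spot described above. With the tuned policy the scanner's three hits and two repeat DNS alerts are counted rather than shown, while the external hit on rule 1000001 and one alert per DNS client still reach the analyst.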
This is where organizations need to decide whether it is safer and more cost-effective to run a full-time, in-house SOC or to outsource security management and threat intelligence to proven cyber security experts who routinely deliver actual security outcomes. After all, isn’t the latter the final objective?