How to reduce false positive alerts and increase cybersecurity

False positives in cybersecurity detection tools drain resources and distract from real threats. Once CISOs understand the root causes of false positives, they can implement strategies to reduce them.

No cybersecurity team wants to detect a malicious attack and then purposefully ignore it. But alert fatigue caused by too many false positives can lead them into that trap.

Every cybersecurity tool designed to detect attacks makes mistakes. For decades, researchers and vendors have struggled to find ways to improve threat detection accuracy without degrading performance.

Attack detection is a constant balancing act between false negatives, when a tool fails to detect a real attack, and false positives, when a tool incorrectly flags benign activity as an attack. Techniques that reduce false negatives tend to increase false positives. Tip the balance too far toward sensitivity, and the resulting flood of false positives degrades security team operations.

Cybersecurity technologies that might generate false positives for attack detection include antimalware, antiphishing, security information and event management, intrusion detection and intrusion prevention systems, data loss prevention, firewalls, and endpoint detection and response.

CISOs should understand the prevalence of false positives across cybersecurity tools. With this knowledge, they can set a strategy for how security teams reduce those alerts while still recognizing authentic threats. Best practices, such as tuning thresholds to match expected operations within the IT ecosystem, make a big difference.

Why we see more false positives

Given the variety and complexity of attacks, false positives are inevitable. Relatively few attacks are immediately and conclusively recognizable as malicious. Exploit kits and other attacker tools have made it quick and easy for anyone to generate customized, unique attacks. While tools can identify characteristics of common attack types, the infusion of AI into attackers' toolkits has greatly increased the customization of attacks.

Because attacks are more difficult to recognize, and because the true danger is an undetected breach, security teams tune their tools to minimize false negatives. The price of that sensitivity is that most tools now produce more false positives.

How false positives impede security teams

False positives can be a significant drain on cybersecurity resources, requiring time and effort to analyze each one before dismissing it. When false positives are too common, they divert analysts from real threats.

In some tools, a positive, real or false, automatically triggers an action to stop the observed activity. When a false positive blocks legitimate business activity, it damages the security program's credibility.

Analysts tend to ignore alerts that have repeatedly turned out to be false positives. It's natural to assume that an alert that was harmless in the past can be safely disregarded in the future. Next time, however, that assumed false positive could be a legitimate cyberattack.

How to reduce false positives

Don't try to eliminate false positives entirely. Even if it were possible, it would significantly increase false negatives. To reduce false positives as much as reasonable, update detection tools, layer capabilities for the best performance and fine-tune alert thresholds.

Patch and update tools

Security operations should keep attack detection technologies fully patched and updated. Accuracy also depends on current detection content: signatures, rules and near-real-time cybersecurity threat intelligence feeds.

Focus tools where they're most accurate

Deploy layers of attack detection technologies that use different detection and analysis methodologies. For example, a certain type of activity might frequently cause one tool to issue false positives but be accurately classified as normal or abnormal by another technology. Consider relying on the more accurate tool for that attack vector. Shut off the checks that produce so many false positives in the less accurate tool, or configure them to log but not alert, so the data remains available for investigation without paging an analyst.

Know thy infrastructure and operations

Teams can tune attack detection checks to improve accuracy. When benign anomalies are reported as attacks, check the threshold values involved and adjust them to match the expected behavior of the environment.

Alert tuning can also involve adding context. Context comes from information on the roles of various IT resources and the relationships between resources. For example, servers might transfer large amounts of data to centralized storage as part of normal operations, but transferring data to an external storage site would be out of the ordinary.

CISOs should adjust attack detection carefully. Ensure teams test and monitor false positive reduction strategies before deploying them into production.
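The following Python is an added illustration of the tuning described above and is not code from the original article or from any product it mentions. It compares an untuned data-transfer rule with one global threshold against a tuned rule that applies role-based thresholds and destination context, routes a known-benign anomaly to "log" rather than "alert" (the log-but-don't-alert option from the previous section), and replays a batch of events through both rules so the change in alert volume can be measured before deployment. The asset inventory, thresholds, IP ranges and sample events are all constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

GiB = 2**30

# Hypothetical asset inventory: the role context the tuned rule relies on.
ASSET_ROLES = {
    "10.0.1.10": "backup-server",
    "10.0.1.11": "backup-server",
    "10.0.2.50": "workstation",
    "10.0.3.5": "storage",
}
INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # assumed internal address space

# Assumed per-role thresholds for transfers that stay inside the network.
INTERNAL_THRESHOLDS = {
    "backup-server": 500 * GiB,  # nightly backups to storage are normal
    "workstation": 2 * GiB,
    "default": 10 * GiB,
}
# Assumed threshold for any transfer leaving the network, regardless of role.
EXTERNAL_THRESHOLD = 1 * GiB
# The single global threshold of the untuned rule.
NAIVE_THRESHOLD = 10 * GiB


@dataclass(frozen=True)
class Transfer:
    src: str
    dst: str
    bytes_sent: int


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def naive_verdict(t: Transfer) -> str:
    """Untuned rule: one threshold for every host and every destination."""
    return "alert" if t.bytes_sent > NAIVE_THRESHOLD else "ignore"


def tuned_verdict(t: Transfer) -> str:
    """Role- and destination-aware rule. Returns 'alert', 'log' or 'ignore'."""
    role = ASSET_ROLES.get(t.src, "default")
    if not is_internal(t.dst):
        # Leaving the network is out of the ordinary for every role: low bar, always page.
        return "alert" if t.bytes_sent > EXTERNAL_THRESHOLD else "ignore"
    threshold = INTERNAL_THRESHOLDS.get(role, INTERNAL_THRESHOLDS["default"])
    if t.bytes_sent <= threshold:
        return "ignore"
    # Oversized internal transfer to known storage: a benign anomaly worth
    # recording for investigation, but not worth paging an analyst.
    if ASSET_ROLES.get(t.dst) == "storage":
        return "log"
    return "alert"


def replay(events, verdict) -> Counter:
    """Replay historical events through a rule to measure its alert volume before deploying it."""
    return Counter(verdict(e) for e in events)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    Transfer("10.0.1.10", "10.0.3.5", 200 * GiB),      # nightly backup to storage
    Transfer("10.0.2.50", "10.0.3.5", 5 * GiB),        # workstation dumping files to storage
    Transfer("10.0.2.50", "203.0.113.7", 3 * GiB),     # workstation sending data off-network
    Transfer("10.0.1.11", "198.51.100.20", 50 * GiB),  # backup server sending data off-network
    Transfer("10.0.2.50", "10.0.3.5", 512 * 2**20),    # small internal copy
]

if __name__ == "__main__":
    for name, rule in (("naive", naive_verdict), ("tuned", tuned_verdict)):
        print(name, dict(replay(SAMPLE_EVENTS, rule)))
        for e in SAMPLE_EVENTS:
            print(f"  {e.src} -> {e.dst} {e.bytes_sent / GiB:g} GiB: {rule(e)}")
```

On the sample events the untuned rule pages on the routine 200 GiB backup (a false positive) and stays silent on the workstation's 3 GiB transfer to an external address (a false negative). The tuned rule reverses both outcomes while producing the same number of alerts, which is the kind of result to look for when replaying historical data before a tuning change goes into production.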

Karen Kent is the co-founder of Trusted Cyber Annex. She provides cybersecurity research and publication services to organizations and was formerly a senior computer scientist for NIST.
