False positives, or alerts that incorrectly indicate that a security threat is present in a specific environment, are a major problem for Security Operations Centers (SOCs). Numerous studies have shown that SOC analysts spend an excessive amount of time and effort investigating alerts that suggest an imminent threat to their systems but ultimately prove to be benign.
Research that Invicti conducted recently found that SOCs waste an average of 10,000 hours and some $500,000 per year validating unreliable and incorrect vulnerability alerts. Another survey that Enterprise Strategy Group (ESG) conducted for Fastly found organizations reporting an average of 53 alerts per day from their web app and API security tools. Almost half (45%) are false positives. Nine in ten survey respondents described false positives as negatively impacting the security team.
“For SOC teams, false positives are one of the biggest issues,” says Chuck Everette, director of cybersecurity advocacy at Deep Instinct. The primary purpose of a SOC is to monitor, investigate, and respond to security events in a timely manner. “If they are inundated with hundreds or thousands of alerts that have no real security importance, it prevents them from responding effectively and efficiently to real threats,” he says.
Completely eliminating false positives from the environment can be nearly impossible. However, there are ways for SOCs to minimize the time spent hunting them. Here are five of them:
1. Focus on the threats that matter
When configuring and tuning security alert tools such as intrusion detection systems and security information and event management (SIEM) systems, be sure to define rules and behaviors that alert you only to threats relevant to your environment. Security tools can aggregate a lot of log data, not all of which is necessarily relevant to the threats your environment actually faces.
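One concrete way to apply this advice is to check each alert against an asset inventory before it reaches an analyst: a rule written for a product or platform that the alerted host does not run cannot be a real threat to that host. The script below is an added example, not code from the article or from any vendor it mentions; the inventory, rule catalog and alerts are all constructed sample data, and the `os`/`services` attributes are an assumed shape for a CMDB export. Alerts for unknown hosts or unknown rules are deliberately kept, so an inventory gap surfaces as work for the analyst rather than as a silently dropped detection.

```python
"""Environment-aware alert triage: suppress alerts whose rule cannot apply
to the targeted asset, and report how much of the queue that removes.
Constructed example data throughout; not from the article."""
from dataclasses import dataclass

# Constructed asset inventory (assumed CMDB shape): hostname -> OS and services.
INVENTORY = {
    "web-01": {"os": "linux", "services": {"nginx", "php"}},
    "db-01": {"os": "linux", "services": {"postgresql"}},
    "fs-02": {"os": "windows", "services": {"smb"}},
}

# Constructed detection rules: each declares the platforms and services it is
# relevant to. A SIEM rule that carries no such metadata cannot be scoped.
RULES = {
    "IIS path traversal": {"os": {"windows"}, "services": {"iis"}},
    "PostgreSQL brute force": {"os": {"linux", "windows"}, "services": {"postgresql"}},
    "SMB anomalous access": {"os": {"windows"}, "services": {"smb"}},
    "PHP webshell upload": {"os": {"linux", "windows"}, "services": {"php"}},
}


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str


@dataclass(frozen=True)
class Verdict:
    alert: Alert
    keep: bool      # True -> route to an analyst; False -> suppress as irrelevant
    reason: str     # recorded so suppression decisions remain auditable


def triage(alert, inventory=INVENTORY, rules=RULES):
    """Decide whether a single alert is relevant to the asset it names."""
    rule = rules.get(alert.rule)
    asset = inventory.get(alert.host)
    # Fail open: anything we cannot reason about stays in the queue.
    if rule is None:
        return Verdict(alert, True, "rule has no scoping metadata; keep for review")
    if asset is None:
        return Verdict(alert, True, "host not in inventory; keep and fix inventory gap")
    if asset["os"] not in rule["os"]:
        return Verdict(alert, False,
                       f"rule targets {sorted(rule['os'])}, host runs {asset['os']}")
    if not asset["services"] & rule["services"]:
        return Verdict(alert, False,
                       f"host runs none of {sorted(rule['services'])}")
    return Verdict(alert, True, "rule applies to this asset")


def triage_all(alerts, inventory=INVENTORY, rules=RULES):
    return [triage(a, inventory, rules) for a in alerts]


def summarize(verdicts):
    """Return (kept, suppressed, suppressed_fraction) for a batch of verdicts."""
    suppressed = sum(1 for v in verdicts if not v.keep)
    kept = len(verdicts) - suppressed
    return kept, suppressed, (suppressed / len(verdicts) if verdicts else 0.0)


# Constructed sample queue: a mix of relevant and environment-irrelevant alerts.
SAMPLE_ALERTS = [
    Alert("IIS path traversal", "web-01"),       # Windows/IIS rule on a Linux nginx host
    Alert("PostgreSQL brute force", "db-01"),    # relevant
    Alert("SMB anomalous access", "fs-02"),      # relevant
    Alert("SMB anomalous access", "db-01"),      # Windows rule on a Linux host
    Alert("PHP webshell upload", "db-01"),       # host runs no PHP
    Alert("PHP webshell upload", "build-09"),    # host missing from inventory: kept
]

if __name__ == "__main__":
    results = triage_all(SAMPLE_ALERTS)
    for v in results:
        print(f"{'KEEP' if v.keep else 'DROP':4} {v.alert.rule:24} {v.alert.host:9} {v.reason}")
    print("kept=%d suppressed=%d suppressed_fraction=%.2f" % summarize(results))
```

The suppression reason is stored with every verdict so that tuning decisions can be reviewed later and so the suppressed count itself becomes a metric for how well the rule set matches the environment.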