Cybersecurity solutions can generate false positives, a phenomenon well known to SOC teams and partly responsible for “alert fatigue”. The term, which has emerged in recent years, refers to the accumulation of security events and “noise” that an administrator has to manage on a daily basis. But such events can also block employee activity outright. False positives and cybersecurity: deciphering an IT phenomenon.
According to the Orca Security 2022 Alert Fatigue Report, 20% of security alerts in the cloud are classed as false positives. In addition to the direct impact on employees and the mental impact on IT teams, what are the repercussions on the company’s security? What is the source, and how can it be contained? We explain.
False positives: a spanner in the works
What is a false positive? A false positive is a false alert, notification or reaction to a situation that resembles a problem, or even a threat, to an IT asset or a company network. Such false positives can be generated by misinterpretation on the part of SOC teams, or directly by cybersecurity solutions such as EDR (Endpoint Detection & Response), firewalls and data loss prevention (DLP) systems: a legitimate data flow considered dangerous, a legitimate website considered malicious, a legitimate message considered undesirable, and so on.
What are the risks involved in generating false positives? False positives can affect all or part of the organisation and produce a series of malfunctions in the IS decision-making chain.
- An impact on business operations: automatic corrective actions triggered by false positives can cause service interruptions. By misinterpreting information, some protection solutions will prevent a tool from working or a resource from being accessed when both are in fact legitimate. The result: employees are unable to work.
- Reduced confidence in detection solutions: the repeated generation of false positives can lead not only to a loss of employee confidence in protection solutions, but also to a loss of analyst confidence in the usefulness of detection systems. Adoption of these solutions declines, as does the level of vigilance, which paves the way for real threats.
- A waste of time and resources: in an environment where the workload of security teams is already very heavy, false positives require additional checks to be carried out. This unnecessary step wastes time and reduces operational efficiency, distracting experts from the actions that genuinely need to be prioritised. According to the same Orca study, more than half of respondents reported that their team had missed critical alerts due to ineffective alert prioritisation, often on a weekly or even daily basis.
This phenomenon is also being observed in industrial environments due to communication problems, as Vincent Nicaise, Head of Industrial Partners and Ecosystem at Stormshield, reports: “It's not unusual for maintenance to be scheduled on a machine with no prior notification to the SOC team. In such cases, the technician arrives on site and makes the modifications. This maintenance operation generates traffic which can be interpreted as an anomaly by the SOC team. An investigation is then launched: the SOC team informs the local team of a potential anomaly, and requests an on-site check. But in the end, it becomes clear that this was simply a maintenance operation, and the whole detection and verification phase has consumed time and resources for nothing.”
How can false positives be reduced?
Behind this first question lies a broader one, which includes the opposite risk of false negatives: is it better to block too much rather than too little? And behind this deliberately provocative suggestion lies the eternal debate surrounding security projects, and even the integration of security products into the day-to-day operations of teams. After all, if a security product blocks “too much”, including legitimate uses and programs, the risk is that the user base will reject it. Users will then try to work around the security product, or even uninstall it... “It's all a question of balance,” explains Edouard Simpère, Head of Threat Intelligence at Stormshield. “With a product that blocks less, the secured perimeter is necessarily smaller, but so is the risk of blocking legitimate activity. And most importantly, the product meets no resistance from users. The line between malicious and legitimate behaviour is sometimes so fine that in trying to block the attackers, you end up blocking yourself.” To complement this cyber protection, EDR solutions are being strengthened: the focus is no longer on blocking at all costs, but on blocking better in response to detection. Users are not inconvenienced, because the security product is transparent, and IT (and cybersecurity) departments are supplied with security alerts.
The question of reducing false positives remains a relevant one: how can security systems minimise them? The answer involves tuning detection rules, machine learning and artificial intelligence. Using real-time network traffic data and security logs, detection rules are adjusted to match the company’s real-world needs and operating methods. Regular (or even automatic) updates of default protection policies and security databases, as well as dedicated rules for widely used applications that are prone to specific false-positive triggers, are key elements in protecting businesses. However, such iterative processes need to be finely controlled to avoid lowering the detection threshold. And to strengthen this protection by identifying new attack techniques and their associated suspicious behaviour, it is also important to draw on analyses of cyberattacks and knowledge bases such as MITRE ATT&CK. All these settings can be complex, and require a thorough understanding of security solutions, how their engines work and which logs they emit. Several other levers, notably internal company communication, can also reduce false positives without reducing the level of protection (a short sketch follows the list below):
- Contextualise data according to on-site actions: telemetry data must be interpreted in the light of the production environment, as raw data without context can be misinterpreted. On the network side, for example, the IPS (Intrusion Prevention System) engine relies on targeted protocol analysis of network packets. Another example is the contextualisation of Wi-Fi connections.
- Develop a better understanding of IT and OT environments: as each environment has its own specific technical characteristics, detection mechanisms must incorporate the notion of context. Without this prior understanding, an analyst cannot determine whether the information being reported is legitimate or not.
- Establish a consistent level of communication between IT security and production teams: a strict communication process (covering interventions and maintenance operations, for example) helps avoid errors.
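To make this concrete, here is a minimal Python sketch of context-aware alert triage, in the spirit of the maintenance scenario described above. The alert fields, maintenance calendar and allowlist are hypothetical; a real implementation would depend on the detection solution’s log format and on the context actually shared by production teams.

```python
from dataclasses import dataclass
from datetime import datetime

# Hypothetical alert structure; real fields depend on the detection solution's logs.
@dataclass
class Alert:
    source_host: str
    rule_id: str
    timestamp: datetime

# Context shared by production teams: planned maintenance windows per asset.
MAINTENANCE_WINDOWS = {
    "plc-line-3": (datetime(2024, 5, 7, 8, 0), datetime(2024, 5, 7, 12, 0)),
}

# Exceptions for (asset, rule) pairs known to generate false positives.
RULE_ALLOWLIST = {("backup-srv-1", "ids-4012")}

def triage(alert: Alert) -> str:
    """Apply operational context before escalating an alert to the SOC."""
    window = MAINTENANCE_WINDOWS.get(alert.source_host)
    if window and window[0] <= alert.timestamp <= window[1]:
        # The maintenance scenario: expected traffic, not an anomaly.
        return "suppressed: scheduled maintenance window"
    if (alert.source_host, alert.rule_id) in RULE_ALLOWLIST:
        return "suppressed: known benign asset/rule pair"
    return "escalate to SOC analyst"

print(triage(Alert("plc-line-3", "ids-2231", datetime(2024, 5, 7, 9, 30))))
```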
False positives: what about the future?
EDR, NDR, XDR, MDR: the number of acronyms is multiplying, reflecting a specialised approach to Detection & Response in cybersecurity products. In addition, Threat Intelligence and Threat Hunting teams enhance the ability to detect the most sophisticated cyberattacks. These teams look for “Indicators of Attack” (IoAs) and “Indicators of Compromise” (IoCs), with the dual aim of understanding the threat and reducing the number of false positives. It should be noted that, in addition to detection, it is essential for endpoint protection tools to incorporate the ability to block the threat.
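As an illustration of the principle (not of any particular product), the sketch below escalates a behavioural alert only when an observable is corroborated by a threat-intelligence feed; the feed contents and field names are invented for the example.

```python
# Threat-intelligence feed: values are invented for the example.
IOC_FEED = {
    "ip": {"203.0.113.45", "198.51.100.7"},          # addresses from a documentation range
    "sha256": {"9f86d081884c7d659a2feaa0c55ad015"},  # illustrative, truncated hash
}

def corroborated(observable_type: str, value: str) -> bool:
    """Return True only if the observable matches a known IoC."""
    return value in IOC_FEED.get(observable_type, set())

# A behavioural signal (e.g. an unusual outbound connection) is escalated
# only when corroborated by threat intelligence, not on the signal alone.
destination = "203.0.113.45"
if corroborated("ip", destination):
    print(f"raise alert: {destination} matches a known IoC")
else:
    print("keep for threat hunting; do not page the on-call analyst")
```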
The development of an architecture known as SOAPA (Security Operations and Analytics Platform Architecture) could be another answer. Described in 2016 by Jon Oltsik, a principal analyst at Enterprise Strategy Group, the SOAPA architecture is made up of several product categories that enable data to be collected, processed, shared and analysed efficiently. Its advantage lies in the fact that an alert is generated in the SOAR component only once it has been firmly established as genuine. While on paper this approach may stem the problem, the question of processing times remains.
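A simplified sketch of that data flow might look as follows; the component names follow the SOAPA vocabulary, but the event fields and the scoring heuristic are purely illustrative.

```python
# Purely illustrative SOAPA-style flow: collect -> analyse -> SOAR.
def collect(raw_events):
    """Data collection and processing layer: keep normalised, non-empty events."""
    return [event for event in raw_events if event]

def analyse(event) -> float:
    """Analytics layer: score the event (placeholder heuristic)."""
    return 0.9 if event.get("matches_ioc") else 0.2

def soar_ingest(event):
    """SOAR component: only confirmed alerts trigger orchestration playbooks."""
    print(f"playbook started for {event['id']}")

CONFIRMATION_THRESHOLD = 0.8  # assumption: tuned per environment

events = [{"id": "evt-1", "matches_ioc": True},
          {"id": "evt-2", "matches_ioc": False}]

for event in collect(events):
    # The alert reaches SOAR only once firmly established as genuine,
    # which is exactly where the processing-time question arises.
    if analyse(event) >= CONFIRMATION_THRESHOLD:
        soar_ingest(event)
```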
But until such an architecture becomes the norm, businesses must continue to rely on good practice and common sense: reducing the attack surface, and reserving automatic remediation for the most sensitive IT assets. Implementing sound alert management practices (behavioural analysis correlated with a cybersecurity knowledge base in addition to detection rules, process automation, analyst training, etc.), coupled with a cycle of continuous improvement of SOC processes, can increase the operational capacity of this cybersecurity nerve centre.
Taking its cue from the maxim that “too much data kills data”, automated data analysis is a potentially interesting option. By training artificial intelligence algorithms that take into account the constraints of the production environment, it should at the very least be possible to process the simplest alerts automatically, leaving the most complex cases to the analysts. Other avenues, such as questioning the relevance and lifespan of the data, could also help to reduce the volume generated. But these are topics for future articles...
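As a rough illustration of that idea, the sketch below trains a toy classifier on an entirely invented, analyst-labelled triage history and only auto-processes alerts it is confident about; the features, thresholds and library choice (scikit-learn) are assumptions, not a recipe.

```python
import numpy as np
from sklearn.ensemble import RandomForestClassifier

# Invented features per alert: [severity, asset criticality, historical FP rate of the rule].
# In practice these would come from the SOC's analyst-labelled triage history.
X_train = np.array([[1, 1, 0.9], [5, 4, 0.1], [2, 1, 0.8], [4, 5, 0.2]])
y_train = np.array([0, 1, 0, 1])  # 0 = false positive, 1 = genuine alert

model = RandomForestClassifier(n_estimators=50, random_state=0).fit(X_train, y_train)

AUTO_CLOSE, AUTO_ESCALATE = 0.15, 0.85  # confidence thresholds, to be tuned carefully

for features in np.array([[1, 1, 0.95], [3, 3, 0.5]]):
    p_genuine = model.predict_proba(features.reshape(1, -1))[0, 1]
    if p_genuine <= AUTO_CLOSE:
        print("auto-closed as probable false positive")
    elif p_genuine >= AUTO_ESCALATE:
        print("auto-escalated to remediation")
    else:
        print("routed to a human analyst")  # complex cases stay with the experts
```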