10/21/2016 02:00 PM
Black Hat Staff
Event Updates

Black Hat Europe 2016:
The 7 Habits of Highly Effective Security Operations

Why cyber analysts spend nearly 75% of their time on false positives, and what to do about it.

False positives … those annoying notifications that make you panic at first but, after further investigation, turn out to be nothing to worry about. Individually they seem like a minor inconvenience, but what happens when you have hundreds, or even thousands, of them every day and find yourself wasting 75% (or more) of your time on them?

Unfortunately, this is exactly what is happening to cybersecurity analysts in Security Operations Centers (SOCs) all over the world that follow a traditional, reactive approach to threat monitoring. Within most SOCs, false positives are a major problem not only because they consume time and resources, but also because they distract analysts from legitimate threats. Worse, analysts who become desensitized by a steady stream of false positives (alert fatigue) start to miss the true indicators of an attack.

What causes false positives? The most common source is poorly configured or poorly tuned security tooling: SIEM platforms, IDS/IPS sensors, and endpoint detection and response tools. Each of these detects attacks using some mix of predefined rules, known signatures, patterns, expected user behaviors, and so on. A false positive typically originates when one of those rules, signatures or patterns is defined too broadly or is missing a condition, so the tool flags every event that matches the logic as written, including the many that are not real security threats. With that in mind, here are seven basic habits that organizations can follow to help minimize false positives:
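As an added example (not from the article, and not Raytheon Foreground Security's code), here is the failure mode just described in code: a detection rule written too broadly, beside the same rule with the logic it was missing, run over constructed logon events. The event fields, user names, hosts, addresses and the scanner allowlist are all assumptions made for the illustration.

```python
"""Added example, not from the article: the same detection intent written
first as an over-broad rule and then with the logic the broad version is
missing, run over constructed logon events. Users, hosts and addresses
are made up; the event fields are an assumed minimal auth-log subset."""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(ts, user, src, host, outcome):
    return {"ts": ts, "user": user, "src": src, "host": host, "outcome": outcome}


# Constructed sample events.
SAMPLE_EVENTS = [
    # alice mistypes her password once and then logs in: noise
    _ev("2016-10-21T13:00:05", "alice", "10.0.1.15", "ws-alice", "failure"),
    _ev("2016-10-21T13:00:20", "alice", "10.0.1.15", "ws-alice", "success"),
    # a scheduled job with a stale password fails once an hour: noise
    _ev("2016-10-21T11:00:00", "svc_backup", "10.0.5.20", "fs01", "failure"),
    _ev("2016-10-21T12:00:00", "svc_backup", "10.0.5.20", "fs01", "failure"),
    _ev("2016-10-21T13:00:00", "svc_backup", "10.0.5.20", "fs01", "failure"),
    # the authorised vulnerability scanner probes db01: noise
    *[_ev(f"2016-10-21T13:10:{s:02d}", "nessus", "10.0.9.9", "db01", "failure") for s in range(0, 50, 10)],
    # an external address guesses the admin password and gets in: real
    *[_ev(f"2016-10-21T13:20:{s:02d}", "administrator", "203.0.113.7", "vpn01", "failure") for s in range(0, 60, 10)],
    _ev("2016-10-21T13:21:05", "administrator", "203.0.113.7", "vpn01", "success"),
]

# Assumed allowlist of sources that legitimately generate failed logons.
KNOWN_SCANNERS = {"10.0.9.9"}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def broad_rule(events):
    """Defined too broadly: every failed logon is an alert."""
    return [e for e in events if e["outcome"] == "failure"]


def tuned_rule(events, threshold=5, window=timedelta(minutes=10), scanners=KNOWN_SCANNERS):
    """The logic the broad rule is missing: alert once per source/host when
    `threshold` failures fall inside `window`, skip allowlisted scanners,
    and record whether a success followed so the alert can be prioritised."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_key[(e["src"], e["host"])].append(e)
    alerts = []
    for (src, host), evs in by_key.items():
        if src in scanners:
            continue
        failures = [_parse(e["ts"]) for e in evs if e["outcome"] == "failure"]
        # slide a window of `threshold` consecutive failures over the timeline
        for i in range(len(failures) - threshold + 1):
            first, last = failures[i], failures[i + threshold - 1]
            if last - first <= window:
                succeeded = any(e["outcome"] == "success" and _parse(e["ts"]) > last for e in evs)
                alerts.append({"src": src, "host": host, "user": evs[0]["user"],
                               "failures": len(failures), "succeeded": succeeded,
                               "window_start": first.isoformat()})
                break  # one alert per source/host, not one per failure
    return alerts


if __name__ == "__main__":
    print(f"broad rule: {len(broad_rule(SAMPLE_EVENTS))} alerts")
    for a in tuned_rule(SAMPLE_EVENTS):
        print("tuned rule:", a)
```

On these events the broad rule produces 15 alerts and the tuned rule produces one, for the external source that succeeded after six failures. Passing scanners=set() adds a second alert for the authorised scanner, which shows why the rule needs to be told which noisy sources are expected in your environment rather than left at its defaults.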

1) Be proactive. The most important characteristic of successful security operations is a proactive approach to threat management. If all you do is wait for alerts and alarms to go off, you will spend more time chasing false positives than identifying real threats. It is critical to hunt for threats proactively; this is the only proven approach for detecting the most advanced ones. At Raytheon Foreground Security, we implement this concept through a framework and methodology we developed, which we call proactive threat hunting.

2) Begin with the end in mind. Alerting technologies can significantly improve your ability to identify suspicious or malicious activity when used correctly. Unfortunately, many organizations use them too broadly. The key is to focus on the types of threats you intend to detect. To do that, it’s necessary to first assess the risk and security needs of your business and then focus your alerting technologies on the highest-risk threats. Focusing on your end goal (i.e., the most relevant threats you want to detect) will help reduce false positives.

3) Put first things first. Prioritization is one of the best tools a SOC has for minimizing time spent on false positives. Rank each alert on two things: how reliable the rule that produced it has proven to be, and how much risk the event it detects carries. Alerts that score high on both get the highest priority, and analysts work the queue from highest to lowest, so the most reliable alerts about the highest-risk events are always addressed first.

4) Think win-win. Thinking win-win sees life as a cooperative arena, not a competitive one. Apply this by choosing collaborative intelligence sources that bring different fidelity, relevance, and value to your security operations. Choose wisely, though: blindly integrating intelligence feeds without evaluating their fidelity and false-positive rates can have a detrimental effect on your security operations, because every low-quality indicator you ingest becomes another source of false positives.

5) Seek first to understand. Addressing false positives should start with a thorough understanding of which threats a given tool is intended to address and how it functions. When implementing a tool, make sure you fully understand why you are deploying it, rather than making assumptions about common use cases or, worse, installing it with default settings.

6) Synergize (use correlation). In many cases an event is not interesting unless it is observed together with one or more other events of interest. For such cases, use a set of clearly defined correlation rules, scoped to a time window and a common entity such as a host or user, and only send an alert to your work queue once all of the correlation criteria are satisfied.

7) Fine tune your tactics. Continuously improve and adjust alerting rules based on lessons learned. Reviewing every alert that enters your queue, and recording for each one which rule produced it and whether it was a true or false positive, tells you which rules need tuning and how. Today's threats are sophisticated and require intelligent, targeted alert logic that extracts the events of concern while minimizing false positives; continuously tuning that logic is critical.
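The following is an added example, not code from the article or its author, that puts habits 3, 6 and 7 together in a toy triage pipeline: a correlation rule that alerts only when its required events coincide on one host inside a window, a queue ordered by reliability multiplied by risk, and a feedback step that replaces each rule's assumed reliability with the precision analysts actually observed. The rule catalogue, scores, hosts, timestamps and verdicts are all constructed for the illustration.

```python
"""Added example, not from the article: a toy SOC triage pipeline that
shows habit 6 (correlate, then alert), habit 3 (work the queue by
reliability x risk) and habit 7 (feed analyst verdicts back into the
rules). Rule names, scores, hosts, timestamps and verdicts are all
constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed rule catalogue. reliability: how often the rule has been right
# (0..1); risk: impact of what it detects (1..5). Priority = product.
RULES = {
    "new_admin_account": {"reliability": 0.7, "risk": 5},
    "port_scan":         {"reliability": 0.3, "risk": 2},
    # Correlation rule (habit 6): fires once per host only when every
    # required event type is seen on that host inside the window.
    "av_plus_c2": {"reliability": 0.8, "risk": 5,
                   "requires": {"av_detection", "outbound_c2_dns"},
                   "window": timedelta(minutes=10)},
}

# Constructed raw events: (ISO timestamp, host, event type).
SAMPLE_EVENTS = [
    ("2016-10-21T13:00:00", "ws-01", "outbound_c2_dns"),  # alone: no alert
    ("2016-10-21T13:02:00", "ws-02", "av_detection"),
    ("2016-10-21T13:03:30", "ws-02", "outbound_c2_dns"),  # completes av_plus_c2
    ("2016-10-21T13:05:00", "db01",  "new_admin_account"),
    ("2016-10-21T13:06:00", "ws-03", "port_scan"),
    ("2016-10-21T13:40:00", "ws-04", "av_detection"),
    ("2016-10-21T14:10:00", "ws-04", "outbound_c2_dns"),  # 30 min later: outside window
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def priority(rule, rules):
    return rules[rule]["reliability"] * rules[rule]["risk"]


def build_queue(events, rules=RULES):
    """Return alerts highest priority first (habit 3). Single-event rules
    alert on every matching event; correlation rules are evaluated over
    the per-host event history and alert at most once per host."""
    alerts = []
    history = defaultdict(list)  # host -> [(datetime, event type)], in order
    for ts, host, etype in sorted(events):
        if etype in rules and "requires" not in rules[etype]:
            alerts.append((etype, host, ts))
        history[host].append((_parse(ts), etype))
    for name, rule in rules.items():
        if "requires" not in rule:
            continue
        for host, evs in history.items():
            # Treat each event as the possible end of the window and collect
            # the event types seen within `window` before it.
            for i, (end, _) in enumerate(evs):
                types = {t for start, t in evs[:i + 1] if end - start <= rule["window"]}
                if rule["requires"] <= types:
                    alerts.append((name, host, end.isoformat()))
                    break
    ordered = sorted(alerts, key=lambda a: -priority(a[0], rules))
    return [{"rule": n, "host": h, "ts": t, "priority": round(priority(n, rules), 2)}
            for n, h, t in ordered]


# Constructed analyst verdicts on last week's alerts, per rule.
DISPOSITIONS = {
    "port_scan":         ["fp"] * 9 + ["tp"],
    "new_admin_account": ["tp"] * 9 + ["fp"],
    "av_plus_c2":        ["tp"] * 8 + ["fp"] * 2,
}


def tuning_report(dispositions, max_fp_rate=0.5):
    """Habit 7: false-positive rate per rule and the rules that need work."""
    rates = {r: v.count("fp") / len(v) for r, v in dispositions.items() if v}
    flagged = sorted(r for r, rate in rates.items() if rate > max_fp_rate)
    return rates, flagged


def retune(rules, dispositions):
    """Habit 7: replace each rule's assumed reliability with its observed
    precision so the queue order reflects what analysts actually found."""
    rates, _ = tuning_report(dispositions)
    updated = {n: dict(r) for n, r in rules.items()}
    for name, fp_rate in rates.items():
        if name in updated:
            updated[name]["reliability"] = round(1 - fp_rate, 2)
    return updated


if __name__ == "__main__":
    for a in build_queue(SAMPLE_EVENTS):
        print("before tuning:", a)
    rates, flagged = tuning_report(DISPOSITIONS)
    print("fp rates:", rates, "needs tuning:", flagged)
    for a in build_queue(SAMPLE_EVENTS, retune(RULES, DISPOSITIONS)):
        print("after tuning:", a)
```

Run it and compare the queue before and after retune: the lone outbound_c2_dns on ws-01 and the pair on ws-04 that falls outside the window never reach the queue, and once the port-scan rule's 90% false-positive rate is fed back it drops to the bottom while the new-admin-account rule, which analysts confirmed nine times out of ten, moves above the correlated malware alert.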

Although false positives will always exist in cyber security operations, it is possible to minimize their quantity and impact by following the seven basic habits described above. For more information, visit foregroundsecurity.com.

 

Comments
CathyRoberson19, User Rank: Apprentice, 10/27/2016 | 2:57:40 AM
Great,
Great points you made; thanks for the tips. This is an easy way to learn about unknown stuff and know what it does, thereby creating a relationship. I love this stuff that relates to my topic of one's writing, or general good points are a great way to go.

essayservices.org