How Automation Can Quell Those Pesky False Positives
By Steve Salinas, Director of Product Marketing, Siemplify
As a newly hired cybersecurity analyst, you’re excited to start vanquishing threats and thwarting bad guys in their tracks. You’re armed with the latest shiny security tools and raring to go – those hackers don’t stand a chance.
Unfortunately, nobody told you that at least half the alerts (or more) you will address will be false alarms. Commonly termed “false positives,” they will bog you down for 30 minutes (if you’re fast), shamelessly wasting your time and skills. Recent numbers from a Ponemon Institute study are downright depressing for today’s analysts: Organizations typically get about 17,000 alerts per week, with 80 percent being false positives. A similar Ponemon report cited forty-nine percent of businesses report false positives as a top challenge.
Faced with an overwhelming volume of alerts and the draining reality of false alarms at the SOC (Security Operations Center), you begin to wear down. Just like the jaded townspeople in the story of the boy who cried wolf, you become apathetic and start turning a blind eye. Similar to 31.9 percent of your security colleagues, you begin to ignore alerts due to the high number of false positives.
And that’s how we get here: Of the typical 17,000 alerts received per week, only 4 percent ever get investigated. Ouch. Cyber wolves everywhere lick their virtual chops at these numbers as the odds of slipping real threats past overwhelmed, alert-fatigued defenses become quite favorable.
Misconfigured detection tools are to blame for triggering many of the false positives, and with the growing security stack and increasing complexity of current defense technology, this trend doesn’t appear to be slowing. Expanding cloud and Internet of Things (IoT) adoption is only expanding the attack surface and encouraging organizations to invest in more security tools.
Where does all this leave worn-out analysts and overloaded security operations centers? In desperate need of an ally. Thankfully machine-learning enabled automation is emerging as a method to streamline alert handling.
Context is a critical factor in identifying and confirming the validity of threats. Data drives these contextual relationships, and automation excels collecting, organizing and correlating data in real-time. It leverages the data necessary to identify contextually related alerts, cross-references case details from multiple systems, spots trends, prioritize cases and drives faster response.
Manual workflows can’t process or analyze data fast enough to keep pace with evolving threat landscapes or deliver at scale. Besides, humans are notoriously awful at following a consistent standard. Programmed cognitive automation removes the “people risk” by adhering to a regular, repeatable standard when managing and analyzing data.
Automation shrinks the pool of alerts by swiftly weeding the potentially malicious from the benign. Machine learning quickly recognizes the familiar “seen-before” alerts as false positives and removes them from the queue. The smaller number of “not-seen-before” alerts can then be passed on for further investigation.
This validation works a massive glut of alerts down to a manageable number for human examination. With the assistance of the right automation tools, cases can be reduced up to 80 percent. Automated triage saves time, and lets humans utilize superior cognition for higher-level tasks, rather than burn out on the mind-numbing process of examining each alert.
Allows Transparency and Drive Learning
Automation also precisely records workflows, which permits a deeper investigation of false positives. Why did each one occur? How can a recurrence be prevented? If controls are too sensitive, what should the readjustment be?
From this insight, databases of knowledge can be compiled to feed artificial intelligence systems, build out playbooks and teach future analysts, foregoing the need to retain so-called tribal knowledge and manual processes to triage, investigate and respond to incidents. In fact, automation’s most profound contribution may be its ability to allow examination of today’s misfires to create the information necessary to prevent tomorrow’s.
Don’t Overlook the Benefits of False Positives
The benefits of false positives? Sounds funny, right? We just finished discussing all the adverse effects false positives can have on an organization, and, yet, eliminating them may not be the best course of action. False positives do provide a valuable service as they can be a useful guideline for monitoring sensitivity control.
An optimal defense threshold is high enough to detect real threats yet low enough not to trigger too many false positives. If your organization is recording zero false positives, you’re most likely missing something. The best strategy is having a few false positives, with automation in place, to help create a stronger screening process moving forward.
Navigating the evolving threat landscape, while striking the perfect defense threshold balance, can be exceptionally challenging for today’s SOC (security operations center). Security automation leverages data in real-time, and with the capability, it provides to learn from mistakes, false positives will no longer be a debilitating hindrance but rather another tool for the defense.
About the Author
Steve Salinas is a 20-year veteran of the IT and cybersecurity industries. He is currently the director of product marketing at Siemplify, a leading independent SOAR provider. For more information, visit: https://www.siemplify.co or follow @Siemplify on Twitter.