Cyber security teams are under tremendous pressure to safeguard their IT infrastructure and business data against the escalating threat of breaches. Even as organizations increasingly turn to automated security tools to deal with threats, the downside of these tools cannot be ignored: they generate a high number of false positives.
A false positive is an alert that is raised and categorized as malicious even though the underlying activity is benign, such as a minor spike or deviation from normal behaviour. A January 2015 Ponemon Institute report stated that enterprises spend $1.3 million a year dealing with false positive alerts, which translates into around 21,000 hours of wasted time. The study, which surveyed more than 600 IT security enterprises in the US, found that organizations receive around 17,000 malware alerts on a weekly basis, of which only 19% are worthy of attention.
This high rate of false positives has a significant financial impact on organizations. Every alert generated by a security solution has to be examined to rule out a breach. A high number of false positives means that valuable time is spent chasing and closing false alarms, because investigating a false positive is preferable to the risk of an undetected threat. However, these are person-hours that could be better spent on real intrusions.
Another risk is that real threats are overlooked in the process. Repeated false positives breed complacency in the security team, which comes to assume that an alert it has seen before is 'false' and so risks ignoring legitimate threats. Additionally, a rule that generates many false alerts may be ignored or deactivated outright, leaving the activity that rule was meant to catch unmonitored.
The problem is compounded by the fact that security solutions lack business context, and hence often raise alerts even when the underlying behaviour is normal or expected under particular business conditions.
So, now that we have established the high cost of false positives to an organization, what measures can be taken to reduce them?
SIEM systems offer another way to address false positives. Integrating advanced analytics with a SIEM produces a more intelligent security solution: alerts can be prioritized using what the organization already knows about its own rules and past incidents, raising the probability that a true threat is detected and acted upon.
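One concrete form of the analytics described above is to feed analysts' past dispositions back into triage: rank new alerts by the historical precision of the rule that fired, and flag high-volume, low-precision rules for tuning rather than silently disabling them. The following is an added illustration, not code from the original article or from any Happiest Minds product; the rule names, thresholds and alert records are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass
class Alert:
    alert_id: str
    rule_id: str
    disposition: Optional[str]  # "true_positive" / "false_positive" from the analyst, None if untriaged

def make(rule, tp, fp):
    """Build a constructed batch of already-triaged alerts for one detection rule."""
    return ([Alert(f"{rule}-tp{i}", rule, "true_positive") for i in range(tp)]
            + [Alert(f"{rule}-fp{i}", rule, "false_positive") for i in range(fp)])

# Constructed triage history (hypothetical rule names): (rule, true positives, false positives)
TRIAGED = (make("malware_beacon", 4, 1) + make("failed_login_spike", 1, 9)
           + make("new_admin_user", 2, 0) + make("dns_long_query", 0, 3))

def rule_stats(alerts):
    """Per rule: (true positives, total triaged alerts). Untriaged alerts are ignored."""
    stats = defaultdict(lambda: [0, 0])
    for a in alerts:
        if a.disposition is None:
            continue
        stats[a.rule_id][1] += 1
        if a.disposition == "true_positive":
            stats[a.rule_id][0] += 1
    return {r: (tp, total) for r, (tp, total) in stats.items()}

def precision(stats, rule, prior=0.5):
    """Historical precision of a rule; a rule with no history gets a neutral prior so it is not buried."""
    tp, total = stats.get(rule, (0, 0))
    return prior if total == 0 else tp / total

def rules_needing_tuning(stats, min_alerts=5, max_fp_rate=0.8):
    """Rules with enough volume AND a false-positive rate above the threshold: candidates for
    tuning (adding business context, tightening thresholds), not for deactivation."""
    return sorted(r for r, (tp, total) in stats.items()
                  if total >= min_alerts and (total - tp) / total > max_fp_rate)

def prioritize(untriaged, stats):
    """Order an untriaged queue so alerts from historically reliable rules are reviewed first."""
    return sorted(untriaged, key=lambda a: precision(stats, a.rule_id), reverse=True)

# Constructed untriaged queue, including a rule with no triage history yet.
QUEUE = [Alert("q1", "failed_login_spike", None), Alert("q2", "new_admin_user", None),
         Alert("q3", "unknown_rule", None), Alert("q4", "malware_beacon", None)]

if __name__ == "__main__":
    stats = rule_stats(TRIAGED)
    print("tune:", rules_needing_tuning(stats))
    print("review order:", [a.alert_id for a in prioritize(QUEUE, stats)])
```

Note that `dns_long_query` is all false positives but falls below the volume threshold, so it is not flagged yet; a small sample is not evidence the rule is broken.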
ABOUT HAPPIEST MINDS
Happiest Minds enables Digital Transformation for enterprises and technology providers by delivering seamless customer experience, business efficiency and actionable insights through an integrated set of disruptive technologies: big data analytics, internet of things, mobility, cloud, security, unified communications and others.