False-positive alerts may expose organizations to data breaches instead of protecting them from real cybersecurity threats.
Information security teams waste time and effort tracking false positives—time that could be devoted to fighting actual threats.
In 2016, less than 20 percent of the 17,000 malware alerts organizations receive weekly were seen as reliable, according to a Ponemon Institute report on malware detection and prevention. But organizations spend $1.3 million, or 21,000 hours of time, investigating these false alarms nonetheless. To show this problem is not going away, in a more recent study by IDC, 37 percent of those surveyed said they dealt with 10,000 or more alerts every month—52 percent of which were false positives.
Managed security services providers (MSSPs) typically respond to 10 or more alerts each day, at least half of which are usually false positives, according to the results of an Advanced Threat Analytics (ATA) survey published in Infosecurity magazine. The survey revealed the extent to which MSSPs waste hours of time on false alerts. Each alert takes 10 minutes or more to investigate.
Unable or willing to keep up, companies are succumbing to alert overload. Almost 40 percent of the respondents to the ATA survey reported that they ignore certain types of alerts altogether.
Of course, by ignoring alerts, organizations could miss actual cybersecurity threats. According to Pritesh Parekh, CISO at Zuora, who spoke to CIO magazine for an article on how security tools’ effectiveness is hampered by false positives, alerts that may have prevented the Target data breach were “buried in hundreds of false positives and became deprioritized on the list of security items, resulting in a major data breach.”
Each new security measure organizations implement gives their information security teams more alerts to review. False positives typically come from defenses like network intrusion detection/prevention, endpoint protection platforms, and endpoint detection and response tools, CIO reported. They occur when harmless activity is marked as dangerous.
False positives are the most significant “hidden” cost of endpoint protection. Organizations have an average of seven agents per endpoint, all of which require monitoring, according to a Ponemon Institute study on endpoint security risk.
False positives often result from triggered rules, some of which can prompt thousands of alerts. A blog post on threat mitigation and the problem of false positives from LookingGlass Cyber Solutions, a provider of threat intelligence platforms and network-based threat response products, elaborates on the problem. The blog’s author identifies fatigued security personnel and technology that doesn’t recognize real cybersecurity threats correctly as the primary causes of false positives.
Hiring more workers isn’t a sustainable solution, according to ATA’s research on how MSSP incident responders are overwhelmed by false-positive security alerts. Nor is disabling security features or alerts to reduce the number of alerts an answer, because real threats could go unnoticed.
“The most effective way for MSSPs to break free from alert tyranny is to invest in technology that decreases the number of incidents generated," ATA president Alin Srivastava stated in a release announcing the research.
"When analysts are no longer bogged down in an unmanageable number of alerts, they can focus on what they were hired to do—mitigate risk by identifying true threats and responding quickly,” stated Srivastava.
Advanced analytics software can reduce false positives by developing an understanding of normal behavior and filtering out routine events accordingly. Software is also capable of automatically blocking threats such as malicious URLs.
With the proper technology, processes, and people, organizations can reduce false-positive cybersecurity alerts and devote their time and attention to protecting against real threats, as they should to prevent data breaches.