Solved: A Dramatic Reduction in False Positives and False Negatives
The effectiveness of any network security strategy depends on having accurate and complete visibility into what's going on. As part of this process, SOC analysts need to investigate security alerts, since these warning messages are, in theory, clear signs of a security incident.
That’s not always the case, though. On the one hand, many alerts are “false” in nature and thereby burden security analysts with pointless investigations. On the other hand, some security incidents never generate an alert at all and fly under the radar.
We need to address both situations if we want to prevent them from weakening our network security. To that end, in this post I'll describe two types of false events, false positives and false negatives, and explore why each matters for network security. We'll finish up by talking through some ways that you can manage both types.
What Are False Positives?
A false positive occurs when a security control identifies a file, network activity, website or other activity as malicious – a positive detection – when it does not pose a threat. Hence, the term “false positive”.
One source of false positives is network traffic analysis (NTA) tools that use only unsupervised machine learning to profile the network. Unsupervised machine learning organizes data into groups that it considers similar in some way: large clusters of similar data are treated as normal, and small clusters that differ from the rest of the data (outliers) are treated as anomalies. But not all threats are anomalies and not all anomalies are threats, so NTA tools that rely on this technique alone trigger lots of false positives, and they also miss threats whose traffic blends in with the normal clusters.
False positives are perhaps even more common with antivirus (AV) software and intrusion detection and prevention systems (IDPS) that use a collection of broad rules and signatures to detect threats. These tools lack the contextual data (such as host behavior patterns, business criticality of assets, and user behavior on the network) needed to distinguish a real threat from a benign match. As a result, AV and IDPS often generate high volumes of false positives and low-fidelity alerts.
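To make the two failure modes concrete, here is an added example (not Lastline's code or detection logic) that runs three hand-written detectors over a set of constructed one-hour flow summaries: a single-feature unsupervised outlier profiler (median/MAD robust z-score, threshold 3.5), a reputation-only signature rule, and a rule set that adds the kind of context the paragraph above describes (traffic direction and an assumed server inventory, `KNOWN_SERVERS`). It then counts true/false positives and negatives against ground truth, so the false positive rate and false negative rate of each approach can be compared directly. The flow records, IP addresses, host names and inventory are all invented for illustration, and the contextual rules are deliberately simple.

```python
"""Added illustration (not Lastline code): how an unsupervised outlier
profiler and a signature/reputation rule each produce false positives and
false negatives on the same traffic, and how adding direction and asset
context changes the outcome. All flow records and asset lists are constructed."""
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    bytes_out: int
    external: bool    # True = north/south (crosses the perimeter), False = east/west
    known_bad: bool   # destination is on a reputation blocklist
    malicious: bool   # ground truth, known only in hindsight; never used by detectors


# Constructed one-hour flow summaries, one per src->dst pair (example data only).
FLOWS = [
    Flow("ws-01", "203.0.113.10", 1_400, True, False, False),          # web browsing
    Flow("ws-02", "203.0.113.11", 2_100, True, False, False),
    Flow("ws-03", "203.0.113.12", 1_900, True, False, False),
    Flow("ws-04", "10.0.0.20", 2_400, False, False, False),            # file-server access
    Flow("ws-05", "10.0.0.20", 1_700, False, False, False),
    Flow("ws-06", "203.0.113.13", 2_800, True, False, False),
    Flow("backup-01", "10.0.0.50", 900_000_000, False, False, False),  # nightly backup: rare, benign
    Flow("ws-07", "198.51.100.7", 1_600, True, True, True),            # low-volume C2 beacon to blocklisted host
    Flow("ws-08", "10.0.0.21", 2_000, False, False, True),             # lateral move to a peer workstation
    Flow("ws-09", "192.0.2.99", 650_000_000, True, False, True),       # bulk exfil to an unknown external host
]

# Assumed asset inventory: context that neither a pure outlier profiler
# nor a signature engine has on its own.
KNOWN_SERVERS = {"10.0.0.20", "10.0.0.50"}


def robust_z_scores(values):
    """Median/MAD z-score: a simple single-feature outlier statistic."""
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    if mad == 0:
        return [0.0] * len(values)
    return [0.6745 * (v - med) / mad for v in values]


def detect_anomaly(flows, threshold=3.5):
    """Unsupervised: flag any flow whose volume is a statistical outlier."""
    return [abs(z) > threshold for z in robust_z_scores([f.bytes_out for f in flows])]


def detect_signature(flows):
    """Signature/reputation only: flag flows to blocklisted destinations."""
    return [f.known_bad for f in flows]


def detect_contextual(flows, threshold=3.5):
    """Hand-written rules combining the outlier score with direction and
    asset context. Illustrative only, not any product's logic."""
    verdicts = []
    for f, z in zip(flows, robust_z_scores([f.bytes_out for f in flows])):
        if f.known_bad:
            verdicts.append(True)        # reputation hit
        elif abs(z) > threshold and f.external:
            verdicts.append(True)        # outlier volume leaving the perimeter
        elif not f.external and f.dst not in KNOWN_SERVERS:
            verdicts.append(True)        # workstation-to-workstation east/west traffic
        else:
            verdicts.append(False)
    return verdicts


def confusion(flows, verdicts):
    """Count outcomes against ground truth and derive the two error rates."""
    c = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    key = {(True, True): "tp", (True, False): "fp", (False, True): "fn", (False, False): "tn"}
    for f, flagged in zip(flows, verdicts):
        c[key[(flagged, f.malicious)]] += 1
    benign, bad = c["fp"] + c["tn"], c["fn"] + c["tp"]
    c["fpr"] = c["fp"] / benign if benign else 0.0   # benign flows that raise an alert
    c["fnr"] = c["fn"] / bad if bad else 0.0         # malicious flows that raise none
    return c


if __name__ == "__main__":
    for name, detector in [("anomaly", detect_anomaly),
                           ("signature", detect_signature),
                           ("contextual", detect_contextual)]:
        verdicts = detector(FLOWS)
        flagged = [f.src for f, v in zip(FLOWS, verdicts) if v]
        print(f"{name:10s} flagged={flagged} {confusion(FLOWS, verdicts)}")
```

On this data the outlier profiler flags the benign backup job (a false positive) and misses both the low-volume beacon and the lateral move (two false negatives), the reputation rule catches only the beacon, and the contextual rules catch all three. The contextual rules are not free of risk either: a new server missing from `KNOWN_SERVERS` would immediately generate false positives, which is why inventory and context data must be maintained alongside the detection logic.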
In its whitepaper, “False Positives: The Cure is Worse than the Disease,” Lastline found that false positives are the most prevalent factor behind the growing number of security alerts now confronting organizations. This flood of false positives results in security analysts wasting their time on fruitless investigations.
And this effort is taking a significant amount of time. A report from the Ponemon Institute found that the average security analyst loses a quarter of work time to false positives. When broadened out to the entire security team or SOC, organizations might be losing the equivalent of several team members who could otherwise be investigating actual security incidents.
The ultimate impact of the large volume of false positives received by any security team is alert fatigue that results in either ignoring a significant number of alerts (see our blog post on this issue), or rushed investigations that risk missing real threats. Both scenarios result in increased risk to the organization.
Rishi Bhargava, co-founder and VP of marketing for Demisto, said it well when he explained this reality for Security Now:
“Even if staff members can evaluate an average of 12 alerts per hour, which does not provide sufficient time for a thorough analysis, each team member would be able to review fewer than 100 alerts per day. After weeks or months of facing a mountain of alerts that they cannot possibly clear, staff members may become desensitized to alarms, leading them to overlook alerts on legitimate threats.”
What Are False Negatives?
False negatives are a bigger concern than false positives because they result in real threats going undetected. Instead of receiving an alert for something that turns out to be harmless, organizations receive no alert at all for something that does in fact pose a threat to their security. In other words, when something is analyzed, it's deemed not to be a threat (a negative assessment) and is released, even though it's malicious.
False negatives are especially prevalent in email. In Q3 2019, for instance, Mimecast found that 28,783,892 spam emails, 28,808 malware attachments and 28,726 dangerous file types borne by email all evaded email defenses and successfully arrived in users' inboxes. This constituted a false negative rate of 11 percent for all emails inspected during the quarter.
IDPS and AV tools that rely heavily on signatures and reputation simply cannot keep up with the high volume of dynamically changing malware-based attacks. Criminals can easily repack or modify malware so that it no longer matches an existing signature, and rotate IP addresses and domains to defeat reputation rules. In a 2019 study, Lastline found that two-thirds of malware samples had never been reported to VirusTotal.
Needless to say, false negatives are no laughing matter. These non-alerts serve as the source of numerous security incidents. Indeed, more than a quarter (27.7 percent) of respondents to a Cloud Security Alliance survey said they had experienced a security incident that didn’t generate any alert at all.
The result is a threat left to do what it’s designed to do, operating freely within your operations.
How to Reduce False Positives and Negatives
There’s hope yet. In the fight against false positives and false negatives, the first step is to realize that ignoring certain security alerts isn’t the answer and that better security technology is needed to automate accurate threat detection.
Lastline's network detection and response (NDR) uses both unsupervised and supervised machine learning to distinguish between malicious and benign activity. Supervised learning is trained on labeled examples of good and bad behavior, which lets it classify new activity as malicious or benign rather than merely unusual.
When activity is deemed malicious, Lastline’s NDR provides relevant context so that your security team can act on the breach right away, including:
- Traffic crossing your perimeter and moving laterally in your network
- The extent and duration of every event
- All attack stages
- Compromised systems
- Communication between local and external systems
- Data sets accessed and harvested
As for false negatives, the way to decrease them is simply to do a better job of detecting real threats. Lastline's Global Threat Intelligence is updated and shared as soon as any user detects a new threat. Threat detection often requires looking beyond signatures and reputation at the actual malicious behaviors engineered into a file. Lastline uses Artifact Analysis to reveal unique file behaviors, such as the activity observed when executing programs, opening documents, unpacking archives and rendering web content.
Lastly, it’s essential to monitor all network traffic, both north/south and east/west traffic, to avoid missing threats. Effective cybersecurity starts with the premise that some threats will get through IDPS and other tools focused on north/south traffic and considers detecting lateral movement with NTA as an essential capability.
The ideal NDR solution for reducing false positives and false negatives uses a combination of technologies including NTA, IDPS, Artifact Analysis, and global threat intelligence, all powered by AI in order to accurately analyze large volumes of network traffic.
Learn how Lastline’s NDR uses these technologies to reduce thousands of alerts down to a handful of real intrusions.
By Teresa Wingfield, November 25, 2019