False positives are a symptom of a problem, not the cause
Security “alert fatigue” is a real problem. According to a recent SANS Institute report, alert fatigue is one of the biggest barriers to retaining security talent.
Many of the most common security tools, including security information and event management (SIEM) tools and intrusion detection systems (IDS), are notoriously “noisy,” generating large numbers of false positives that security analysts then have to investigate.
The prevalence of false positives means that genuine detections can be overlooked or lost for lack of time and resources.
Of course, false positives are a real problem in themselves, because they exhaust already stretched security resources. But false positives are a symptom of a problem, not the cause. So what is at the root of the alert problem, and what can be done to correct it?
It’s no secret that IT environments are becoming more complex every day. Multiple cloud environments and hybrid clouds increase agility, but they hinder a unified view of activity across the environment.
Remote workers introduce new devices that may be poorly managed or not managed at all. The introduction of 5G and advances in smart devices mean that more and more systems are being connected to network resources, and many of these devices cannot be managed by traditional means at all.
All of these interconnected systems contribute to “noise,” a challenge exacerbated by the fact that, with many traditional security tools, it is very difficult to correlate behavior across these different environments and device types even when that data is accessible.
In security, the speed and fidelity of the data are essential. Security analysts need real-time information about what is going on in their environment, but they often struggle to get a full picture. This is because the data on which many tools, including SIEM, have traditionally been built is incomplete.
SIEM tools are essentially log aggregators. They collect logs from across the infrastructure and then trigger alerts, usually without context, for security teams to sort and prioritize. The challenge is compounded by the fact that the log record itself is almost always incomplete: most organizations do not have logging enabled for every part of the infrastructure.
The most common attack patterns take advantage of things like DNS, whose query logs are so voluminous that they are rarely collected in full, leaving significant gaps in visibility. It can also be difficult to add new data feeds to SIEM products and to keep track of the feeds that already exist.
As a result, alerts issued by most SIEM tools are based only on a snapshot of the data, which makes it difficult to recognize false alerts and leaves security teams examining (and, too often, ignoring) thousands of potential security incidents. And it is not just SIEM. Firewalls and antivirus tools each see only their own slice of the environment, and the SIEM that consumes their output inherits the same data quality problems.
But it is not just data quality that is the source of false positives. It is also the static nature of many common security tools. Historically, SIEM products have required a lot of work to set up and use, and the rules on which they depend are configured by hand and rarely tuned to the specific environment.
Like SIEM, IDS and firewalls must be manually configured to detect threat activity based on rules and signatures. While this is important for detecting known malicious behavior, it can also end up alerting repeatedly and insistently on what is normal behavior for a particular environment, while previously unseen malicious behavior patterns are missed entirely.
Endpoint protection platforms and antivirus tools only provide visibility into devices that can be instrumented. While the vast majority of data center endpoints can be managed this way, IoT and OT device populations cannot. Even for devices that can be managed with these tools, instrumenting them with the right agent is usually a manual process.
Respond to alerts that matter
Older technologies like IDS have given network security a bad reputation, but network data is incredibly valuable when it comes to detection and response.
Advances in machine learning (ML) and behavior analysis have made it possible not only to analyze network traffic, but to obtain high-fidelity detections that keep teams focused on the most important threats rather than chasing false positives.
By scoring each detection on the complexity of the abnormal behavior, the probability that it indicates a real problem, and how frequently it recurs, the risk of an alert can be quantified. Bucketing those scores into low, medium and high lets security teams prioritize statistically and recover the time they would otherwise spend investigating false positives.
Behavior-based and ML detections also have the advantage of being able to detect unknown attack vectors, because they do not depend on signatures the way IDS and SIEM tools do. They can surface activity for which no indicator of compromise (IOC) has yet been published, by using ML to build profiles of expected behavior and flagging deviations from them.
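To make the contrast between a static signature and a behavioral baseline concrete, here is an added example that is not part of the original article or of any product it alludes to. It runs a broad IDS-style rule and a per-host baseline detector over a constructed DNS query log, then scores each behavioral alert on the three factors named above (complexity of the anomaly, probability that it is a problem, frequency) and buckets it into low, medium or high. The log lines, the regular expression, the weights and the thresholds are all assumptions chosen for the illustration; a real deployment would learn the baseline over a longer window and tune the weights to its own environment.

```python
"""
Signature rule versus behavioral baseline over a constructed DNS query log.
Added illustration: the log lines, the rule, the weights and the thresholds
are assumptions chosen for the example, not data or code from any product.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed learning-window log: (time, source host, queried name).
BASELINE_LOG = [
    ("09:00", "ws-01", "intranet.corp.example"),
    ("09:01", "ws-01", "updates.vendor.xyz"),
    ("09:02", "ws-02", "intranet.corp.example"),
    ("09:03", "ws-02", "cdn.vendor.xyz"),
    ("09:04", "ws-03", "intranet.corp.example"),
    ("09:05", "ws-03", "mail.corp.example"),
]

# Constructed live log for the same hosts.
LIVE_LOG = [
    ("10:00", "ws-01", "updates.vendor.xyz"),              # routine, trips the rule
    ("10:01", "ws-01", "updates.vendor.xyz"),              # ... and trips it again
    ("10:02", "ws-02", "intranet.corp.example"),
    ("10:03", "ws-02", "k3j9x2q8v7t1.cdn-telemetry.net"),  # never seen, DGA-like
    ("10:04", "ws-02", "p0w4m6z1b5yq.cdn-telemetry.net"),
    ("10:05", "ws-02", "c8n2r7h4d6ks.cdn-telemetry.net"),
    ("10:06", "ws-03", "intranet.corp.example"),
    ("10:07", "ws-03", "mail.corp.example"),
    ("10:08", "ws-03", "news.corp.example"),               # new, but mundane
]

# An overly broad static rule of the kind an IDS or SIEM might carry (assumed).
SIGNATURE = re.compile(r"\.xyz$")

# Weights and cut-offs are assumptions for the example, not a standard.
WEIGHTS = {"complexity": 0.5, "probability": 0.3, "frequency": 0.2}
FREQ_CAP = 3          # this many novel queries saturates the frequency factor
MAX_ENTROPY = 4.0     # bits/char used to normalise label entropy into [0, 1]


def signature_alerts(log):
    """Static rule: fires on every match, with no notion of what is normal."""
    return [rec for rec in log if SIGNATURE.search(rec[2])]


def label_entropy(name):
    """Shannon entropy (bits per character) of the leftmost DNS label."""
    label = name.split(".")[0]
    counts = Counter(label)
    return -sum((c / len(label)) * math.log2(c / len(label)) for c in counts.values())


def build_baseline(log):
    """Names each host queried during the quiet learning window."""
    seen = defaultdict(set)
    for _, host, name in log:
        seen[host].add(name)
    return seen


def bucket(score):
    """Map a score in [0, 1] to the low/medium/high levels named in the text."""
    if score >= 0.75:
        return "high"
    if score >= 0.5:
        return "medium"
    return "low"


def behavioral_alerts(baseline, log):
    """One scored alert per host whose live traffic deviates from its baseline.

    complexity  : how unusual the novel names look (normalised label entropy)
    probability : share of the host's live queries that are novel
    frequency   : how many novel queries occurred, capped at FREQ_CAP
    """
    per_host = defaultdict(list)
    for _, host, name in log:
        per_host[host].append(name)
    alerts = {}
    for host, names in per_host.items():
        novel = [n for n in names if n not in baseline[host]]
        if not novel:
            continue  # nothing deviates from the baseline: no alert, no noise
        complexity = min(max(label_entropy(n) for n in novel) / MAX_ENTROPY, 1.0)
        probability = len(novel) / len(names)
        frequency = min(len(novel) / FREQ_CAP, 1.0)
        score = (WEIGHTS["complexity"] * complexity
                 + WEIGHTS["probability"] * probability
                 + WEIGHTS["frequency"] * frequency)
        alerts[host] = {"score": round(score, 3), "level": bucket(score), "names": novel}
    return alerts


if __name__ == "__main__":
    print("signature rule:", signature_alerts(LIVE_LOG))
    print("behavioral    :", behavioral_alerts(build_baseline(BASELINE_LOG), LIVE_LOG))
```

On this input the signature fires twice, both times on ws-01's routine vendor lookups, and never on the three random-looking names from ws-02. The baseline detector is silent for ws-01, rates ws-03's single new internal name low, and rates ws-02 high because its novel names are high-entropy, make up most of its window, and recur. The same scoring shape extends naturally to other network features (bytes out, destination ports, TLS SNI) once a per-host baseline exists for them.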
Behavior-based detection gives teams the most conclusive information about security events and provides forensic-level evidence that they can use to understand and report the extent of an incident.
The network also has a significant advantage over other data sources. Unlike logs, which can be deleted, or agents, which can be detected and disabled by threat actors, network monitoring is passive and out of band. (Encryption limits what passive inspection can see of payloads, but connection metadata such as endpoints, timing and volume remains observable.)
With more advanced threats and more complex environments, security teams need greater visibility, richer alert context, and the ability to respond quickly to legitimate threats. Network data removes much of the guesswork, so security teams can focus their efforts on threats that need further investigation or intervention rather than on low-value false positives.
Clearing the queue efficiently, on the basis of real-time analytics, leads to happier SOC analysts and ultimately to better security for the organization. Behavior-based detection is the antidote to security team alert fatigue.