Thanks to technologies such as intrusion detection systems, services such as threat intelligence and other emerging sources of information, security programs today are gathering unprecedented amounts of data about threats and attacks.
This can help strengthen the security posture of organizations in a big way, by giving them a heads-up on the latest threats. But unfortunately it can also add to the nagging and costly problem of false positives: normal or expected behaviors that are identified as anomalous or malicious.
False positives are a problem not only because they take up manpower and time to address, but also because they can distract companies from dealing with legitimate security alerts.
According to a 2015 report by research firm Enterprise Management Associates (EMA), entitled “Data-Driven Security Reloaded,” half of the more than 200 IT administrators and security professionals surveyed said too many false positives are keeping them from being confident in breach detection.
When asked for the key value drivers for advanced analytics software, about 30 percent of the organizations surveyed cited reduced false positives.
“False positives have always been a problem with security tools, but as we add more layers to our security defenses, the cumulative impact of these false positives is growing,” says Paul Cotter, security infrastructure architect at business and technology consulting firm West Monroe Partners.
The most common false positives exist in products such as network intrusion detection/prevention, endpoint protection platforms and endpoint detection and response tools, says Lawrence Pingree, research director for security technologies at Gartner.
“Each of these solutions uses a variety of techniques to detect attacks, such as signature patterns, behavioral detections, etc.,” Pingree says. “False positives are a problem because the nature of trying to detect bad behaviors sometimes overlaps with indication of good behavior.”
A good example of how false positives can have an impact is the Target data breach, “where the technology used to monitor intrusions provided multiple alerts on different occasions regarding suspicious activities,” says Pritesh Parekh, CISO at Zuora, a billing platform for subscription services such as Netflix.
“The alerts were buried in hundreds of false positives and became deprioritized on the list of security items, resulting in a major data breach,” Parekh says.
There is a fine balance that security professionals need to strike to address the issue, Cotter says. On the one hand, they need to ensure that a tool does not interfere with daily operations and does not generate additional work for the organization. But on the other hand, they have to recognize that a single false negative (for example, an undetected intrusion) can have a far greater impact on the organization as a whole than many false positives.