For example, an investigator will examine a detected malicious event and then determine the likelihood that an activity is malicious. “Investigators must go through a variety of steps to determine maliciousness, for example examining whether or not data exfiltration occurred or whether the behavior looks like acceptable behavior when more closely examined,” Pingree says.
Most products provide greater detail to determine whether something looks like a false positive detection, Pingree says. An investigator might compare the detected event to that of known good samples of files, such as whitelists.
If the investigation is of a network-based alert, investigators might examine other data sources about the IP address involved, such as the domain name, or other maliciousness-rating capabilities such as IP reputation scores and malware scanning of the URL itself.
“Sometimes these scores are derived by examining past behavior or the inclusion of a particular URL or IP address in past attacks,” Pingree says. “There is some guesswork involved in this, however most of the time it is possible to determine whether something is more than likely a false positive versus a real threat by examining logs, packet captures or other user activities involved in the incident more closely.”
When configuring and tuning new security tools to reduce the number of false positives and ensure adequate coverage, organizations need to take an incremental and phased approach and have a thorough understanding of the environment they are protecting to make intelligent tuning decisions, Parekh says. “Tuning is an ongoing process that needs to account for changes in the environment,” he says.
Once tuning has limited the number of false positives, an organization should determine a process to take action on the remaining alerts based on risk. “This involves determining indicators of compromise that can be used to identify alerts that pose the most risk and addressing in a timely fashion,” Parekh says.
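The enrichment steps described above (comparing a file alert against a known-good allowlist, looking up IP reputation, checking whether an indicator appeared in past incidents, and checking for exfiltration-sized outbound transfers) and the risk-based prioritisation of whatever survives can be sketched as a small triage routine. The following is an added example, not code from the article or from any of the vendors quoted; every feed, hash, IP address, domain and threshold in it is a constructed placeholder, and the scoring weights are illustrative tuning knobs rather than anything the article prescribes.

```python
"""Alert triage: enrich alerts with allowlist, reputation and incident-history
context, then rank the survivors by risk. All data is constructed for illustration."""
from dataclasses import dataclass, field
from typing import List

# Constructed allowlist of known-good file hashes (placeholders, not real hashes).
KNOWN_GOOD_HASHES = {"sha256:aaaa0001", "sha256:aaaa0002"}

# Constructed IP reputation feed: 0 (clean) .. 100 (confirmed malicious).
IP_REPUTATION = {"198.51.100.23": 85, "203.0.113.7": 12}

# Constructed record of indicators seen in this organisation's own past incidents.
PAST_INCIDENT_INDICATORS = {"198.51.100.23", "bad.example"}

# Constructed allowlist of domains the business talks to routinely.
APPROVED_DOMAINS = {"updates.example"}

# Tuning knob (assumed value): outbound volume above which a network alert
# is flagged as possible exfiltration.
EXFIL_BYTES_THRESHOLD = 50_000_000  # 50 MB

# Tuning knob (assumed value): risk below this is treated as a likely false positive.
FALSE_POSITIVE_CUTOFF = 20


@dataclass
class Alert:
    alert_id: str
    kind: str            # "file" or "network"
    file_hash: str = ""
    remote_ip: str = ""
    domain: str = ""
    bytes_out: int = 0   # bytes sent to remote_ip during the event


@dataclass
class Verdict:
    alert_id: str
    risk: int                      # 0..100
    likely_false_positive: bool
    reasons: List[str] = field(default_factory=list)


def triage(alert: Alert) -> Verdict:
    """Enrich one alert and return a risk score with the reasons behind it."""
    risk = 0
    reasons: List[str] = []

    if alert.kind == "file":
        if alert.file_hash in KNOWN_GOOD_HASHES:
            reasons.append("hash on known-good allowlist")
            return Verdict(alert.alert_id, 0, True, reasons)
        risk += 40
        reasons.append("hash not on allowlist")

    elif alert.kind == "network":
        if alert.domain in APPROVED_DOMAINS:
            reasons.append("domain is business-approved")
            return Verdict(alert.alert_id, 5, True, reasons)
        # Unknown IPs get a neutral score rather than being assumed clean.
        rep = IP_REPUTATION.get(alert.remote_ip, 50)
        risk += rep // 2
        reasons.append(f"ip reputation {rep}")
        if alert.remote_ip in PAST_INCIDENT_INDICATORS or alert.domain in PAST_INCIDENT_INDICATORS:
            risk += 30
            reasons.append("indicator seen in past incident")
        if alert.bytes_out > EXFIL_BYTES_THRESHOLD:
            risk += 30
            reasons.append("outbound volume suggests exfiltration")

    risk = min(risk, 100)
    return Verdict(alert.alert_id, risk, risk < FALSE_POSITIVE_CUTOFF, reasons)


def prioritize(alerts: List[Alert]) -> List[Verdict]:
    """Drop likely false positives and return the rest, highest risk first."""
    verdicts = [triage(a) for a in alerts]
    return sorted(
        (v for v in verdicts if not v.likely_false_positive),
        key=lambda v: v.risk,
        reverse=True,
    )


if __name__ == "__main__":
    sample = [  # constructed alerts
        Alert("A1", "file", file_hash="sha256:aaaa0001"),
        Alert("A2", "file", file_hash="sha256:ffff0009"),
        Alert("A3", "network", remote_ip="198.51.100.23", domain="bad.example", bytes_out=120_000_000),
        Alert("A4", "network", remote_ip="203.0.113.7", domain="updates.example"),
    ]
    for v in prioritize(sample):
        print(v.alert_id, v.risk, "; ".join(v.reasons))
```

The point of returning `reasons` alongside the score is that the investigator can see which enrichment step drove the verdict, which is also what tells you which knob to adjust when tuning produces too many or too few escalations.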
Occasional false positive investigations are not entirely sunk costs, Cotter adds. “These incidents can be seen as an opportunity to exercise the incident response plan, and identify areas of process improvement for future incorporation into the organization’s policies and procedures,” he says. “Also, it should be recognized that an occasional false positive is a good thing to keep people aware of how incident response must be handled, as well as help validate the operation of tools and continually fine-tune their configuration.”