Page 27 - GCN, March and April 2017

INDUSTRY INSIGHT
BY NEELIMA RUSTAGI

7 ways to filter out false cybersecurity alerts
Modern organizations deal with a virtual tsunami of security alerts on a daily basis. In a recent survey, 10 percent of respondents said they handled more than 50,000 alerts every day, and approximately 33 percent reported that their daily total exceeded 1,000 alerts. A Ponemon Institute study found that 37 percent of respondents faced more than 10,000 daily alerts, with 52 percent of them being false positives.

False positives can cost an organization tens of thousands of wasted hours, which can easily add up to hundreds of thousands or even millions of dollars. And the costs can be substantially higher if real threats are missed because staff members are forced to look for the proverbial needle in the haystack.

Reducing the number of false positives and efficiently handling the ones that are generated have become top priorities for many organizations. However, without an effective strategy, those two goals might as well be added to a wish list that never becomes a reality.

Here are seven tips to avoid that outcome.

1. Have a panel of security experts review each rule. The more “eyes” that examine a proposed rule before it is added to the system, the less likely that rule will generate false positives.

2. Test the rules before committing to them. Silent testing will help determine whether the rules are generating false positives without interfering with legitimate operations. When adding a blocking rule, for example, organizations should make sure that employees and customers are not denied legitimate access if their actions inadvertently trigger a false positive.

3. Run additional iterations of rules that trigger false positives. Strategies include modifying the rule or dividing it into multiple rules that have greater specificity and then continuing to test each one as a silent rule until it returns no false positives.

4. Build relationships with other departments to handle special situations. For example, if an agency normally processes 1,000 hits per minute on its website, it’s important to know if the marketing team is planning a national TV campaign that is expected to generate 500,000 hits within a few minutes of the ad’s airing. A rule might interpret the sudden burst of activity as a denial-of-service attack, and if it blocks traffic as a result, the money spent on the campaign could be wasted.

5. Be careful when writing rules that rely on wildcards, especially if the string contains commonly used words. One example would be a line of PHP code designed to protect against SQL injections. The code might contain words such as “select,” “from” or “where.” If the rule is designed to block instances where those words appear, false positives will likely occur.

6. Automate incident response. Organizations should look for a platform that can handle many of the mundane tasks that are currently taking too much staff time so they can free analysts for more important tasks, including a thorough evaluation of false negatives.

7. Practice proactive hunting. According to a Bank of America analyst, there are almost 400 new threats per minute in the United States, and 70 percent of them go undetected. Instead of relying on information on known threats or signatures — which might not be disseminated until weeks or even months after they appear — agencies should hunt for anomalies and suspicious behavior to limit exposure and mitigate damage.

As the volume of alerts continues to increase, eliminating false positives and developing new methods of handling them will become increasingly critical. Although the task might seem overwhelming, the right combination of strategy, personnel, automation and tools can help agencies save money while strengthening their defenses.
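Tips 2, 3 and 5 describe silent-mode rule testing and the trap of keying a rule on common SQL words. As an added example that is not part of the article, the following Python runs such a broad keyword rule and a narrower successor in silent mode over a constructed, analyst-labelled sample of request query strings and scores each rule; the rule patterns, the sample requests and the promotion criterion are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample of web-request query strings with a ground-truth label
# (True = genuinely malicious). Illustrative data only, not real traffic.
SAMPLE_REQUESTS = [
    ("page=about", False),
    ("q=select+a+plan+from+the+list", False),                # ordinary search text
    ("snippet=SELECT+name+FROM+users+WHERE+id%3D1", False),  # code pasted into a forum post
    ("id=1'+OR+'1'%3D'1", True),                             # classic tautology probe
    ("id=1+UNION+SELECT+password+FROM+users--", True),       # data-extraction attempt
]

# The rule warned about in tip 5: it fires on common SQL words wherever they appear.
BROAD_RULE = re.compile(r"\b(select|from|where)\b", re.IGNORECASE)

# A more specific successor (hypothetical): the keyword must co-occur with
# injection syntax such as a quote-delimited OR, a UNION SELECT or a stacked DROP.
SPECIFIC_RULE = re.compile(r"union\s+select|'\s*or\s*'|;\s*drop\b", re.IGNORECASE)


def evaluate_silently(rule, requests):
    """Tip 2: run a rule in silent mode, counting hits against labels and blocking nothing."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for raw, malicious in requests:
        hit = rule.search(unquote_plus(raw)) is not None
        if hit and malicious:
            counts["tp"] += 1
        elif hit and not malicious:
            counts["fp"] += 1
        elif not hit and malicious:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    return counts


def ready_to_block(counts):
    """Tip 3: promote a silent rule to blocking only once it returns no false positives."""
    return counts["fp"] == 0 and counts["tp"] > 0


if __name__ == "__main__":
    for name, rule in (("broad", BROAD_RULE), ("specific", SPECIFIC_RULE)):
        counts = evaluate_silently(rule, SAMPLE_REQUESTS)
        print(f"{name:9s} {counts}  promote={ready_to_block(counts)}")
```

On this sample the broad rule both flags two benign requests and misses the tautology probe, while the narrower rule catches both malicious requests with no false positives and is the only one that qualifies for promotion.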
— Neelima Rustagi is director of product management at Demisto.