How False Positives can ruin your day - and how to stop them
False positives can seriously ruin your day, and can cost enterprises serious money. Using a recent example as illustration, we share some key tips on how to mitigate false alerts.
The world of ‘False Positives’ will be a familiar topic for many security pros, and especially IDS managers, but the repercussions can reach out and touch almost any part of a business. An everyday example cropped up over the weekend, when a commonplace signature update for Sophos anti-malware products included an unwanted addition.
The rogue malware signature caused the AV tool to flag winlogon.exe, part of the Windows logon subsystem, as a Trojan program called Troj/FarFli-CT. Inevitably, blocking it from running resulted in trouble for some users. False positives in AV tools used to be far more common, but whitelisting of the most common software has generally reduced them, especially for core parts of the Windows system.
Sophos, to be fair, issued an update correcting the error within hours, and claimed that the issue only affected the 32-bit version of Windows 7 SP1, not Windows XP, Vista, 8 or 10. Sophos Enterprise Console users will need to clear down several alerts to resolve the issue, according to a support article, which also downplayed the significance of the issue, stating: “Based on current case volume and customer feedback, we believe the number of impacted systems to be minimal and confined to a small number of cases.”
In spite of the rebuff, Twitter users were less enthusiastic, in one case pointing out that “An email would have been nice. I cannot imagine the costly overtime $ and panicked IT staff like myself working on this.”
Research recently uncovered that false positive alerts as a whole have far wider impacts than ruining a few IT support staffers’ weekends. Enterprises spend $1.3 million a year dealing with false positive cyber security alerts, which equates to nearly 21,000 hours of wasted time. In a typical week, organizations receive an average of nearly 17,000 malware alerts; only 19 per cent are deemed reliable, according to research from the Ponemon Institute. The real problem, however, is what false positives cause: only a few are needed to drown out legitimate alerts. If a single analyst can review one alert every five minutes, that analyst can review around 100 alerts per day - but a single misbehaving rule can generate thousands of alerts in a short period of time.
Interestingly, in spite of these huge volumes of alerts, the research found that very few organisations (only 41 per cent) have automated tools that capture intelligence and evaluate the actual threat posed by malware, and, shockingly, 33 per cent of organizations revealed that they have an unstructured or “ad hoc” approach to malware containment.
Using automated tools to detect malware or malicious activity on your network is of course a sensible plan, and in today’s threat landscape automating where possible is the only practical choice. Of course automation cuts response time significantly too, and can also ensure malware is contained without significant manual intervention. However, human input and/or intervention will always be required at some level, even with something as simple as a malware signature detection tool, as the Sophos example demonstrates. The best solutions will take a hybrid approach - like ImmuniWeb Web Security Platform - which will deliver the best blend of efficiency and cost-effectiveness. In fact, ImmuniWeb guarantees 100 per cent freedom from false positive vulnerability alerts through this process.
Human intervention is a double-edged sword though, and the most essential time/cost saving element of this is to have a robust internal framework dictating scope and escalations, etc, as well as a single point of responsibility. The latter can be an individual or a function in larger organisations, but it’s essential to ensure that clear lines of communication are established before an incident, rather than invented during one. A structured approach is also key to effectively using automated tools, thus maximising the effectiveness of manpower.
Another key question - and perhaps the most important - is to consider carefully the provenance of the alerts you’re responding (or indeed not responding) to. Anomalous behavior in one area of an organization may be acceptable, but highly suspect in another. As an example, NBT (NetBIOS over TCP/IP) traffic is normal in a Windows LAN environment but not generally expected on the Internet. On its own, an alert is simply an uncorroborated artefact from system log data; some corroborating evidence should be required before taking action.
Externally sourced intelligence deserves the same scrutiny as internally generated alerts: according to Ponemon's research, 69 per cent of organisations use vendor-supplied information as their main source of threat intelligence, while 64 per cent use peer-to-peer communications. Government and law enforcement sources, by contrast, are rarely used as intelligence sources.
Although using automated detection tools, implementing a response framework and corroborating evidence from a variety of sources will significantly reduce the time lost to false positives, it’s inevitable that a small number will still occur. However, constantly refining this blend of techniques as the threat landscape evolves will minimise them, lowering your overall risk profile and making the best use of scarce human resources.
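A small triage model of the two points above (a misbehaving rule swamping analyst capacity, and an NBT alert whose meaning depends on where the traffic is going), added here as an example and not code from the article, Sophos or ImmuniWeb: it holds back any rule whose volume alone exceeds the 100-alerts-a-day analyst capacity, treats NBT traffic as expected inside the LAN but suspect towards the Internet, and escalates a host only when a second, independent rule corroborates the first. The alert records, rule names and addresses are constructed for the demo, and the LAN is assumed to be the RFC 1918 ranges.

```python
import ipaddress
from collections import Counter, defaultdict

ANALYST_ALERTS_PER_DAY = 100   # the article's figure: one alert every five minutes, ~100 a day
NBT_PORTS = {137, 138, 139}    # NetBIOS over TCP/IP (NBT) name, datagram and session services
# Assumption for the demo: the organisation's LAN is exactly the RFC 1918 space.
LAN = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample alerts, not real telemetry: (rule, src, dst, dst_port); "-" marks a host-only alert.
ALERTS = (
    [("nbt_session", "10.0.1.5", "10.0.1.20", 139)] * 3       # NBT inside the LAN: expected
    + [("nbt_session", "10.0.1.5", "203.0.113.9", 139)]       # NBT towards the Internet: suspect
    + [("smb_exec", "10.0.1.5", "203.0.113.9", 445)]          # a second rule on the same host
    + [("nbt_session", "10.0.1.7", "198.51.100.4", 137)]      # suspect, but nothing corroborates it
    + [("winlogon_trojan", f"10.0.2.{i}", "-", 0) for i in range(1, 401)]  # one rule, 400 hits
)

def is_internal(ip):
    """True when the address falls inside one of the LAN ranges; unparsable values are not internal."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LAN)

def verdict(src, dst, dst_port):
    """Same signature, different provenance: NBT on the LAN is normal, NBT to the Internet is not."""
    if dst_port in NBT_PORTS and is_internal(src) and is_internal(dst):
        return "expected"
    return "suspect"

def noisy_rules(alerts, analysts=1):
    """Rules whose volume alone exceeds what the analyst team can review in a day."""
    counts = Counter(rule for rule, *_ in alerts)
    return {rule for rule, n in counts.items() if n > ANALYST_ALERTS_PER_DAY * analysts}

def triage(alerts, analysts=1):
    """Hosts to act on: at least two distinct, non-noisy rules fired with a 'suspect' verdict."""
    noisy = noisy_rules(alerts, analysts)
    rules_by_host = defaultdict(set)
    for rule, src, dst, port in alerts:
        if rule in noisy or verdict(src, dst, port) != "suspect":
            continue
        rules_by_host[src].add(rule)
    escalate = {host: sorted(rules) for host, rules in rules_by_host.items() if len(rules) >= 2}
    return escalate, noisy

if __name__ == "__main__":
    hosts, held_back = triage(ALERTS)
    print("rules held back for review:", sorted(held_back))
    print("hosts needing action:", hosts)
```

With one analyst the 400-hit rule is held back and only the host with two corroborating rules is escalated; raising the analyst count to five lets the rule through again, which is the tuning knob a team would set from its real capacity.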