The true cost of false positives

Implement a structured response with automated systems to bring down the cost of chasing false positives, says Brian Foster.


One of the toughest tasks for any IT security team is managing the high volume of security alerts that deluge them on a daily basis. And the odds seem stacked against them.

On one side are the attackers, who choose their moment and face no deadline or budget. On the other are the security teams, limited in both staffing and budget, deciding which security alerts deserve investigation. With the severity and frequency of attacks growing, it calls for a re-think of how to sift the real threats from tens of thousands of false alarms.

The stakes surrounding the decision on which alerts to investigate are high: get it wrong and you risk taking devices offline, and therefore incurring business downtime, for no reason. Conversely, failing to detect an active infection, and any consequent data breach, can have far more serious ramifications.

The figures make for sobering reading: an organisation in a typical week can receive an average of 17,000 alerts. Security teams simply don't have the time or staff to chase down every one, and manually corroborating evidence takes time. If teams are ever going to get the edge over the attackers, there needs to be a more systematic, policy-driven and automated response to threat detection.

To put the impact of this challenge into context, we only have to look at the financial cost of chasing down erroneous alerts. A recent report from the Ponemon Institute revealed that organisations can spend 395 man hours a week – which equates to a cost of £860,000 a year – chasing false positives. This means that not only are security teams consumed by activity which poses no threat to their data, but they are also distracted from dealing with threats that can lead to compromise. At the same time, advanced threats are slipping through the net and lingering undetected. It prompts the question: what measures can be put in place to help teams make the best use of their resources and weed out the true infections from false positive malware alerts?


Targeting the ‘true positives'

· Automated malware detection

With skilled staff in finite supply, it's a case of allocating your resources effectively. A critical component of this is to automate what you can. In today's rapidly evolving threat landscape, we simply can't rely on intensely manual activities for threat detection or intelligence gathering. Technology that helps organisations to automatically detect an infection hidden in the network reduces the scope for human error, removes labour-intensive activities and can also significantly reduce the response time. Organisations that have such tools in place report that, on average, 60 percent of malware containment requires no human input or intervention.

· Implement a structured response

Additionally, organisations need to develop and implement a framework for dealing with threats, ideally with one person or function overseeing the process. The emphasis needs to be on building a forward-thinking breach readiness strategy, rather than an ad-hoc approach to containment. A structured approach that incorporates automated tools, with clear rules for what is contained automatically and what is escalated to an analyst, makes the best use of scarce staff.

· Is your intel intelligent?

An effective threat response process falls down if it's based on unreliable evidence. It's important to remember that, on its own, an alert is simply an uncorroborated artefact from system log data: one sensor's claim that something looks suspicious. In much the same way that the prosecution in a court of law must prove its case 'beyond reasonable doubt', corroborating evidence from independent sources is needed before an alert can be treated as a 'true positive' infection and acted upon.
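The following is an added illustration of the two points above, the policy-driven automated response and the corroboration of alerts, and is not Damballa's code or a description of any product. It assumes a hypothetical set of alert kinds grouped into independent evidence classes (endpoint, network, external intel) and a containment policy that only fires when at least two independent classes agree; the alerts themselves are constructed for the example.

```python
"""Corroboration-based alert triage (added example, not Damballa's code).

An alert is treated as an uncorroborated artefact: one sensor's claim.
A host is only declared a 'true positive' and contained automatically
when independent evidence classes agree; a single class, however many
alerts it raises, is queued for an analyst instead.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical alert kinds mapped to the evidence class they belong to.
# Two alerts from the same class corroborate nothing: a repeated
# antivirus signature hit is still one witness, not two.
EVIDENCE_CLASSES = {
    "av_signature": "endpoint",      # AV/EDR on the host itself
    "edr_behaviour": "endpoint",
    "dns_dga": "network",            # DNS/proxy telemetry from the network
    "proxy_c2_beacon": "network",
    "threat_intel_ip": "intel",      # external reputation feeds
}


@dataclass(frozen=True)
class Alert:
    host: str
    kind: str          # key of EVIDENCE_CLASSES
    confidence: float  # sensor-reported confidence, 0..1


def corroborate(alerts, min_confidence=0.5):
    """Return {host: set of independent evidence classes} for every host
    that has at least one alert at or above min_confidence.

    Low-confidence alerts are dropped before they can count as a witness,
    so a flood of weak hits from one sensor cannot manufacture agreement.
    """
    witnesses = defaultdict(set)
    for a in alerts:
        if a.kind not in EVIDENCE_CLASSES:
            raise ValueError(f"unknown alert kind: {a.kind}")
        if a.confidence < min_confidence:
            continue
        witnesses[a.host].add(EVIDENCE_CLASSES[a.kind])
    return dict(witnesses)


def triage(alerts, min_confidence=0.5, contain_at=2):
    """Apply the response policy and return {host: verdict}.

    contain : >= contain_at independent classes agree -> automated containment
    review  : some evidence, but from a single class -> analyst queue
    noise   : nothing above min_confidence -> no human time spent
    """
    witnesses = corroborate(alerts, min_confidence)
    verdicts = {}
    for host in {a.host for a in alerts}:
        classes = witnesses.get(host, set())
        if len(classes) >= contain_at:
            verdicts[host] = "contain"
        elif classes:
            verdicts[host] = "review"
        else:
            verdicts[host] = "noise"
    return verdicts


# Constructed sample alerts for the example (not real telemetry).
SAMPLE_ALERTS = [
    # ws-042: endpoint AND network agree -> contain
    Alert("ws-042", "av_signature", 0.90),
    Alert("ws-042", "dns_dga", 0.80),
    Alert("ws-042", "proxy_c2_beacon", 0.70),
    # ws-017: three alerts, but all from the endpoint class -> review
    Alert("ws-017", "av_signature", 0.90),
    Alert("ws-017", "av_signature", 0.95),
    Alert("ws-017", "edr_behaviour", 0.60),
    # ws-099: one weak reputation hit below threshold -> noise
    Alert("ws-099", "threat_intel_ip", 0.30),
    # srv-db1: network AND external intel agree -> contain
    Alert("srv-db1", "dns_dga", 0.90),
    Alert("srv-db1", "threat_intel_ip", 0.60),
]

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_ALERTS).items()):
        print(f"{host:8s} {verdict}")
```

The point of the structure is that the policy (how many independent witnesses justify automated containment, and how weak an alert may be before it is ignored) is a parameter that the person or function overseeing the response process owns, while the mechanics of counting witnesses run without an analyst. Raising `contain_at` to 3 turns the two "contain" verdicts above into "review", which is the knob to tune when the cost of a wrongly contained device is higher than the cost of an analyst's time.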

· Threat intelligence sources

Finally, organisations should assess where they obtain their threat intelligence. From Ponemon's research, 69 percent of organisations use vendor-supplied information as their main source of threat intelligence, while 64 percent use peer-to-peer communications. Government and law enforcement are rarely the source. Yet, given the amount of time organisations spend chasing false positives, it may be time to reconsider these sources and weigh each one by how often its indicators are borne out by corroborating evidence.

Expect the inevitable

The volume and severity of threats is increasing every year, making it more important than ever to be equipped with the right intelligence to detect active infections swiftly. Using automated detection tools, implementing a response framework and corroborating evidence to home in on the true positives can all help to ensure that organisations not only minimise their risk but also make the best use of their skilled teams' time.

Contributed by Brian Foster, CTO, Damballa