Drowning in data: More than a quarter of security alerts are false positives

News by Mark Mayne

Better data, not more data, is required: in some cases security monitoring tools are producing more than 50 percent false positives, according to new research.

Organisations are operating increasingly complex networks with a widening range of tools to monitor them, and those tools are producing large percentages of false positives: more than half of all alerts in some cases, with the average false positive rate at just over a quarter.

According to new research, more than two-fifths (43 percent) of organisations experience false-positive alerts in more than 20 percent of cases, while 15 percent reported that more than half of their security alerts are false positives. On average, respondents indicated that 26 percent of alerts fielded by their organisation are false positives.

Rodney Joffe, senior vice president, senior technologist and fellow, Neustar, told SC Media UK: “False positives are a recurring challenge across the cyber-security industry and result in a significant burden for security teams. With cyber-security professionals reporting that over a quarter of alerts are, in fact, false positives, it’s clear more needs to be done to equip those in key roles with the correct tools and processes to correctly decipher large amounts of data.”

Part of the challenge identified by the researchers is that as enterprises are investing significant resources in network monitoring and threat intelligence technologies, the complexity of networks increases. Researchers found that two fifths of organisations have seven or more tools in place to generate security alerts and 21 percent are using more than ten.

“While it’s encouraging that more companies are investing in detection tools than ever before – two fifths have seven or more tools in place that generate alerts according to our research – ensuring that these potential threats can be contextualised quickly is a fundamental next step. This is why curated threat data is key, providing teams with the ability to separate the real threats from the false ones in a timely manner”, continued Joffe. 

“This, coupled with implementing a zero trust model to constantly analyse and provide feedback on data to understand and refine detection processes, ultimately reduces the risk of information overload and the burnout associated with false positives.”

The latest Neustar International Security Council report indicates that threats are continuing their steady upward trajectory across vectors, with the International Cyber Benchmarks Index, an overall measure of the cyber-security landscape, reaching a new high of 29.8 in January 2020.
