With cyber-attacks showing no sign of abating, organizations cannot afford to spend valuable time chasing false security alerts. SOCs should devise ways to minimize the time they spend chasing them down.
Cyber-attacks are advancing at an unprecedented pace. In fact, enterprises have faced more attacks in the last two years than ever before, which means they must spend their valuable time and resources identifying and chasing the attacks that can have a drastic impact on their infrastructure. However, recent studies have shown that security operations centers (SOCs) are wasting time and effort chasing threats that turn out to be benign.
According to Netsparker’s whitepaper titled “How Netsparker Generates Proof to Avoid False Positives”, SOCs waste nearly 10,000 hours and US $500,000 annually validating unreliable and incorrect vulnerability alerts. And that is not the end of it.
Another study, “Reaching the Tipping Point of Web Application and API Security”, carried out by Enterprise Strategy Group (ESG), found that organizations receive an average of 53 alerts a day from their web application and API security solutions, of which 45% are false positives. Survey respondents reported that false positives are having a negative impact on security team operations.
As a SOC’s main responsibility is to monitor security events and to investigate and respond to them in a timely manner, wasting hundreds or thousands of hours on alerts with no threat significance hampers its ability to respond efficiently and effectively to real threats. Even though false positives cannot be eliminated entirely, there are still a few steps SOCs can take to reduce the time spent chasing them.
Concentrating on threats that matter
SOCs should understand that security tools accumulate large volumes of log data that is not necessarily relevant from a threat standpoint for their environment. They should also take time to observe what a true indicator of compromise looks like in their environment. Therefore, before configuring and tuning alerting tools, SOCs should establish rules and behavioral baselines that alert on threats relevant to their environment.
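One way to put this into practice, as an added example that is not from the article or from any particular product: a toy detection pipeline in Python that keeps only the fields its rule needs at ingest, suppresses a source the environment already knows to be benign (a constructed vulnerability-scanner address), and enriches only the alerts that survive with asset context. The log lines, threshold, window, allowlist and asset inventory are all constructed for illustration.

```python
import json
from collections import deque
from datetime import datetime, timedelta

# Fields the rule below actually needs; everything else is dropped at ingest.
RULE_FIELDS = ("ts", "event", "src", "host")
# Constructed: the environment's own vulnerability scanner, known to trip auth rules.
KNOWN_BENIGN_SOURCES = {"10.0.0.200"}
# Constructed asset inventory, consulted only after a rule has matched.
ASSET_INVENTORY = {
    "web01": {"owner": "web-team", "criticality": "high"},
    "lab03": {"owner": "research", "criticality": "low"},
}
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def constructed_log_lines():
    """Build a small constructed batch of JSON log lines (not real data)."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    rows = []

    def add(sec, event, src, host, user):
        rows.append(json.dumps({
            "ts": (base + timedelta(seconds=sec)).strftime(TS_FORMAT),
            "event": event, "src": src, "host": host, "user": user,
            "user_agent": "constructed/1.0",   # irrelevant to the rule
        }))

    for i in range(5):            # burst of failures from one source
        add(i * 2, "auth_fail", "10.0.0.5", "web01", "alice")
    for i in range(6):            # the known scanner tripping the same rule
        add(i, "auth_fail", "10.0.0.200", "lab03", "svc-scan")
    for i in range(5):            # slow trickle, one failure every three minutes
        add(i * 180, "auth_fail", "10.0.0.7", "web01", "bob")
    add(30, "auth_ok", "10.0.0.5", "web01", "alice")
    return rows


def parse_minimal(line):
    """Parse one line and keep only the fields the detection rule consumes."""
    raw = json.loads(line)
    event = {k: raw[k] for k in RULE_FIELDS}
    event["ts"] = datetime.strptime(event["ts"], TS_FORMAT)
    return event


def detect_auth_failure_bursts(events, threshold=5, window=timedelta(seconds=60),
                               suppress=KNOWN_BENIGN_SOURCES):
    """Alert once per source that logs `threshold` failures inside `window`."""
    recent = {}        # src -> deque of recent failure timestamps
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] != "auth_fail" or ev["src"] in suppress:
            continue
        q = recent.setdefault(ev["src"], deque())
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({"rule": "auth_fail_burst", "src": ev["src"],
                           "host": ev["host"], "count": len(q),
                           "last_seen": ev["ts"].strftime(TS_FORMAT)})
    return alerts


def enrich(alert, inventory=ASSET_INVENTORY):
    """Attach asset context only to alerts that have already fired."""
    asset = inventory.get(alert["host"], {"owner": "unknown", "criticality": "unknown"})
    return {**alert, "asset": asset}


def run_pipeline(lines):
    events = [parse_minimal(line) for line in lines]
    return [enrich(a) for a in detect_auth_failure_bursts(events)]


if __name__ == "__main__":
    for alert in run_pipeline(constructed_log_lines()):
        print(json.dumps(alert))
```

Run as-is, the pipeline emits a single alert for 10.0.0.5 against the high-criticality host; the scanner's burst is suppressed by the allowlist, and the slow trickle from 10.0.0.7 never fills the window. The enrichment lookup runs only for that one alert rather than for every ingested event, which is the point of keeping the detection path lean and enriching afterward.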
Not falling for the base rate fallacy
Security practitioners often rely on their vendor’s claims about false-positive rates. But a vendor’s claim that a SOC tool has a false positive rate of just 1% does not mean that the probability of an alert being a true positive will be 99%; that depends on how rare real attacks are among the events the tool inspects. Therefore, it is crucial that the security provider has detection rules in place that are tuned to decrease false positives, and that the initial investigation of alerts is automated as much as possible. SOCs should also resist the urge to feed more data than is required into their detection engines. Instead, they should ensure that only the data required to process the detection rules goes in, leaving the other data for automated enrichment afterward.
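The arithmetic behind this point, as an added worked example that is not part of the article: it takes a detector's false-positive and detection rates together with the base rate of real attacks among inspected events (all constructed values here) and computes how many alerts are actually true positives, plus the base rate the "1% false positives means 99% of alerts are real" reading silently assumes.

```python
"""Base-rate arithmetic for security alerts.

Added example (not from the article): works out what a vendor's stated
false-positive rate actually means for the analyst looking at an alert.
The detector figures and base rates below are constructed for illustration;
plug in measured numbers from your own environment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DetectorStats:
    false_positive_rate: float  # P(alert | benign event)
    detection_rate: float       # P(alert | malicious event), a.k.a. sensitivity


def alert_precision(stats: DetectorStats, prevalence: float) -> float:
    """P(malicious | alert) by Bayes' rule.

    prevalence is the fraction of inspected events that are actually
    malicious (the base rate), which the vendor's figure says nothing about.
    """
    if not 0.0 <= prevalence <= 1.0:
        raise ValueError("prevalence must be a probability")
    true_alerts = stats.detection_rate * prevalence
    false_alerts = stats.false_positive_rate * (1.0 - prevalence)
    total = true_alerts + false_alerts
    return true_alerts / total if total else 0.0


def prevalence_for_precision(stats: DetectorStats, target: float) -> float:
    """Base rate at which alert_precision() would reach `target`.

    Solves target = d*p / (d*p + f*(1-p)) for p.
    """
    d, f = stats.detection_rate, stats.false_positive_rate
    return target * f / (d * (1.0 - target) + target * f)


def expected_daily_alerts(stats: DetectorStats, prevalence: float,
                          events_per_day: float) -> tuple[float, float]:
    """Return (true alerts, false alerts) the SOC should expect per day."""
    malicious = events_per_day * prevalence
    benign = events_per_day - malicious
    return malicious * stats.detection_rate, benign * stats.false_positive_rate


if __name__ == "__main__":
    vendor = DetectorStats(false_positive_rate=0.01, detection_rate=0.99)
    for base_rate in (0.5, 0.01, 0.001):  # constructed base rates
        tp, fp = expected_daily_alerts(vendor, base_rate, 100_000)
        print(f"base rate {base_rate:>6}: precision {alert_precision(vendor, base_rate):.1%}, "
              f"~{tp:.0f} true vs ~{fp:.0f} false alerts/day")
    print(f"99% precision needs a base rate of {prevalence_for_precision(vendor, 0.99):.0%}")
```

With the constructed 1% false-positive and 99% detection rates, an alert is 99% likely to be real only when half of all inspected events are malicious; at a base rate of one malicious event in a thousand, roughly nine alerts in ten are false, which is why tuning rules to the environment matters more than the vendor's headline figure.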
Hacking their own network
SOC analysts often become more frustrated chasing low-impact security alerts than dealing with false positives. This occurs when security teams seek out code hygiene issues that may never be exploitable in the production application rather than focusing on issues with a material business impact. Therefore, instead of concentrating on theoretical threats and incidents, organizations should conduct breach tests on their own systems. This allows them to verify whether exploitable vulnerabilities actually exist and can be compromised. Conducting such tests and verification also builds trust and credibility between DevOps and security operations teams.