Eliminating Cyber Security “False Positives” within the SOC


Present-day organizations must deal with a virtual hurricane of security alerts on a daily basis. In a recent survey, 10% of the SOC team respondents reported that they dealt with more than 15,000 alerts every day, and approximately 33% reported that their daily total exceeds 1,000 alerts. A study done by the Ponemon Institute found that 37% of the respondents faced more than 10,000 daily alerts, with 52% of them being false positives. False positives can cost an organization tens of thousands of wasted hours, which can easily be the equivalent of more than $1.25 million each year.

However, the costs of these alerts can be substantially higher if real security threats are missed because staff members are overcome with frustration and, in essence, pushed into looking for a needle in a haystack. We all know that the majority of marketing today promises to solve all your problems if you would only buy their product…

We’ve all heard it before: the point-solution era is simply over and done with. Let it die gracefully.

Reducing the number of false positives and efficiently handling the ones that are still generated have become top priorities for many organizations. However, without a capable blueprint or playbook, these two goals might as well be added to a “wish list” that never becomes reality. Here is helpful advice on how to slash the number of false positives inundating your staff, as well as perspective on how to handle them in the most efficient and effective manner.

1. Have each playbook (we will soon open source) or script your team deploys with your SIEMs reviewed by your teammates or industry wizards at www.IncidentResponse.com before adding it to your system. The more “eyes” examining the proposed playbook, script or configuration, the less likely it is to generate false positives.

2. Confirm the rules and configuration settings of your security stack as silent rules before committing them to final status. This allows you to determine whether the configurations generate false positives without interfering with the legitimate operations of the organization. For example, if you are adding a blocking rule within a playbook, you want to make sure that employees or the management team are not denied legitimate access because their actions inadvertently triggered a false positive.

3. Run additional iterations if the rule triggers false positives. Modify the rule or divide it into multiple rules with greater specificity. Keep testing as a silent rule until the rule returns no false positives.

4. Build relationships with other departments so that you can develop rules or playbooks to handle special situations. For example, if your company’s website normally processes 1,000 hits per minute, you need to know if marketing plans a national television campaign that is expected to generate 500,000 hits within a few minutes of the ad’s airing; the sudden burst of activity could be interpreted by a rule as a denial-of-service attack, and if blocking resulted, the money spent on the campaign could be wasted.

5. Be careful when writing rules or playbooks that rely on wildcards, especially if the string contains commonly used words. One example would be a line of PHP code designed to protect against SQL injection. The code may contain words such as “Select,” “From” or “Where.” If the playbook is designed to block instances where these words appear, false positives will likely occur.

6. Automate your incident response. CyberSponse’s CyOps is the first enterprise platform for automating and consolidating your team’s incident response and security operations efforts. The platform handles many of the mundane tasks that are currently taking so much of your staff’s time and causing major burnout and turnover. This frees your analysts for more important tasks, including a thorough evaluation of false negatives and important events.

7. Practice proactive hunting. According to an analyst with Bank of America, there are around 400 new threat events or types per minute in the United States alone, and 70% of them go undetected. Instead of relying on information on known threats or signatures — which may not be disseminated for weeks or even months after a new threat appears, hence “zero day” — experienced Tier 3 SOC team members should hunt for anomalies and suspicious behavior to limit exposure and mitigate damages.

As the number of alerts continues to increase, eliminating false positives and developing new methods and playbooks for handling them will become increasingly critical to any team’s survival. Although the effort of playbook development may seem overwhelming at first, the right combination of strategy, personnel, automation and tools can provide results that save your organization from high turnover, burnout and large amounts of wasted time, all while strengthening its defenses.

To learn more about building playbooks and automating your workload, schedule a demo today by clicking here.

About CyberSponse, Inc.
CyberSponse Incorporated, a global leader in cyber security automation and orchestration, helps accelerate an organization’s processes, security operations teams and incident responders. The CyberSponse platform enables organizations to seamlessly integrate, automate and playbook their security tool stack, enabling better, faster and more effective security operations. With a global presence, offering an enterprise platform, CyberSponse enables organizations to secure their security operations teams and environments.
