For every security event, analysts face a difficult choice: devote resources to investigating it or not? Although it may seem wise to err on the side of caution, investigating false positives is expensive both financially and in terms of the people hours spent assessing security events and fine-tuning detection tools (WAF, IDS, etc.).
The Threat of False Positives
Take this common scenario: Your system identifies a threat and the team decides to look into it, only to later determine that it was a false alarm. In and of itself, this incident may not be a big deal. But all of these false positives add up, eating away at your team’s productivity.
The average company investigates 29% of all malware alerts. Around 40% are false positives. This means there was never actually a threat. Rather, some small deviation from normal system patterns was falsely flagged as trouble. Since most companies deal with thousands of threats every week, this 40% false positive rate acts as a major drain on company resources. This forces companies to spend an average of $1.27 million annually and 395 hours per week chasing down false positives. And this is on top of the time spent adjusting the detection tools responsible for filtering out false positives in the first place – leading to an endless and unproductive cycle.
The Hidden Costs
Although $1.27 million is a hefty price tag for time wasted, the true cost is even greater. Think about it: Every moment your team spends chasing down a false positive is a moment they are not addressing actual security concerns or, at the very least, fine-tuning the detection tools that are in place to filter out these cyber security red herrings.
An overabundance of false positives may also have cultural implications. They may create a sense of complacency within your IT team. After all, if the event is probably not a threat, what reason do team members have to be alert and diligent in their investigations? This could potentially compromise your team’s ability to deal effectively with the real thing.
How to Combat the Problem of False Positives
If your organization feels ill-prepared when it comes to differentiating real threats from false positives, you’re not alone. Ponemon found that only 39% of organizations rate their ability to detect threats as “highly effective.” But there are steps you can take to improve your ability to detect the real threats.
It all comes down to your security analysts’ abilities. An unskilled, inexperienced security analyst will waste time chasing shiny objects, unable to differentiate a real threat from a false alarm. To avoid the costs associated with an unnecessary goose chase, your organization needs input from experienced security analysts. These analysts – like those in the Armor SOC – know from extensive experience which threats are the real thing and which ones just aren’t a problem.
You don’t need to waste time and money on false positives. With the right people working with you, it’s possible to reduce the number of false positives without compromising your organization’s security posture.