<p>No cybersecurity team wants to detect a malicious attack and then purposefully ignore it. But alert fatigue caused by too many false positives can lead them into that trap.</p>
<p>Every cybersecurity tool designed to detect attacks makes mistakes. For decades, researchers and vendors have struggled to find ways to improve <a href="https://www.techtarget.com/searchsecurity/definition/threat-detection-and-response-TDR">threat detection</a> accuracy without degrading performance.</p>
<p>Attack detection is a constant balancing act between false negatives — when a tool fails to detect a real attack — and false positives — when a tool incorrectly identifies benign activity as an attack. Techniques that reduce false negatives tend to increase false positives. Get out of balance, and the false negatives can degrade security team operations.</p>
<p>Cybersecurity technologies that might generate false positives for attack detection include antimalware, <a href="https://www.techtarget.com/searchsecurity/feature/How-to-avoid-phishing-hooks-A-checklist-for-your-end-users">antiphishing</a>, security information and event management, intrusion detection and intrusion prevention systems, data loss prevention, firewalls, and endpoint detection and response.</p>
<p>CISOs should understand the prevalence of false positives across cybersecurity tools. With this knowledge, they can set a strategy for how security teams reduce those alerts while still recognizing authentic threats. Best practices, such as tuning thresholds to match expected operations within the IT ecosystem, make a big difference.</p>
<section class="section main-article-chapter" data-menu-title="Why we see more false positives">
<h2 class="section-title"><i class="icon" data-icon="1"></i>Why we see more false positives</h2>
<p>Given the <a href="https://www.techtarget.com/searchsecurity/tip/6-common-types-of-cyber-attacks-and-how-to-prevent-them">variety and complexity of attacks</a>, false positives are inevitable. Relatively few attacks are immediately and conclusively recognizable as malicious. Exploit kits and other attacker tools have made it quick and easy for anyone to generate customized, unique attacks. While tools can identify characteristics of common attack types, the <a href="https://www.techtarget.com/searchsecurity/tip/How-AI-malware-works-and-how-to-defend-against-it">infusion of AI into attackers’ toolkits</a> has greatly increased the customization of attacks.</p>
<p>With attacks more difficult to detect, most tools now produce more false positives and fewer false negatives. The true danger is an undetected cybersecurity breach, so security teams prioritize minimizing false negatives.</p>
</section>
<section class="section main-article-chapter" data-menu-title="How false positives impede security teams">
<h2 class="section-title"><i class="icon" data-icon="1"></i>How false positives impede security teams</h2>
<p>False positives can be a significant drain on cybersecurity resources, requiring time and effort to analyze each one before dismissing it. When false positives are too common, they divert analysts from real threats.</p>
<p>In some tools, real and false positives automatically trigger actions to stop the observed activity. When this occurs without a true threat, it can damage the security program’s credibility.</p>
<p>Analysts tend to ignore false positives that occur frequently over time. It’s natural to assume that an alert that was harmless in the past can be safely disregarded in the future. Next time, however, that assumed false positive could be a legitimate cyberattack.</p>
</section>
<section class="section main-article-chapter" data-menu-title="How to reduce false positives">
<h2 class="section-title"><i class="icon" data-icon="1"></i>How to reduce false positives</h2>
<p>Don’t try to eliminate false positives entirely. Even if it were possible, it would significantly increase false negatives. To reduce false positives as much as reasonable, update detection tools, layer capabilities for the best performance and fine-tune alert thresholds.</p>
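<p>The threshold trade-off described above, as an added example that is not from the article: a hypothetical failed-login rule is swept across candidate thresholds on constructed, labelled events so the false-positive and false-negative counts can be compared, and a per-source baseline then raises the threshold for a source whose noise is expected, which is what tuning to the IT ecosystem's normal operations looks like in practice. The event data, sources and baseline values are all constructed for illustration.</p>

```python
# Added example (not from the article): sweep a hypothetical failed-login
# alert threshold to see the false-positive / false-negative trade-off,
# then raise the threshold per source to match expected operations.

# Constructed sample: (source, failed logins in window, attack ground truth).
EVENTS = [
    ("10.0.0.5", 3, False),      # user mistyping a password
    ("10.0.0.7", 6, False),      # script still using stale credentials
    ("10.0.0.9", 2, False),
    ("10.0.0.11", 8, False),     # service account that retries after every rotation
    ("203.0.113.4", 40, True),   # password spray
    ("203.0.113.9", 12, True),
    ("198.51.100.2", 7, True),   # low-and-slow attempt, close to benign noise
    ("10.0.0.3", 1, False),
]

def evaluate(events, threshold, baselines=None):
    """Return (tp, fp, fn, tn) when alerting on failures >= threshold.
    baselines maps a source to its normal failure count; that source's
    threshold is raised to twice its baseline so expected noise is tolerated."""
    baselines = baselines or {}
    tp = fp = fn = tn = 0
    for source, failures, is_attack in events:
        alerted = failures >= max(threshold, 2 * baselines.get(source, 0))
        if alerted and is_attack:
            tp += 1
        elif alerted:
            fp += 1
        elif is_attack:
            fn += 1
        else:
            tn += 1
    return tp, fp, fn, tn

def sweep(events, thresholds, baselines=None):
    """Map each candidate threshold to (false_positives, false_negatives)."""
    return {t: evaluate(events, t, baselines)[1:3] for t in thresholds}

def pick_threshold(events, thresholds, max_false_negatives=0, baselines=None):
    """Lowest-false-positive threshold whose missed attacks stay within budget."""
    usable = [(fp, t) for t, (fp, fn) in sweep(events, thresholds, baselines).items()
              if fn <= max_false_negatives]
    return min(usable)[1] if usable else None

if __name__ == "__main__":
    for t, (fp, fn) in sweep(EVENTS, [3, 5, 7, 10, 15]).items():
        print(f"threshold {t:>2}: false positives={fp}, false negatives={fn}")
    print("chosen with no misses allowed:", pick_threshold(EVENTS, [3, 5, 7, 10, 15]))
    print("threshold 7 with baseline for 10.0.0.11:", evaluate(EVENTS, 7, {"10.0.0.11": 6}))
```

<p>Raising the threshold from 7 to 10 removes the last false positive but silently drops the low-and-slow attack, whereas the per-source baseline removes the same false positive without that cost.</p>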
<h3>Patch and update tools</h3>
<p>Security operations should maintain the latest patches and updates for attack detection technologies. To improve accuracy, those technologies must use near-real-time <a href="https://www.techtarget.com/searchsecurity/tip/Top-open-source-and-commercial-threat-intelligence-feeds">cybersecurity threat intelligence feeds</a>.</p>
<h3>Focus tools where they’re most accurate</h3>
<p>Deploy layers of attack detection technologies using different detection and analysis methodologies. For example,
[…]