The Dangers of False Positives in Cybersecurity and how to avoid them

17 October 2022 | by Hannah Brice

It’s no secret that the cybersecurity landscape is becoming increasingly complex. With more devices, data, and users, there are more opportunities for bad actors to exploit vulnerabilities. As a result, organisations are placing greater emphasis on security and are investing more resources in detection and prevention tools such as firewalls, intrusion detection systems, intrusions prevention systems or end-point detection and response (EDR).

Your security team is always on high alert too, scanning for potential threats and vulnerabilities. But what happens when those potential threats turn out to be false positives? While a false positive may not seem like a big deal at first, they can actually have a negative impact on your team’s ability to identify and respond to real threats. Here’s what you need to know about false positives and why they’re such a problem for security teams and SOC teams alike.

What is a False Positive?

A false positive is an alert that is generated when there is no actual threat. In other words, it’s a warning sign that turns out to be nothing more than a false alarm. For example, an intrusion detection system (IDS) may generate an alert when it detects suspicious activity on a network. But upon further investigation, the activity turns out to be harmless—a false positive. Often the result of incorrect settings or overzealous security software, they can be extremely frustrating for IT security teams who have to waste time investigating them. 

The Dangers of False Positives

While false positives may seem like harmless nuisances, they can actually have dangerous consequences for IT.

Firstly, there’s the time they waste.  To give you an idea of how common false positives are, research suggests that security teams can receive as many as 1,000 security alerts a day, ranging from poorly written detection software to unrecognised network traffic.  Moreover, an average of 80% of alerts raised are false positives. 

Every time a false positive is generated, your team has to stop what they’re doing to investigate it.   This not only takes them away from their other duties, but it also prevents them from focusing on more pressing issues. In fact, another study found that 75% of businesses spend as much, or more, time chasing false positives than they do dealing with actual security incidents.

Secondly, there’s the impact on morale. False positives can be extremely frustrating for IT security teams who are already working long hours.   Constantly being interrupted and pulled away from their work can lead to burnout and reduce productivity over time. In a recent survey, nearly 60% of respondents said that false positives had a negative impact on their job satisfaction.

Next, there’s the danger of alert fatigue. This is where it becomes harder for teams to distinguish between actual threats and false alarms as the number of false positives increases, and this can lead to them ignoring legitimate alerts or missing critical security incidents altogether.

Finally, there’s the financial cost. In addition to the time and resources that have to be devoted to investigating false positives, businesses can also incur significant financial losses as a result. One study estimates that the annual cost of false positives for businesses is $1.3 trillion.

So, how can CISOs and IT security teams reduce the number of false positives they’re seeing? 

How to reduce or avoid False Positives

Given the dangers of false positives, it’s important to take steps to avoid them. Here are some tips.

Firstly, use multiple detection tools. This will help to reduce the number of false positives, as each tool will have its own unique detection algorithm.  A combination of tools correlating information, such as an extended detection and response platform (XDR) should work. However, even the best XDRs on the market still have a high false positive rate.

You could also increase your visibility into network activity using a combination of activity monitoring, logging, and analytics tools to collect data from all different parts of the network. This should give you a picture of what’s going on and quickly weed out some false positives from actual threats. 

Alternatively, if you wish to simplify things and avoid blowing your budget on multiple tools, Lupovis is a fantastic option. Our high fidelity alerts mean we only notify our customers when there is a genuine threat, thereby eliminating alert fatigue. By placing deceptive decoys inside and outside our customers’ networks, they know as soon as a threat is in the vicinity. 

XDRs, EDRs, threat management platforms – whatever you use: their limited visibility and dependence on overstretched security teams mean breaches still occur and cause damage.  We provide real-time detection both inside and outside a customer’s network and respond instantaneously to the threat by ensuring they’re diverted away from valuable assets, buying security teams valuable time.

We also gather advanced threat intelligence, which encompasses all the interaction information of the intruder, to tell our customers how they can improve their security posture and allows us to create a map of attackers across the internet, to understand the threat landscape overall.

A second method of reducing false positives is to regularly review and update the settings on your security information and event management (SIEM) and EDR toolings to ensure that they’re properly tuned to your environment.  Incorrect settings can often lead to false positives, so it’s important to get them right.

You could even create custom rules, filters and playbooks for your security tools, as the out-of-the-box rules that come with detection tools aren’t always accurate. Or, if you’re seeing a lot of false positives from a particular security vendor, reach out to them and let them know. They may be able to provide you with updated rules or settings that will help to reduce the number of false positives.

Next, use human intelligence. Sometimes humans are better at identifying threats than machines. Security analysts can help to review alerts and investigate potential threats for you.

And, in case all else fails, make sure you have a clear process in place for dealing with false positives. This will help to ensure that they’re dealt with quickly and efficiently, without disrupting the work of your team.

What difference can you see by eliminating false positives?

In other words, why bother? The methods above seem complicated, right? Lupovis is simple, but the other options can be complicated and costly. There are real benefits to making the effort to reduce your false positives, though.

The main upside? You would be able to allocate your team’s time and resources more effectively, as they would no longer be wasting time investigating false positives. This would free up your team to focus on more important tasks, such as identifying and responding to actual threats.

This in turn would mean you can improve your organisation’s overall security posture. By only investigating actual threats, your team can better understand the types of threats you’re facing and how to best defend against them. This increased understanding can help you to better allocate your resources and make your organisation more resilient to attacks.

In conclusion, false positives are a major problem in cybersecurity – one that is only going to get worse as the landscape becomes more complex. CISOs and IT security teams need to be aware of the dangers of false positives and take steps to address them. Otherwise, they run the risk of wasting time and resources chasing ghosts instead of protecting their organisations from real threats. 

17 October 2022 | by Hannah Brice

Speak to an Expert

Whether you have a specific security issue or are looking for more information on our Deception as a Service platform, simply request a call back with one of our security experts, at a time that suits you.