False Positive vs False Negative Alerts in Cyber Security
In a recent survey we asked our LinkedIn audience which MDR capabilities matter most. Over half put false positive reduction at the top of the list. For many, the volume of false positive alerts their MDR/SIEM provider sends to their team is overwhelming.
IT leaders know that some tools generate fewer false positive alerts than others, and often use this as a criterion when searching for a better MDR solution. Reducing false positives is important, but what about the threats that never generate an alert in the MDR platform at all? We call these false negatives: real threats that should have produced an alert but never reach an analyst or your team. Knowing what your provider is doing about both problems gives you a better measure of vendor competency.
What are False Positive Alerts?
False positives are security alerts that indicate a threat when in reality there is none. 75% of companies spend as much time, or more, on false positives as on actual attacks, and every hour spent clearing them is an hour not spent on the real incidents in the same queue.
Mid-size businesses often lack the expertise, staff and tools to review and prioritize the overwhelming volume of alerts produced by SIEM/MDR platforms, and real threats get missed in the noise. Security On-Demand's approach to this big data problem is to look holistically at the threat and data ecosystem to understand how applying different threat detection models reduces false positives.
Security On-Demand addresses this core issue with its ThreatWatch platform, powered by AQ Technology, which serves as the data access interface between the database(s) and the threat models used by the application.
What are False Negative Alerts?
A false negative occurs when the security system fails to identify an actual threat: the malicious activity is present in the data, but no alert reaches an analyst. Note the distinction from the other failure mode. When a scanner, Web Application Firewall (WAF), or Intrusion Prevention System (IPS) flags a vulnerability that your organization does not actually have, that is a false positive, not a false negative.
False negatives are the more dangerous of the two, because an attack that produces no alert is effectively concealed: nothing prompts anyone to look, and malicious parties can work against your organization's data undisturbed. They are also harder to measure than false positives, since by definition the missed activity never appeared in the alert queue; they surface through red-team or attack-simulation exercises, threat hunting, and post-incident review rather than from the platform's own dashboards.
These advanced, unknown threats are usually overlooked by rules-based tools (e.g. a SIEM running static correlation rules). Rules-based tools rely on IOCs, signatures and threat intel to search for known threats: if activity does not match a rule's exact criteria, no alert is generated. An MDR platform with threat analytics, by contrast, can identify unknown threats and abnormal behavior, generating alerts on suspicious activity that has never been seen before.
Behavioral alerts are more powerful because they do not depend on a hand-written rule set for each individual system. Instead, the platform learns a baseline from logged activity: which systems and accounts each user normally interacts with, from where, and at what times. Deviations from that baseline generate alerts even when no known IOC is involved. The trade-off is that a baseline must be learned before it is useful, and a poorly tuned baseline produces false positives of its own, so behavioral analytics complements rules and threat intel rather than replacing them.
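The following added example illustrates the contrast above in code; it is not Security On-Demand or ThreatWatch code, and every login event, IP address and the one-entry IOC list in it is constructed for the illustration. A rules-based detector (IOC match, failed-login threshold) and a behavioral detector (per-user baseline of source IPs and login hours) are run over the same day of events, and the comparison shows what each one misses.

```python
"""Rules-based vs behavioral detection over constructed login events.

Added illustration for this article; not Security On-Demand / ThreatWatch code.
The event tuples, IP addresses and IOC list below are made up (hypothetical).
"""
from collections import defaultdict

# Constructed history used to learn a baseline: (user, source_ip, hour_of_day, outcome).
HISTORY = [
    ("alice", "10.0.0.5", 9, "ok"), ("alice", "10.0.0.5", 10, "ok"),
    ("alice", "10.0.0.7", 11, "ok"), ("alice", "10.0.0.5", 14, "ok"),
    ("bob", "10.0.1.9", 8, "ok"), ("bob", "10.0.1.9", 12, "ok"),
    ("bob", "10.0.1.9", 16, "ok"),
    ("carol", "192.0.2.40", 9, "ok"), ("carol", "192.0.2.40", 13, "ok"),
]

# Hypothetical threat-intel feed: the only "known bad" the rules know about.
IOC_IPS = {"203.0.113.66"}

# Constructed events to evaluate (one day's logins).
TODAY = [
    ("alice", "203.0.113.66", 3, "ok"),  # known-bad IP, off hours
    ("bob", "198.51.100.7", 3, "ok"),    # never-seen IP at 03:00, no IOC
    ("alice", "10.0.0.5", 9, "ok"),      # routine login
    ("carol", "192.0.2.40", 18, "ok"),   # usual IP, working late
] + [("dave", "10.0.2.2", 9, "fail")] * 6  # password guessing; dave has no history


def rule_based(events, iocs, fail_threshold=5):
    """Static rules: IOC match, or N failed logins from one source IP."""
    alerts = []
    fails = defaultdict(int)
    for ev in events:
        _user, ip, _hour, outcome = ev
        if ip in iocs:
            alerts.append(("ioc_match", ev))
        if outcome == "fail":
            fails[ip] += 1
            if fails[ip] == fail_threshold:  # fire once, on the Nth failure
                alerts.append(("brute_force", ev))
    return alerts


def build_profiles(history):
    """Learn, per user, the source IPs and hour window seen in successful logins."""
    profiles = {}
    for user, ip, hour, outcome in history:
        if outcome != "ok":
            continue
        prof = profiles.setdefault(user, {"ips": set(), "hours": []})
        prof["ips"].add(ip)
        prof["hours"].append(hour)
    for prof in profiles.values():
        # One hour of slack either side so a slightly early or late login is not a deviation.
        prof["window"] = (min(prof["hours"]) - 1, max(prof["hours"]) + 1)
    return profiles


def behavioral(events, profiles, min_score=2):
    """Count baseline deviations per event; alert when the count reaches min_score."""
    alerts = []
    for ev in events:
        user, ip, hour, _outcome = ev
        prof = profiles.get(user)
        if prof is None:
            continue  # no baseline for this user: nothing to compare against
        reasons = []
        if ip not in prof["ips"]:
            reasons.append("new_ip")
        lo, hi = prof["window"]
        if not lo <= hour <= hi:
            reasons.append("off_hours")
        if len(reasons) >= min_score:
            alerts.append(("+".join(reasons), ev))
    return alerts


def compare(history, today, iocs):
    """Which events each detector alerts on; the differences are each one's blind spots."""
    rules = {ev for _, ev in rule_based(today, iocs)}
    behav = {ev for _, ev in behavioral(today, build_profiles(history))}
    return {"rules_only": rules - behav, "behavioral_only": behav - rules, "both": rules & behav}


if __name__ == "__main__":
    for bucket, events in compare(HISTORY, TODAY, IOC_IPS).items():
        print(bucket, sorted(events))
```

Bob's 03:00 login from an address on no intel list is the false negative of the rules-based detector: it matches no IOC and no threshold, so it is silent, while the baseline flags it as both a new IP and an off-hours login. Dave's password guessing shows the reverse gap: with no login history there is no baseline, so only the failed-login rule catches it. Carol's late login from her usual address is the false-positive lever: it deviates on one attribute only, which stays below `min_score`, so the baseline does not page anyone for a user working late. Raising or lowering that threshold is exactly the trade between the two error types the article discusses.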
How to Find False Positive and Negative Alerts Quickly
Security On-Demand’s ThreatWatch Managed Detection and Analytics service uses advanced threat analytics, machine learning, and our big data AQ engine to find the unknown advanced threats that are typically false negatives in other platforms. Our analytics-enabled platform also validates most alerts before they reach a SOC analyst for further review, which leaves our customers with significantly fewer false positives, so you can focus on the alerts that matter most.
Implementing an advanced MDR tool like ThreatWatch dramatically reduces both false positives and false negatives in your environment, which saves your team both time and money.
To learn more about how Security On-Demand’s ThreatWatch solution can benefit your organization, schedule a demo here.
About Security On-Demand
Security On-Demand (SOD) provides 24×7 advanced cyber-threat detection services for mid-market companies and state or local government agencies. SOD’s patented, behavioral analytics technology platform, ThreatWatch® enables the detection of advanced threats that help protect brand value and reduce the risk of a data breach. Headquartered in San Diego, California with R&D offices in Warsaw Poland, SOD services and protects hundreds of brands globally and is the winner of multiple industry awards. Please visit us at www.securityondemand.com. Find us on LinkedIn and follow us on Twitter @SecurityOnDmand.