Eliminating Cybersecurity “False Positives” Within Your SOC
Present-day organizations must deal with a virtual hurricane of security alerts on a daily basis. In a recent survey, 10% of the SOC Team respondents reported that they dealt with more than 15,000 alerts every day and approximately 33% reported that their daily total exceeds 1,000 alerts. A study done by the Ponemon Institute found that 37% of the respondents faced more than 10,000 daily alerts, with 52% of them being false positives. False positives can cost an organization tens of thousands of wasted hours, which can easily be the equivalent of costing more than $1.25 million each year.
However, the costs of these alerts can be substantially more if frustrated staffers miss real security threats. We’ve all heard it before: the point solution era is simple over and done with. Let it die gracefully!
Compressing the number of false positives and efficiently handling them are top priorities for many organizations. However, without a capable blueprint or playbook, you may as well add these goals to a “wish list” that never becomes reality. Here is helpful advice on how to slash the number of false positives inundating your staff.
How to eliminate “false positives” within your SOC
Have each playbook (we will soon open source) or scripts you team deploys with your SIEM’s reviewed by your teammates or industry wizards at www.IncidentResponse.com before adding it to your system. The more “eyes” examining the proposed playbook, script or configuration, the less likely it will generate false positives.
Confirm the rules and configuration settings of your security stack as silent rules before committing them to final status. This allows you to determine whether the configurations are generating false positives without interfering with legitimate operations of the organization. For example, if you are adding a blocking rule within a playbook, you want to make sure that employees or management team are not denied legitimate access because their actions inadvertently triggered a false positive.
Run additional iterations if the rule triggers false positives: Modify the rule or divide it into multiple rules having greater specificity. Keep testing as a silent rule until the rule returns no false positives.
Build relationships with other departments so that you can develop rules or playbooks to handle special situations. For example, if your company’s website normally processes 1,000 hits per minute, you need to know if marketing plans a national television campaign that would generate 500,000 hits at once. The sudden burst of activity could be interpreted by a rule as a denial-of-service attack, and if blocking resulted, the money spent on the campaign could be wasted.
Be careful when writing rules or playbooks that rely on wildcards, especially if the string contains commonly used words. One example would be a line of PHP code designed to protect against SQL injections. The code may contain words such as “Select,” “From” or “Where.” If you design the playbook to block instances where these words appear, false positives will likely occur.
Automate your incident response: CyberSponse’s CyOps is the first enterprise platform for automating and consolidating your team’s incident response and security operation efforts. The platform handles many of the mundane tasks that are currently taking so much of your staff’s time and causing major burnout and turnover. This frees your analysts for more important tasks, including a thorough evaluation of false negatives and important events.
Practice proactive hunting: According to an analyst with Bank of America, there are amongst 400 new threats events or types per minute in just the United States. 70% of these go undetected. Instead of relying on the information on known threats or signatures — which may disseminate for weeks or even months after a new threat appears, hence “zero-day” — experienced Tier 3 SOC team members should hunt for anomalies and suspicious behavior to limit exposure and mitigate damages.
As the number of alerts continues to increase, erasing false positives and developing new methods and playbooks for handling them will become increasingly critical to any team’s survival. Although the effort of playbook development may seem overwhelming at first, the right combination of strategy, personnel, automation, and tools can provide results that save your organization from high turnover, burnout, and a large amount of time all while strengthening its defenses.
To learn more about building playbooks and automating your workload, schedule a demo today by clicking here.