
Security alerts: What's the best way to reduce false positives?

False positive security alerts are troublesome, costly and time-consuming. Expert Kevin Beaver explains how to reduce the number of false positives.

A recent IDC study revealed that more than half of the security alerts an organization receives are false positives, and that it can take up to a day to address those alerts. Besides additional staff (which isn't in the budget), what are the best ways to reduce false positives?

Too much information -- or bad information -- is the bane of security's existence. IDC's finding about false positive security alerts is not all that different from the noise generated by common network and Web vulnerability scanners, or from the clamor that accompanies every newly published security flaw. You end up drinking from a fire hose and -- if you're not careful -- you get caught up in the minutiae of security management and oversight and end up suffering the very breach you're trying to prevent. This is especially true if you're among the 40% of respondents who, according to the report, manually review each alert.

You have to have good information in order to make sound decisions about enterprise security. Spend as much time as possible up front documenting your security monitoring and alerting needs: what you need to watch, which events actually warrant an alert and who is expected to act on them. Then be patient and spend the time required (i.e., several months, a year or even longer) fine-tuning your tools (security information and event management systems, log analytics, intrusion prevention systems, antimalware, among others) so that you get the most out of them. You will never eliminate false positives entirely, but you can drive their number down over time.
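The tuning loop described above is easier to sustain when it is driven by data rather than by gut feel. The following is an added example, not code from the article or from any product it mentions: analysts record a verdict on each alert, the script measures the precision of each detection rule, flags (rule, source) pairs that have never produced anything but false positives, and applies those suppressions to the next batch. All rule names, hostnames, addresses and the sample alerts are constructed for illustration; "scanner01" stands in for an assumed authorized vulnerability scanner and "build-agent-2" for an assumed CI host.

```python
"""Alert-tuning feedback loop driven by analyst verdicts.

Added example, not from the original article. Every rule name, host and
alert below is constructed; nothing here is taken from a real environment.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Alert:
    rule: str     # detection rule that fired (constructed names)
    src: str      # source host or address the rule fired on
    verdict: str  # analyst disposition: "tp", "fp", or "" if not yet reviewed


# Constructed sample: one week of triaged alerts. "scanner01" is an assumed
# authorized vulnerability scanner; "build-agent-2" an assumed CI host that
# handles the EICAR test file. Neither is mentioned in the article.
TRIAGED = [
    Alert("ips.port_scan", "scanner01", "fp"),
    Alert("ips.port_scan", "scanner01", "fp"),
    Alert("ips.port_scan", "scanner01", "fp"),
    Alert("ips.port_scan", "203.0.113.7", "tp"),
    Alert("av.eicar_test", "build-agent-2", "fp"),
    Alert("av.eicar_test", "build-agent-2", "fp"),
    Alert("siem.brute_force", "10.0.5.20", "tp"),
    Alert("siem.brute_force", "10.0.5.20", "fp"),
    Alert("siem.brute_force", "198.51.100.4", "tp"),
    Alert("waf.sqli", "scanner01", "fp"),
    Alert("waf.sqli", "scanner01", "fp"),
    Alert("waf.sqli", "scanner01", "fp"),
    Alert("waf.sqli", "scanner01", "fp"),
    Alert("waf.sqli", "192.0.2.9", "tp"),
]

# Constructed next batch, not yet reviewed by anyone.
NEW_BATCH = [
    Alert("ips.port_scan", "scanner01", ""),
    Alert("ips.port_scan", "203.0.113.50", ""),
    Alert("waf.sqli", "scanner01", ""),
    Alert("waf.sqli", "10.0.8.3", ""),
    Alert("av.eicar_test", "build-agent-2", ""),
]


def rule_precision(alerts: Iterable[Alert]) -> dict[str, tuple[int, int, float]]:
    """Per rule: (true positives, false positives, precision).

    Unreviewed alerts are skipped so they cannot skew the ratio; a rule
    with low precision is the first place to spend tuning effort."""
    counts: dict[str, list[int]] = defaultdict(lambda: [0, 0])
    for a in alerts:
        if a.verdict == "tp":
            counts[a.rule][0] += 1
        elif a.verdict == "fp":
            counts[a.rule][1] += 1
    return {rule: (tp, fp, tp / (tp + fp)) for rule, (tp, fp) in counts.items()}


def suppression_candidates(alerts: Iterable[Alert], min_alerts: int = 3) -> list[tuple[str, str, int]]:
    """(rule, src, count) pairs that fired at least min_alerts times and were
    judged a false positive every single time.

    A single true positive from the same source disqualifies the pair: a
    noisy rule must never be silenced for a source that has also produced
    real hits. min_alerts keeps one-off verdicts from becoming policy."""
    per_pair: dict[tuple[str, str], list[int]] = defaultdict(lambda: [0, 0])
    for a in alerts:
        if a.verdict == "tp":
            per_pair[(a.rule, a.src)][0] += 1
        elif a.verdict == "fp":
            per_pair[(a.rule, a.src)][1] += 1
    return sorted(
        (rule, src, fp)
        for (rule, src), (tp, fp) in per_pair.items()
        if tp == 0 and fp >= min_alerts
    )


def apply_suppressions(alerts: Iterable[Alert], suppressions: Iterable[tuple[str, str, int]]) -> tuple[list[Alert], list[Alert]]:
    """Split a batch into (kept, suppressed) using the (rule, src) pairs."""
    silenced = {(rule, src) for rule, src, _ in suppressions}
    kept = [a for a in alerts if (a.rule, a.src) not in silenced]
    suppressed = [a for a in alerts if (a.rule, a.src) in silenced]
    return kept, suppressed


if __name__ == "__main__":
    for rule, (tp, fp, p) in sorted(rule_precision(TRIAGED).items()):
        print(f"{rule:18} tp={tp} fp={fp} precision={p:.2f}")
    cands = suppression_candidates(TRIAGED)
    print("suppress:", cands)
    kept, gone = apply_suppressions(NEW_BATCH, cands)
    print(f"new batch: {len(kept)} kept, {len(gone)} suppressed")
```

Two caveats a practitioner should keep in mind. First, the threshold matters: with the sample data the two EICAR alerts from the CI host fall below `min_alerts=3`, so they keep alerting until there is enough evidence; lower the threshold and they would be suppressed too. Second, every (rule, src) suppression is a blind spot. Silencing the scanner host's port-scan and SQL injection alerts is reasonable only while that host is trusted; if it is compromised, an attacker inherits the exemption, so suppressions should carry an owner and a review date rather than live forever in a config file.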

For these reasons alone, I recommend outsourcing the service entirely to a qualified managed security services provider. These companies and their staff have been down these roads and know their tools better than anyone else. They can provide the extra legwork necessary to filter through the noise and tell you only what you need to know (though defining what matters in your environment, the documentation step above, still falls to you). Otherwise, this is a troublesome task: you'll certainly stay busy, but at quite a cost to your enterprise.


This was last published in July 2015
