A recent IDC study revealed that more than half of the security alerts an organization receives are false positives, and that it can take up to a day to address those alerts. Besides additional staff (which isn't in the budget), what are the best ways to reduce false positives?
Too much information -- or bad information -- is the bane of security's existence. IDC's finding about false positive security alerts is not all that different from the noise generated by common network and Web vulnerability scanners or all the clamor associated with the latest security flaws. You end up drinking from a fire hose and -- if you're not careful -- you'll get caught up in the minutiae of security management and oversight and end up experiencing the very breach you're trying to prevent. This is especially true if you're one of the 40% of people who, according to the report, manually review each alert.
You have to have good information in order to make sound decisions around enterprise security. Spend as much time as possible up front documenting your security monitoring and alerting needs. You're going to have to be patient and spend the time needed (i.e., several months, a year or even longer) fine-tuning your tools (security information and event management systems, log analytics, intrusion prevention systems, antimalware, among others) to ensure you're getting the most out of them. In the end, you're still going to get them, but you can reduce false positives over time.
For these reasons alone, I recommend outsourcing the service entirely to a qualified managed security services provider. These companies and their staff have been down these roads and know their tools better than anyone else. They can provide the extra leg work necessary to filter through the noise and tell you only what you need to know. Otherwise, this is a troublesome task. You'll certainly stay busy, but at quite a cost to your enterprise.
Related Q&A from Kevin Beaver