A recent IDC study revealed that more than half of the security alerts an organization receives are false positives, and that it can take up to a day to address those alerts. Besides additional staff (which isn't in the budget), what are the best ways to reduce false positives?
Too much information -- or bad information -- is the bane of security's existence. IDC's finding about false positive security alerts is not all that different from the noise generated by common network and Web vulnerability scanners or all the clamor associated with the latest security flaws. You end up drinking from a fire hose and -- if you're not careful -- you'll get caught up in the minutiae of security management and oversight and end up experiencing the very breach you're trying to prevent. This is especially true if you're one of the 40% of people who, according to the report, manually review each alert.
You have to have good information in order to make sound decisions around enterprise security. Spend as much time as possible up front documenting your security monitoring and alerting needs. You're going to have to be patient and spend the time needed (i.e., several months, a year or even longer) fine-tuning your tools (security information and event management systems, log analytics, intrusion prevention systems, antimalware, among others) to ensure you're getting the most out of them. In the end, you're still going to get false positives, but you can reduce them over time.
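One concrete form the tuning described above can take is a feedback loop: analysts record a disposition on each reviewed alert, the per-rule false positive rate tells you which rules need attention, and consistently benign (rule, source) pairs become suppressions that are applied to new alerts. The following is an added example written for this answer, not code from the original page or from any SIEM vendor; the alert fields, rule names, IP addresses and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Alert:
    rule: str
    src: str
    dst: str
    # Analyst verdict after review: "true_positive", "false_positive",
    # or None when the alert has not been reviewed yet.
    disposition: Optional[str] = None


# Constructed sample of alerts that analysts have already reviewed (not real data).
REVIEWED: List[Alert] = [
    Alert("port_scan", "10.0.5.20", "10.0.0.0/24", "false_positive"),   # authorized vuln scanner
    Alert("port_scan", "10.0.5.20", "10.0.1.0/24", "false_positive"),
    Alert("port_scan", "10.0.5.20", "10.0.2.0/24", "false_positive"),
    Alert("port_scan", "203.0.113.7", "10.0.0.0/24", "true_positive"),
    Alert("brute_force", "10.0.7.14", "10.0.0.5", "false_positive"),    # service account w/ stale password
    Alert("brute_force", "10.0.7.14", "10.0.0.5", "false_positive"),
    Alert("brute_force", "198.51.100.9", "10.0.0.5", "true_positive"),
    Alert("malware_beacon", "10.0.8.3", "192.0.2.10", "true_positive"),
]

# Constructed batch of new, unreviewed alerts the tuning will be applied to.
NEW_BATCH: List[Alert] = [
    Alert("port_scan", "10.0.5.20", "10.0.3.0/24"),
    Alert("port_scan", "10.0.5.20", "10.0.4.0/24"),
    Alert("port_scan", "192.0.2.44", "10.0.0.0/24"),
    Alert("brute_force", "10.0.7.14", "10.0.0.5"),
    Alert("malware_beacon", "10.0.8.3", "192.0.2.10"),
]


def false_positive_rate_by_rule(alerts: List[Alert]) -> Dict[str, float]:
    """Share of reviewed alerts per rule that analysts marked as false positives."""
    counts: Dict[str, List[int]] = defaultdict(lambda: [0, 0])  # rule -> [fp, reviewed]
    for a in alerts:
        if a.disposition is None:
            continue  # unreviewed alerts carry no signal
        counts[a.rule][1] += 1
        if a.disposition == "false_positive":
            counts[a.rule][0] += 1
    return {rule: fp / total for rule, (fp, total) in counts.items()}


def rules_to_tune(alerts: List[Alert], threshold: float = 0.5, min_samples: int = 3) -> Set[str]:
    """Rules whose false positive rate exceeds the threshold, with enough reviews to trust the rate."""
    reviewed_per_rule: Dict[str, int] = defaultdict(int)
    for a in alerts:
        if a.disposition is not None:
            reviewed_per_rule[a.rule] += 1
    rates = false_positive_rate_by_rule(alerts)
    return {r for r, rate in rates.items() if rate > threshold and reviewed_per_rule[r] >= min_samples}


def build_suppressions(alerts: List[Alert], min_samples: int = 2) -> Set[Tuple[str, str]]:
    """(rule, source) pairs where every reviewed alert was a false positive.

    Suppressions are keyed on rule AND source, never on the rule alone, so the
    same rule keeps firing for sources that have not been reviewed as benign.
    """
    verdicts: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for a in alerts:
        if a.disposition is not None:
            verdicts[(a.rule, a.src)].append(a.disposition)
    return {
        key for key, ds in verdicts.items()
        if len(ds) >= min_samples and all(d == "false_positive" for d in ds)
    }


def apply_suppressions(alerts: List[Alert], suppressions: Set[Tuple[str, str]]) -> List[Alert]:
    """Drop alerts that match a suppression; everything else still reaches the analyst."""
    return [a for a in alerts if (a.rule, a.src) not in suppressions]


if __name__ == "__main__":
    for rule, rate in sorted(false_positive_rate_by_rule(REVIEWED).items()):
        print(f"{rule:15s} false positive rate {rate:.0%}")
    print("rules to tune:", sorted(rules_to_tune(REVIEWED)))
    sup = build_suppressions(REVIEWED)
    kept = apply_suppressions(NEW_BATCH, sup)
    print(f"new batch: {len(NEW_BATCH)} alerts, {len(kept)} after suppression")
```

The per-rule rate points you at the rules worth rewriting (here the scanner-triggered port scans and the service-account lockouts), while the suppressions buy relief immediately without silencing a rule outright; the `min_samples` guards keep a single analyst verdict from becoming a permanent blind spot. In practice each suppression should also carry an owner and an expiry so it is re-reviewed rather than forgotten.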
For these reasons alone, I recommend outsourcing the service entirely to a qualified managed security services provider. These companies and their staff have been down these roads and know their tools better than anyone else. They can provide the extra leg work necessary to filter through the noise and tell you only what you need to know. Otherwise, this is a troublesome task. You'll certainly stay busy, but at quite a cost to your enterprise.
Related Q&A from Kevin Beaver