
Too many false positives, security alerts inundate enterprise, study says

A new study shows enterprises with security analytics are confident in their threat detection capabilities, while those without are overwhelmed by copious false positives and alerts.

Enterprises are struggling to keep up with the troves of false positives, security alerts and amorphous security information that are hampering their ability to detect and handle persistent threats and data breaches, according to a new study.

The study, titled "Data-Driven Security Reloaded" and published by analyst firm Enterprise Management Associates (EMA), based in Portsmouth, N.H., found that while companies' effectiveness in combating information security threats is sliding, the copious security data they collect is overwhelming and thus ineffective. A survey of more than 200 IT administrators and security managers found that 95% of respondents using security analytics were confident in their ability to detect security issues. However, 79% of total respondents were only "somewhat confident" at best, and "highly doubtful" at worst, of their ability to detect security threats before those threats impacted their organizations.

David Monahan, research director at EMA, explained that the study asked about 18 different types of security technologies and ranked respondents' value statements of the products. "Security analytics and threat analytics anomaly detection solutions were tied for first place and had one of the highest value rankings," he said.

The survey, sponsored by anomaly detection firm Prelert, Inc., also found that IT professionals and security managers are struggling to identify and separate important data from the rest of the noise. For example, 50% said too many false positives negatively impact their security readiness.

"That was the number one issue that people had with technology -- that they were getting too many false positives," Monahan said. "The inability to filter through all these alerts is a common information problem amongst organizations."

In addition, 38% said that too much uncorroborated data lacking context hampers their breach detection efforts, while 12% said they simply have too many security alerts to handle.

"It's not just about being able to collect everything and just throw it all into a bucket -- it's about being able to understand and use that data," Monahan said.

In addition, Monahan pointed out that when asked if a lack of data was responsible for inadequate security, zero respondents said yes. And when asked if respondents would want to collect more data, the response was generally no. "Some data may not be as germane," he said, "but the pieces that are: we really want to have those and put those together and create that full context."

Monahan emphasized the idea that it's not about bigger data, but better data. Context and fidelity are the goals here, not indiscriminate information hoarding.

Fidelity is the value of information, Monahan explained, whereas context is putting the pieces together to make the full puzzle picture. "If you have better data and better analysis," he said, "that's going to reduce the number of false positives you have; it's going to reduce the excessive or uncorroborated events; [and] it's also going to reduce the multiple alert factor."
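The three reductions Monahan names (fewer false positives, fewer uncorroborated events, a smaller multiple-alert factor) can be made concrete in a small triage routine. This is an added illustration, not code from the EMA study or from Prelert; the alerts, the asset-role lookup, the fidelity values and the 0.5 threshold are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample alerts (not from the article): detector source, signature,
# affected host and the detector's historical true-positive rate ("fidelity").
ALERTS = [
    {"src": "ids", "host": "web01", "sig": "sqli-probe", "fidelity": 0.3},
    {"src": "ids", "host": "web01", "sig": "sqli-probe", "fidelity": 0.3},
    {"src": "ids", "host": "web01", "sig": "sqli-probe", "fidelity": 0.3},
    {"src": "waf", "host": "web01", "sig": "sqli-block", "fidelity": 0.6},
    {"src": "ids", "host": "dev07", "sig": "port-scan", "fidelity": 0.2},
    {"src": "edr", "host": "db02", "sig": "cred-dump", "fidelity": 0.9},
]
# Constructed context: asset role from a CMDB-style lookup (hypothetical names).
ASSET_ROLE = {"web01": "internet-facing", "db02": "crown-jewel", "dev07": "lab"}
ROLE_WEIGHT = {"crown-jewel": 1.0, "internet-facing": 1.0, "lab": 0.5}


def triage(alerts, asset_role, threshold=0.5):
    """One incident per host: duplicates collapsed, sources corroborated, context applied."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    incidents = []
    for host, items in by_host.items():
        # Multiple-alert factor: identical (source, signature) repeats become one entry.
        distinct = {}
        for a in items:
            distinct.setdefault((a["src"], a["sig"]), a["fidelity"])
        suppressed = len(items) - len(distinct)
        # Corroboration: independent detectors combine as noisy-OR, so two weak
        # signals on one host score higher than either alone.
        miss = 1.0
        for fidelity in distinct.values():
            miss *= 1.0 - fidelity
        score = 1.0 - miss
        # Context: weight by asset role; unknown assets keep a neutral 0.8.
        score *= ROLE_WEIGHT.get(asset_role.get(host), 0.8)
        sources = sorted({src for src, _ in distinct})
        if score >= threshold:
            decision = "escalate"
        elif len(sources) == 1:
            decision = "uncorroborated"  # one low-fidelity source: wait for more evidence
        else:
            decision = "monitor"
        incidents.append({"host": host, "sources": sources, "suppressed": suppressed,
                          "score": round(score, 2), "decision": decision})
    return incidents
```

Run against the sample, web01's three repeated IDS alerts collapse into one corroborated incident with the WAF hit, dev07's lone port scan is held as uncorroborated, and db02's single high-fidelity EDR alert escalates on its own.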



Does your organization use security analytics or anomaly detection technologies?
I agree that "companies' effectiveness in combating information security threats is sliding, the copious security data collected by them is overwhelming and thus ineffective."

Less than 14% of breaches are detected by internal security tools according to the annual international breach investigations report from Verizon. Detection by external third-party entities unfortunately increased from approximately 10% to 25% during the last three years. Unfortunately, current security approaches can't tell you what normal looks like in your own systems. So we need to protect our sensitive data itself.

I found great advice in a Gartner report, covering enterprise and cloud, that analyzed solutions for Data Protection and Data Access Governance; the title of the report is "Market Guide for Data-Centric Audit and Protection." I recently read another interesting Gartner report, "Big Data Needs a Data-Centric Security Focus," concluding, "In order to avoid security chaos, Chief Information Security Officers (CISOs) need to approach big data through a data-centric approach."

Gartner is proposing data tokenization as an effective approach to securing sensitive data.

I suggest that we should secure sensitive data across the entire data flow, including cloud, big data and enterprise systems. This approach can be very effective in addressing attacks against data, also from insider threats.

Ulf Mattsson, CTO Protegrity

False positives are a problem, but because of the seriousness, it's hard to just ignore indicators on a monitoring system or analysis scanner.