The Dirty Dozen: Killing False Positives

March 9, 2007

In the classic war movie The Dirty Dozen, Lee Marvin’s maverick major must make a crack fighting unit from an unruly squad of prisoners, then launch an all-out assault behind enemy lines. It’s a near-impossible assignment.

Any IT director trying to battle security threats to their networks day after day will know the feeling. Maintaining a clear view of their true security position is a constant, enervating battle, devouring man-hours and resources.

Why? Largely because of false positive security alerts. Although vital to defence, security systems such as IPS, IDS, firewalls and anti-virus also create problems by generating false positive alerts, obscuring the network’s actual exposure to risk.

A 2006 IBM survey of 700 European IT managers highlighted the scale of the issue. 1 in 10 IT departments spend more than 3 days a week just analysing security log data. Further, over 45% receive more than 4,000 security events per second, making it almost impossible to prioritise potential threats.

Chasing ghosts, crying wolf

With these numbers, a high percentage of false positives means that critical data can be misinterpreted, leading the team to ‘chase ghosts’ – looking for malicious activity that doesn’t exist. They may tire of noisy systems crying “Wolf!” and turn a blind eye – with the risk of a real threat being ignored.

Perhaps the most critical issue is delayed interpretation. A welter of false positives takes time to sift through – time that can be exploited by REAL security threats.

False positives explained

So what causes false positives? The biggest cause by far is insufficient alert context. Firewalls and intrusion systems cannot understand the business importance and vulnerabilities of all systems within the organisation.

For example, an attempted ‘Code Red’ infection of a web server may be reported as a high-priority event by the firewall, even if the target has already been patched against it.

The holy grail of security management is understanding and prioritising reported activities in the context of the organisation’s network, systems and processes. When a threat arises, it generates an alert, but the ITSec team doesn’t need to know about it if the threat presents zero risk. Adding context gives the ITSec team the ability to filter the noise and focus on real threats.

The Dirty Dozen

So how do you start contextualising threats, cutting down false positives, and turning a mass of event data into valuable information? Here are 12 proven steps for any ITSec team.

1. Maintain up-to-date system and network configurations so that sensors properly reflect the network’s structure, behaviour and preferences, especially in IDS and anti-virus systems.

2. Train and dedicate security personnel for first-pass analysis and escalation. Put the best staff onto incident handling and resolution – not simply on looking at event logs.

3. Rate your sensor confidence by tracking the ratio of false positives for each, to identify ones that cry wolf.

4. Regularly review sensor performance and fine-tune to improve it. IDS sensor performance gains of 10% to 30% are not unusual.

5. Consider sensor replacements. If, after tuning attempts, the confidence rating is still low, try newer sensors or different products. By comparing before-and-after figures you can calculate the RoI on the swap-out.

6. Aggregate event data. Don’t sift through multiple identical, repeated events: group them into single alerts and focus on true irregular events.

7. Correlate security events from different systems, and add context by grouping them across different systems. This highlights unusual events.

8. Correlate security events with vulnerability information – as with the Code Red example mentioned earlier.

9. Auto-acknowledge authorised / expected activity, and focus on deviations from acceptable use policies (e.g. users accessing systems out of hours, from unauthorised machines).

10. Educate your users in security policies and acceptable use of the network. This cuts false positives from authorised but unexpected behaviour.

11. Don’t forget your PDCA: to improve processes, integrate these methods into the security management Plan-Do-Check-Act cycle.

12. Automate aggregation, correlation and contextualisation: Security Information and Event Management (SIEM) solutions do this, and greatly simplify the entire process. The right solution can also deliver policy management, threat mitigation and remediation from the same console – further simplifying management.
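
As an added illustration (not code from the original article), the Python example below applies steps 6, 8 and 3 to a handful of constructed events: it collapses repeats into single alerts, downgrades alerts whose target is not exposed to the reported signature (the patched Code Red case), and derives a per-sensor false-positive ratio. The event tuples, sensor and host names, the EXPOSED inventory and the use of "target not exposed" as the false-positive test are assumptions made for the example.

```python
from collections import Counter, defaultdict

# Constructed sample events: (sensor, source IP, target host, signature).
EVENTS = [
    ("ids-dmz", "203.0.113.7", "web01", "code-red"),
    ("ids-dmz", "203.0.113.7", "web01", "code-red"),
    ("ids-dmz", "203.0.113.7", "web01", "code-red"),
    ("ids-dmz", "203.0.113.9", "web02", "code-red"),
    ("fw-edge", "198.51.100.4", "web02", "code-red"),
    ("fw-edge", "198.51.100.4", "mail01", "smtp-relay-probe"),
]

# Constructed asset context: signatures each host is still exposed to.
# Assumption: in practice this comes from a scanner or patch inventory.
EXPOSED = {
    "web01": set(),          # patched against Code Red
    "web02": {"code-red"},   # unpatched
    "mail01": set(),
}

def triage(events, exposed):
    """Aggregate identical events (step 6), then rate each alert by
    whether the target is exposed to the signature (step 8)."""
    alerts = []
    for (sensor, src, host, sig), count in Counter(events).items():
        # A host missing from the inventory is treated as exposed, so gaps
        # in asset data never suppress an alert.
        at_risk = sig in exposed.get(host, {sig})
        alerts.append({"sensor": sensor, "src": src, "host": host, "sig": sig,
                       "count": count,
                       "priority": "high" if at_risk else "info"})
    return alerts

def false_positive_ratio(alerts):
    """Step 3: per sensor, share of raw events raised against targets
    that are not exposed (the stand-in here for a false positive)."""
    total, noise = defaultdict(int), defaultdict(int)
    for a in alerts:
        total[a["sensor"]] += a["count"]
        if a["priority"] == "info":
            noise[a["sensor"]] += a["count"]
    return {s: noise[s] / total[s] for s in total}

if __name__ == "__main__":
    alerts = triage(EVENTS, EXPOSED)
    for a in alerts:
        print(a["priority"], a["host"], a["sig"], "x%d" % a["count"])
    print(false_positive_ratio(alerts))
```

Six raw events become four alerts, only two of which need an analyst; the ratio gives a per-sensor figure to track across tuning rounds.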

By deploying this Dirty Dozen on your network, managing security can seem much less like Mission: Impossible.
