5 tips for reducing false positive security alerts

SOC analysts spend too much time and effort chasing security alerts that incorrectly indicate a vulnerability where none exists.


False positives—or alerts that incorrectly indicate a security threat is present in a specific environment—are a major problem for security operations centers (SOCs). Numerous studies have shown that SOC analysts spend an inordinate amount of time and effort chasing down alerts that suggest an imminent threat to their systems that turn out to be benign in the end.

Research that Invicti conducted recently found that SOCs waste an average of 10,000 hours and some $500,000 annually on validating unreliable and incorrect vulnerability alerts. Another survey that Enterprise Strategy Group (ESG) conducted for Fastly found organizations reporting an average of 53 alerts a day from their web applications and API security tools. Nearly half (45%) are false positives. Nine in ten of the respondents in the survey described false positives as having a negative impact on the security team.

"For SOC teams, false positives are one of the biggest pain points," says Chuck Everette, director of cybersecurity advocacy at Deep Instinct. A SOC’s primary focus is to monitor for security events and to investigate and respond to them in a timely manner. "If they are inundated with hundreds or thousands of alerts that have no true security significance, this distracts them from responding efficiently and effectively to real threats," he says.

Eliminating false positives entirely from the environment can be near impossible. There are, however, ways that SOCs can minimize time chasing them down. Here are five of them:

1. Focus on the threats that matter

When configuring and tuning security alerting tools such as intrusion detection systems and security information and event management (SIEM) systems, make sure you define rules and behavior that alert you only on the threats that are relevant to your environment. Security tools can aggregate a lot of log data, not all of which is necessarily relevant from a threat standpoint to your environment.
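As an added example, not from the article or any vendor, here is the kind of relevance filter tip 1 describes: each alert is checked against a hypothetical asset inventory and rule catalogue, alerts whose rule cannot apply to the target host are suppressed with a logged reason, and alerts for unknown rules or hosts are kept for an analyst rather than dropped silently.

```python
from dataclasses import dataclass

# Constructed asset inventory (hypothetical hosts): OS family and exposed services.
INVENTORY = {
    "web-01": {"os": "linux", "services": {"nginx", "ssh"}},
    "db-01": {"os": "linux", "services": {"postgres", "ssh"}},
    "fs-01": {"os": "windows", "services": {"smb", "rdp"}},
}

# Constructed rule catalogue: OS family and service each rule can affect; empty "os" = any OS.
SIGNATURES = {
    "SMB-REMOTE-EXEC": {"os": {"windows"}, "services": {"smb"}},
    "SSH-BRUTEFORCE": {"os": set(), "services": {"ssh"}},
    "IIS-WEBDAV-OVERFLOW": {"os": {"windows"}, "services": {"iis"}},
}

@dataclass
class Alert:
    sig: str   # detection rule that fired
    host: str  # asset the rule fired on

def classify(alert):
    """Return (keep, reason): keep an alert only if its rule can apply to the target host."""
    sig, asset = SIGNATURES.get(alert.sig), INVENTORY.get(alert.host)
    if sig is None or asset is None:
        # Unknown rule or unknown asset: never drop silently, hand it to an analyst.
        return True, "unknown signature or host; keep for manual triage"
    if sig["os"] and asset["os"] not in sig["os"]:
        return False, f"rule targets {sorted(sig['os'])}, host runs {asset['os']}"
    missing = sig["services"] - asset["services"]
    if missing:
        return False, f"host does not expose {sorted(missing)}"
    return True, "rule applicable to host"

def triage(alerts):
    """Split a batch into (kept, suppressed) lists of (alert, reason) for logging."""
    kept, suppressed = [], []
    for a in alerts:
        keep, why = classify(a)
        (kept if keep else suppressed).append((a, why))
    return kept, suppressed

SAMPLE_ALERTS = [  # constructed IDS output, not real telemetry
    Alert("SMB-REMOTE-EXEC", "web-01"),        # Windows SMB rule fired on a Linux host
    Alert("SMB-REMOTE-EXEC", "fs-01"),         # same rule on the Windows file server
    Alert("SSH-BRUTEFORCE", "db-01"),          # OS-independent, db-01 exposes ssh
    Alert("IIS-WEBDAV-OVERFLOW", "fs-01"),     # fs-01 runs no IIS
    Alert("NEW-RULE-123", "web-01"),           # rule not yet catalogued: keep
]
```

Logging the suppression reason alongside each dropped alert is what makes such a filter auditable when the inventory turns out to be stale.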
