Alert management in cybersecurity: how to optimize false positives

Reacting quickly to security incidents is crucial, but you also need the right information at the right time, with the right alerts. What causes false positives? How can we limit them?

A study carried out by CybSafe shows that, generally speaking, more than half of office workers ignore security-related alerts and messages because they are over-solicited across all their digital tools.

While monitoring security alerts is not the job of business teams, it is the core business of the CISO, and for them more than anyone else, too much information is counterproductive and can ultimately put security at risk.

The culprit behind so-called alert fatigue has a name: false positives. They are what every cybersecurity expert is trying to reduce, through properly configured processes and tools.

Let’s take a closer look at what can generate these false alerts, the risks induced by this noise, and how to remedy the situation. 

Defining false positives in cybersecurity 

What is a false positive? Quite simply, a false alarm: an alert raised for a situation wrongly interpreted as a problem or threat to an organization’s IT assets or network.

These false positives result from misinterpretation by security tools (EDR, XDR…), firewalls, or DLP (Data Loss Prevention) solutions, and can mislead the security teams that rely on them (CISO, SOC manager, or CIO, depending on the organization).

Here are some examples of events that can trigger a false alarm:   

  • legitimate administrative actions that may be interpreted as suspicious or malicious;  
  • scripts running on the information system and performing actions comparable to malicious ones (data processing, export, backup, cleanup, etc.)…  

These false alarms are all the more likely when every user is an administrator of their own workstation: the broad rights involved mean a far larger range of actions for the tools to interpret.

False positives: the risks, and why it’s hard to eradicate them completely

A false positive is obviously a nuisance, since it attracts attention for nothing, but its harmful effects go well beyond annoyance.

As already mentioned, it wastes the time of SOC, CISO, CERT or CSIRT teams and can cause them to miss important information. And when detection rules are configured to block processes automatically, a false positive can bring part of the information system to a halt.

If production is stopped for no reason, the loss of time and productivity is compounded by a loss of trust, not only in the tools but also in the teams in charge of security. As in the story of the boy who cried wolf, overall vigilance then declines, and real alerts are more likely to slip through the net.

So, is it better to apply the most restrictive security policies possible, receive the maximum number of alerts and inspect everything? Or, on the contrary, to loosen the rules at the risk of letting real alerts through?

False positive management: the art of compromise

For CISOs and SOC managers, alerts are a source of stress, and receiving too many of them is a real concern. A 2021 Trend Micro study found that more than half of CISOs report their teams being overwhelmed by alerts, and that almost a third of their time is taken up dealing with false positives.

The fear of missing a real threat is legitimate, but automatically blocking an entire information system at the slightest doubt is not a viable answer. If overly strict policies lead to frequent blocking of activity, end users are likely to reject the solutions put in place and will try to circumvent them, notably via shadow IT: when constraints are too strong, users turn to personal hardware, which inevitably means a loss of visibility over the information system.

Pro tip 

“[Following an attack] we deployed protection scripts on the servers, via the HarfangLab API. This feature is much appreciated by users and IT managers, as it automatically reinforces restrictions during weekends and non-working hours, and relaxes policies the rest of the time to allow business teams to use applications.” 
Nicolas Zisswiller, Managing Partner & Olivier Moreau, Devops – Aktea 

In short, a solid security policy, backed by tools that give the CISO the right information to make the right decisions, is a real challenge: it means limiting false positives without lowering the level of protection.

This requires excellent knowledge of the technical and cyber environment, the ability to contextualize data from security tools, and communication between production and security teams to agree on what is legitimate and what is not.

In practice, how to reduce false positives 

To limit the number of false positives, security rules must be adjusted and protection policies kept up to date in the security tools themselves.

This is a continuous process of configuring the tools and analyzing their logs (from an EDR or XDR, in a SOC or via managed services), both to maintain optimal security and to keep pace with usage and with changes in the IT infrastructure and the digital tools landscape.

The information systems security policy (PSSI) and the hardening of the endpoint fleet also play a vital role: the cleaner the fleet (centralized deployments, the restrictions on user workstations needed to guarantee security, etc.), the lower the risk of false positives.

Pro tip

“For ransomware, and cybercrime-related attacks in general, the tools and signals are relatively visible, and known to be problematic (Mimikatz, Cobalt Strike…).  
But for advanced persistent threats (APT), the attackers’ aim is to stay under the radar.  
In the face of this type of threat, maintaining a clean, high-quality computer fleet is essential, as it helps to identify weak signals, making it harder for attackers to hide.  
It’s important to remember that, even in the case of cybercrime, attackers use commands or remote management tools (RMM) that are often legitimate.  
A hardened policy can detect whether the tool in question is indeed the legitimate one in the fleet, to differentiate between the activity of an attacker and that of an administrator.
In short, the management of false positives is highly dependent on the PSSI and the quality of the fleet, with a view to adapting the rules of the security product deployed.” 
Emeric Boit, Lead CTI – HarfangLab

Good management practices and SOC processes to keep in mind include: 

  • a hardened security policy; 
  • a clear strategy on what you want to detect and prioritize alerts; 
  • the careful implementation of whitelists or filters in your cybersecurity solution, and maintaining them over time, because the information system evolves.
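The three practices above come together in how an exemption is written. The following Python script is an added illustration, not HarfangLab’s product code nor any of the tools quoted on this page: it runs two hypothetical detection rules (RMM tool execution, credential-dumping tool execution) over constructed process-creation events, then applies whitelist entries scoped on exact path, file hash, account, time window and a review date. Every host name, account, path, hash and date in it is made up.

```python
from dataclasses import dataclass
from datetime import date

# Constructed process-creation events, shaped like what an EDR records; not real telemetry.
EVENTS = [
    # 1. sanctioned RMM build run by helpdesk during business hours: expected noise
    {"host": "WS-042", "user": "CORP\\it-admin", "image": r"C:\Program Files\AnyDesk\AnyDesk.exe",
     "sha256": "aa11" * 16, "weekday": "Mon", "hour": 10},
    # 2. same tool name, but dropped in a temp folder by a regular user at 03:00 on a Sunday
    {"host": "WS-017", "user": "CORP\\jdoe", "image": r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe",
     "sha256": "bb22" * 16, "weekday": "Sun", "hour": 3},
    # 3. credential-dumping tool run by the red team during an authorised engagement
    {"host": "SRV-DB01", "user": "CORP\\redteam", "image": r"C:\Tools\mimikatz.exe",
     "sha256": "cc33" * 16, "weekday": "Tue", "hour": 14},
    # 4. benign process, matches no rule at all
    {"host": "WS-042", "user": "CORP\\it-admin", "image": r"C:\Windows\System32\notepad.exe",
     "sha256": "dd44" * 16, "weekday": "Mon", "hour": 11},
    # 5. sanctioned RMM build, right account, but on a Saturday at 02:00
    {"host": "WS-042", "user": "CORP\\it-admin", "image": r"C:\Program Files\AnyDesk\AnyDesk.exe",
     "sha256": "aa11" * 16, "weekday": "Sat", "hour": 2},
]

# Hypothetical detection rules: (name, severity, image basenames that trigger it).
RULES = [
    ("rmm_tool_execution", "medium", {"anydesk.exe", "teamviewer.exe"}),
    ("credential_dumping_tool", "high", {"mimikatz.exe"}),
]

BUSINESS_DAYS = {"Mon", "Tue", "Wed", "Thu", "Fri"}
DURING_ENGAGEMENT = date(2025, 2, 1)   # evaluation date while the red-team exemption is valid
AFTER_REVIEW = date(2025, 6, 1)        # evaluation date after that exemption's review date


@dataclass
class WhitelistEntry:
    """One exemption, scoped as narrowly as the fleet allows: exact path, exact hash,
    named accounts, a time window, and a review date after which it stops applying."""
    rule: str
    image: str
    sha256: str
    users: set
    weekdays: set
    hours: range
    expires: date
    reason: str

    def matches(self, ev, today):
        # Every context field must agree; a tool with the right name in the wrong
        # place, with the wrong hash, or outside the window is not the sanctioned one.
        return (ev["image"] == self.image
                and ev["sha256"] == self.sha256
                and ev["user"] in self.users
                and ev["weekday"] in self.weekdays
                and ev["hour"] in self.hours
                and today <= self.expires)


# Constructed whitelist; the review dates force the entries to be revisited.
WHITELIST = [
    WhitelistEntry("rmm_tool_execution", r"C:\Program Files\AnyDesk\AnyDesk.exe", "aa11" * 16,
                   {"CORP\\it-admin", "CORP\\helpdesk"}, BUSINESS_DAYS, range(8, 19),
                   date(2025, 12, 31), "Sanctioned helpdesk RMM, build validated by IT"),
    WhitelistEntry("credential_dumping_tool", r"C:\Tools\mimikatz.exe", "cc33" * 16,
                   {"CORP\\redteam"}, BUSINESS_DAYS, range(0, 24),
                   date(2025, 3, 31), "Red-team engagement, ticket reference held by the SOC"),
]


def evaluate(events, whitelist, today):
    """Run every rule over every event; an alert is suppressed only when a still-valid
    whitelist entry for that rule matches the event on all of its context fields."""
    alerts = []
    for ev in events:
        basename = ev["image"].rsplit("\\", 1)[-1].lower()
        for rule, severity, names in RULES:
            if basename not in names:
                continue
            exemption = next((w for w in whitelist
                              if w.rule == rule and w.matches(ev, today)), None)
            if exemption is not None:
                continue  # expected activity: nothing for the analyst to triage
            alerts.append({"rule": rule, "severity": severity, "host": ev["host"],
                           "user": ev["user"], "image": ev["image"]})
    # highest severity first, so the analyst's queue starts with what matters
    order = {"high": 0, "medium": 1, "low": 2}
    alerts.sort(key=lambda a: order[a["severity"]])
    return alerts


if __name__ == "__main__":
    print("without whitelist:", len(evaluate(EVENTS, [], DURING_ENGAGEMENT)))   # 4
    for a in evaluate(EVENTS, WHITELIST, DURING_ENGAGEMENT):                    # 2 remain
        print(f"{a['severity']:6} {a['rule']:24} {a['host']:8} {a['user']:16} {a['image']}")
    # once the engagement's review date has passed, the mimikatz exemption lapses
    print("after review date:", len(evaluate(EVENTS, WHITELIST, AFTER_REVIEW)))  # 3
```

Without the whitelist the two rules raise four alerts, three of them for the same RMM product. With it, only the two genuinely odd executions remain (a copy in a user’s temp folder, and the sanctioned copy at 02:00 on a Saturday), and the red-team exemption silently stops applying after its review date, which is the point of dating every entry rather than adding it once and forgetting it.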

Perhaps you’re wondering how EDR can help you better manage false positives? Here’s how. 

How EDR helps reduce false positives

To control the flow of alerts and limit false positives, whitelists need to be set up so that detection rules stay relevant.

[Figure] Overview of the Whitelists tab in the HarfangLab dashboard

For HarfangLab’s EDR, alerts are based on rules that are managed and maintained over time, thanks to the monitoring of activity across all SaaS customers.

If a false positive is linked to a widely used business application, a whitelist can be set up centrally so that all users of the SaaS solution benefit from it.

If an alert is generated by a customer’s own script or binary, a whitelist can be set up for that customer alone.

Furthermore, by analyzing available telemetry, cross-cutting whitelists covering all detection engines can be deployed upstream, without customers having to configure them, further refining detection and alerts.

In all cases, human supervision remains essential to continuously monitor the rules and make them evolve according to the context. 

And to support the work of cyber experts, HarfangLab’s EDR also makes use of artificial intelligence, complementing the other engines, in order to identify unknown threats.