False positives are expensive!!
According to a Critical Start survey, for every sixty minutes security operations centers (SOCs) run, fifteen minutes are wasted on false positives.
Further, the study reveals that, on average, a typical organization wastes 286 to 486 hours per week on false positives.
What are false positives?
False positives are alerts raised by security software that turn out to be nothing at all.
While false positives might pass for small inconveniences, they can significantly reduce your security software’s accuracy.
As a result, when the excessive noise generated by numerous false positives cannot be eliminated, it becomes extremely difficult for security analysts to tune detection rules for alerts on malicious behavior.
What causes false positives?
The most common causes of security software false positives are:
- Tester’s misinformation: The results of a software test are only as good as the tester’s knowledge. The less information a tester has about how specific software works, the higher the likelihood of numerous false-positive reports.
- Defective analysis: The security staff can label an alert as a false positive if legitimate files behave in a manner typically considered malicious.
- Clunky Natural Language Processing (NLP): Machine learning involves feeding the system with vast amounts of training data. Errors or ambiguities in the training data lead to false detections.
The adverse effects of false positives
A software tester’s work is to find and report bugs for developers to fix and, by extension, create a stable product.
But, what happens when testers “find” nonexistent bugs or ones that don’t necessarily need fixing?
Here’s what transpires:
Wasted time
Security staff ends up wasting precious time hunting down things that don’t really count. On top of that, they create confusion by reporting problems that developers cannot fix on their end.
Slow development
False positives compel developers to fix problems that they shouldn’t be fixing. The result is less stable software caused by unnecessary changes.
The situation becomes even more aggravated if software testers decide to fix the issue without engaging the developers.
Unresolved problems
Hunting down, reporting, and fixing false positives can prevent the security team from dealing with the software’s real problem.
Put differently, checking for false positives isn’t wrong in itself, but it pulls the team away from the issues that matter most.
Deteriorated working relationships
False positives delay product launches and annoy clients. That’s not the only problem, though.
Wasted time and resources cause misunderstanding between developers and testers. An unhealthy relationship can harm present and future collaboration between security teams.
In a nutshell, here’s how the false positive cycle works:
- Security software reports an issue.
- Software testers try to locate the problem and eventually give up.
- The testers dismiss the case as a false alarm.
- The security software continues to report the issue.
- The security team notifies the developers about the problem.
- The developers have to convince the testers that it was a false positive.
- The security software continues to report similar issues in the future.
- The problem isn’t resolved, the security team has wasted time, and now, everyone is skeptical about the software.
How to deal with false positives
Security software will almost always report false positives.
Even so, there are steps that can significantly reduce the impact of false positives. These include:
Coming up with predefined goals
The security team should agree on what the software is supposed to accomplish from the get-go. That way, it is easier to decide what a false positive is.
Nurturing healthier communication
Software testers and developers must read from the same script. Sure, there will be differences from time to time. Still, it is essential to:
- Share information
- Keep communication open
- Define responsibilities
Improving documentation
Healthier communication allows the security teams to achieve the following:
- Determine if the software still works as expected.
- Determine if a bug needs fixing or not.
- Develop a solution if the software isn’t working as it should.
The bottom line
Few false positives allow your security team to be effective – the fewer, the better.
As a security manager or analyst, you must encourage your team to understand and determine each security product’s false positive rate in your organization.
Remember, it takes only a handful of false positives to render your security team unproductive, and that’s something you don’t want as a chief security officer.