Cybersecurity: how to reduce false positives - DEEP
Increased scrutiny of network infrastructure has sent the number of security alerts skyrocketing. However, IT teams have a tendency to ignore these alerts amid so much crying wolf, and this poses a critical security risk to their business.
More and more companies are using correlation strategies to automatically identify potentially dangerous events so that they can react immediately if there is an intrusion on their IT network. The issue companies face is that close monitoring often generates hundreds of alerts per month. This is counterproductive and has the effect of desensitising the teams responsible for handling them. In order to prevent our customers from being flooded with messages, the DEEP Cybersecurity team is committed to a drastic reduction in false positives.
What is a false positive?
It is a security alert triggered by “normal” behaviour. Network infrastructure monitoring is based on the recording of tens of millions of logs. Scenarios are then programmed so that when a sequence of actions considered dubious is executed, this generates a security alert that must be verified. It is generally believed that, in order to identify the 3% of alerts triggered by real incidents, the 97% of alerts triggered by legitimate behaviour (i.e. around 150 per month per customer) must be reviewed. To avoid looking for a needle in a haystack and to prevent a real threat from falling through the cracks, it is crucial to work on reducing the number of alerts.
How can the false positive rate be reduced?
When implementing the monitoring system for your infrastructure, we deploy a set of predefined default rules that are synonymous with danger in most companies: connections to the network outside working days and hours, for example. After only one day, the tool already shows a significant list of incidents recorded. The tuning phase then begins, during which we send our customer weekly reports on the incidents identified during regular reviews. This close cooperation for a limited period of time is crucial in allowing us to draw a line between legitimate and suspicious behaviour. In concrete terms, the CyberForce department ensures that it has an in-depth understanding of the company's working habits in order to carry out a tailor-made configuration of the detection system. Is a connection at 8pm considered legitimate? Does a connection from Morocco or China fit in with the reality for your business? If so, this behaviour is added to a whitelist. This detailed analysis of behavioural data, based on our observations, can reduce the “noise” generated by security monitoring by almost 90%.
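The tuning phase described above, as an added illustration that is not part of the original article or of DEEP's tooling: a default rule set flags connections outside working hours or from an unexpected country, and a tuned rule set adds per-user working-hour exceptions and an extra legitimate country, so the same constructed log lines produce fewer alerts. All log lines, users, countries and thresholds are constructed assumptions.

```python
from datetime import datetime

# Constructed sample authentication log lines (not real data): timestamp, user, source country.
SAMPLE_LOGS = """\
2024-03-04T09:15:00 alice LU
2024-03-04T20:05:00 bob LU
2024-03-05T07:30:00 carol MA
2024-03-06T20:30:00 bob LU
2024-03-09T10:00:00 alice LU
2024-03-07T11:00:00 dave CN
2024-03-07T12:00:00 alice LU
"""

def parse_logs(text):
    """Parse 'timestamp user country' lines into (datetime, user, country) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, country = line.split()
        events.append((datetime.fromisoformat(ts), user, country))
    return events

# Default rules deployed on day one: Mon-Fri 08:00-18:00, connections expected from LU only.
DEFAULT_RULES = {"hours": (8, 18), "weekdays": set(range(5)),
                 "countries": {"LU"}, "whitelist": {}}

# Tuned rules after reviewing the customer's habits (assumed): bob works evenings,
# carol starts early, and MA is a genuine office location. Weekend logins and CN stay suspicious.
TUNED_RULES = {"hours": (8, 18), "weekdays": set(range(5)), "countries": {"LU", "MA"},
               "whitelist": {"bob": {"hours": (8, 22)}, "carol": {"hours": (7, 16)}}}

def evaluate(events, rules):
    """Return one alert (timestamp, user, reasons) per event that breaks a rule."""
    alerts = []
    for ts, user, country in events:
        start, end = rules["whitelist"].get(user, {}).get("hours", rules["hours"])
        reasons = []
        if ts.weekday() not in rules["weekdays"]:
            reasons.append("outside working days")
        elif not (start <= ts.hour < end):
            reasons.append("outside working hours")
        if country not in rules["countries"]:
            reasons.append(f"unexpected country {country}")
        if reasons:
            alerts.append((ts.isoformat(), user, "; ".join(reasons)))
    return alerts

def noise_reduction(events):
    """Alert count before and after tuning, plus the percentage of noise removed."""
    before = len(evaluate(events, DEFAULT_RULES))
    after = len(evaluate(events, TUNED_RULES))
    return before, after, round(100 * (before - after) / before) if before else 0
```

The remaining two alerts (a Saturday login and a connection from an unexpected country) are the ones an analyst still needs to verify.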
The army of shadows
The first step in reducing false positives is therefore to adapt the detection rules to the reality of your working methods. What happens to these alerts next? At DEEP, they are forwarded to a team of analysts for real-time verification. Continuously trained and supported by pre-established procedures, these analysts categorise alerts as quickly as possible. After all, speed is crucial when an intrusion event occurs.
Attack is the best form of defence
At DEEP, the CyberForce department comprises several teams, two of which are highly complementary: the Blue Team (SOC) for defence and the Red Team (COS) for attack. The Red Team conducts regular intrusion tests and collaborates with the defence team to form a Purple Team that aims to continuously improve the level of detection accuracy.
With threats on the rise, greater volumes of data from detection systems are a major challenge for companies. Refining detection as much as possible offers IT departments the best chance of effectively combatting cyber-attacks.
Written by Dylan Dintrans