Are False Positives Really a “Thing” in 2022 for Vulnerability Management Programs?
July 14, 2022 - 2 min read
One would be tempted to think that, after a decade of refinement of automated scanning tools across the full stack, false positives and the time-intensive process of validating them are a thing of the past. Exactly the opposite is true.
Will Scanning Automation Deliver Vulnerability Management Nirvana?
If there has been one theme defining the last decade of Vulnerability Management, it is the rise of automated scanning tools. That rise was driven by the ever-increasing number of attack surfaces and by the frequency and ingenuity of the attacks themselves. In turn, the tools became more refined and more accurate, and expanded in scope to cover every layer of the attack surface, not only the network but the application layer itself.
As these trends continue, one might reasonably ask: are we heading toward a utopian state? Are we reaching a point where the technology, and its ability to handle the sheer volume of incidents, outguns the attackers? Can we count on automated scanners to filter out false positives?
The View from the Trenches Is Not Pretty – It Is Actually Noisy
The answer is a firm “No”. For those on the front line tasked with managing incidents, the day-to-day is nowhere close to utopian. If it had to be described in one word, that word would be noise.
Far from Vulnerability Management nirvana, the front-line staff relying on automated scanning tools now face a new herculean task. For all the scaling efficiencies automated tools delivered, they have effectively created a massive new problem: a significant share of the alerts are false positives (noise), that is, alerts that flag a vulnerability that does not exist. With the proliferation of automated alerts, how do teams separate the wheat from the chaff?
How bad is the False-Positive Verification Problem?
While detection automation takes care of the incident-scale problem, it passes on a new scaling problem: dealing with the noise.
“More than 60% of security professionals estimate their security function spends over 3 hours per day validating false positives. Nearly 30% are spending over 6 hours on this task. Most agree that it is too much, and the time could be better utilized. For most, it is the part of their job they like least.”
– Infosecurity Europe 2021
We Have a Focus Issue
“Nearly half of all cybersecurity alerts are false positives, and 75% of companies spend an equal amount of time, or more, on them than on actual attacks.”
– Security Boulevard, 2021
Given the extent of false positives, Vulnerability Management teams must put in the time and resources to remove them. But when that typically takes as much time as dealing with actual attacks, the question naturally arises: is there a more efficient way to manage them?
Is a Hybrid Solution the Answer?
In conclusion, false positives and the process of validating them are a bigger “thing” than ever. Fortunately, there are Smart Vulnerability Management solution providers that offer a hybrid approach, in which a full-stack scanning solution is integrated with a team of expert security validators. With this approach, the Enterprise Vulnerability Management team can act knowing that every alert presented is real, and focus on what matters: securing the attack surface.
To learn more about how Hybrid Solutions effectively deal with the False Positive validation process, click below to receive a free white paper.