An Alarming Status Quo
For those outside the enterprise cyber security community, it can seem strange to imagine that experienced security professionals live in a world where managing the noise of false-positive alerts is a daily and significant problem. But in 2022, for almost every global enterprise, this is simply a fact. Before we think about how to resolve this issue, let’s first remind ourselves why one would want to rid a Vulnerability Management (VM) Program of false positives.
The Very, Very, Very Bad Problem with False Positives
- Taking Eyes off What Matters – If you are constantly struggling to deal with false positives, it drastically impedes your ability to catch the vulnerabilities that truly matter – the ones that could potentially have a dramatic business impact.
- Resilience Menaces – Obviously exposures on your attack surface have the biggest impact on your security resilience posture. But the distraction and delay caused by false positives is often taken for granted. The hacker will exploit an exposure while you sort what’s real and what is simply noise.
- Confidence Deflators – Your team’s confidence suffers when it takes action on false positives only to realize it has been running a fool’s errand. Management and IT can also lose confidence in your judgement when too many false flags are constantly communicated as real issues.
- Morale Killers – The simple drudgery of ridding oneself of false positives on its own can take away the initial strategic spirit of your team. But when the false positives leak into their remediation action and the support teams are chasing issues that are not issues – it takes the wind out of everyone’s sails.
- Bandwidth Siphons – Of course, if you have infinite time and budget, manually ruling out false positives can be done. But every Enterprise has a limited budget and limited staff and you do not want to squander the investment and time of your strategic security team by manually taking out false positives. You want your VM team to be focused on the prize – you want them to be proactive and align security best practices and tools to meet your ongoing and changing business goals.
So How Do We Achieve Virtual 100% False-Positive Free Alerts?
An interesting irony is that the sheer number of vulnerabilities across the entire attack surface initially had to be handled with automation. While the scaling capabilities of automated alerts for each layer of the IT stack – web applications, network and devices, APIs, etc. – kept pace with the growing number of vulnerabilities, they also generated a lot of noise. To remove the noise, we must return to the human to rule them out. But there are efficient ways to do this – here are the three steps you should take:
Number 1 – Alert Convergence – Before you begin the process of ruling out false positives, make it more efficient by aggregating and contextualizing all the alerts from each layer of the IT stack into one dashboard. The task becomes more manageable when you take the alerts on from a single source.
Number 2 – Contextualize the Alerts – If you really want to optimize the process, then first rank all the alerts by type and business process so that when you remove the false positives you not only have accuracy, but you have business insight on what to act on first.
Number 3 – Consider a Hybrid Platform – If you are already deploying a vulnerability solution for the automated alerts, consider a hybrid version where the supplier provides a team of experienced experts to perform the false-positive removal as part of the overall solution. These hybrid solutions offer the bandwidth of seasoned security experts, allowing your VM security staff to focus on proactive and strategic activities that optimize your VM Program. Given the scarcity of security professionals, it is beneficial to have a scalable set of experts to rule out the false positives. In many cases they can provide expert guidance as well.
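The first two steps (convergence and contextualization) and the analyst's false-positive verdict can be expressed as a small triage pipeline. The following is an added illustration, not Edgescan's code or product logic; the three scanner schemas, the asset-to-business-process mapping and the criticality scores are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample output from three scanner layers, each with its own schema.
WEB_ALERTS = [
    {"host": "shop.example.com", "cwe": "CWE-79", "severity": "high"},
    {"host": "shop.example.com", "cwe": "CWE-79", "severity": "high"},  # rescan duplicate
]
NET_ALERTS = [{"ip": "10.0.0.5", "plugin": "ssl-weak-cipher", "risk": "Medium"}]
API_ALERTS = [{"endpoint": "api.example.com", "finding": "auth-bypass", "level": 9.1}]

# Constructed business context: which process each asset supports, and how
# critical that process is on a 1..5 scale (assumed, not a standard scheme).
ASSET_PROCESS = {"shop.example.com": "checkout", "10.0.0.5": "hr-portal",
                 "api.example.com": "checkout"}
PROCESS_CRITICALITY = {"checkout": 5, "hr-portal": 2}
SEVERITY_SCALE = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Alert:
    asset: str
    issue: str
    severity: int  # normalized to 1..4 across all layers
    layer: str


def normalize(web, net, api):
    """Step 1 (convergence): map each layer's schema onto one record; the set dedupes."""
    alerts = set()
    for a in web:
        alerts.add(Alert(a["host"], a["cwe"], SEVERITY_SCALE[a["severity"].lower()], "web"))
    for a in net:
        alerts.add(Alert(a["ip"], a["plugin"], SEVERITY_SCALE[a["risk"].lower()], "network"))
    for a in api:  # numeric 0..10 level bucketed onto the shared 1..4 scale
        lvl = a["level"]
        sev = 4 if lvl >= 9 else 3 if lvl >= 7 else 2 if lvl >= 4 else 1
        alerts.add(Alert(a["endpoint"], a["finding"], sev, "api"))
    return alerts


def rank(alerts, known_false_positives):
    """Step 2 (context): drop analyst-confirmed false positives, then order by
    severity weighted by the criticality of the business process the asset serves."""
    live = [a for a in alerts if (a.asset, a.issue) not in known_false_positives]
    impact = lambda a: a.severity * PROCESS_CRITICALITY[ASSET_PROCESS[a.asset]]
    return sorted(live, key=lambda a: (-impact(a), a.asset, a.issue))


def triage(web, net, api, known_false_positives=frozenset()):
    """One queue for the analyst: converged, contextualized, FP-suppressed."""
    return rank(normalize(web, net, api), known_false_positives)
```

The `known_false_positives` set is the continual part of the process: each verdict the analyst records suppresses that finding on the next scan instead of being re-triaged.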
In Summary – Human Security Expertise is Key
There is no magic automated bullet to rid oneself of the false-positive problem – there simply is no substitute for human security expertise to safely remove them. If this is ultimately what you need to do, then you need to face up to the question of how you will most efficiently achieve it: through an internal recruiting effort, by tapping existing staff within your department, or in the form of a hybrid solution with your VM automated alert supplier. Keep in mind that false-positive removal is a continual and necessary activity. The time to start slaying the noise dragon was yesterday.
Want to learn more about achieving virtually 100% false-positive-free alerts? See Edgescan: Does a Hybrid Model for Vulnerability Management Make Sense?