For those outside the enterprise cyber security community, it can seem strange that experienced security professionals live in a world where managing the noise from false-positive alerts is a daily and significant problem. But in 2022, for almost every global enterprise, this is simply a fact. Before we think about how to resolve the issue, let's first remind ourselves why one would want to rid a Vulnerability Management (VM) program of false positives in the first place.
There is an irony here. The sheer number of vulnerabilities across the entire attack surface could only be handled with automation in the first place, and automated scanning for each layer of the IT stack (web applications, network and devices, APIs, and so on) did keep pace with the growth in vulnerabilities. But it also generated a lot of noise: a scanner that infers a weakness from a version banner or a pattern match cannot confirm it, so a share of every scan's output is alerts that are not real. Removing that noise means returning to a human to rule them out. There are efficient ways to do this; here are the three steps you should take:
Number 1 – Alert Convergence – Before you begin the process of ruling out false positives, make it more efficient by aggregating the alerts from every layer of the IT stack into one dashboard, normalised to a common format so that the same issue reported by two tools (or by two scan windows) is counted once. Ruling out false positives is a far more manageable task when you work from a single, de-duplicated source.
Number 2 – Contextualize the Alerts – If you really want to optimize the process, rank the aggregated alerts by type and by the business process the affected asset supports. Then, when you remove the false positives, you not only gain accuracy but also business insight into what to act on first: a critical finding on a revenue-generating system is validated before a medium finding on an internal tool.
Number 3 – Consider a Hybrid Platform – If you are already deploying a vulnerability solution for the automated alerts, consider a hybrid version in which the supplier provides a team of experienced experts to perform the false-positive removal as part of the overall solution. Hybrid solutions offer the bandwidth of seasoned security experts, allowing your own VM staff to focus on proactive and strategic work that improves the VM program. Given the scarcity of security professionals, it is beneficial to have a scalable set of experts to rule out the false positives; in many cases they can provide expert guidance on remediation as well.
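Steps 1 and 2 above describe a procedure: pull findings from several scanner layers into one place, collapse duplicates, attach business context and rank. The script below is an added example of that procedure and is not Edgescan's code or the export format of any real scanner. The three "scanner" outputs, their field names, the asset-to-business-process map and the criticality weights are all constructed sample data and assumptions. It also shows the practical hand-off point: findings the scanner only inferred (a version banner, a pattern match with no proof) are flagged for human review before anyone acts on them, since those are where false positives concentrate.

```python
"""Added example: converge findings from several scanner layers into one
normalised, de-duplicated queue, then contextualise and rank them so a human
analyst rules out false positives in business-priority order.

Everything below is constructed sample data; the per-scanner field names are
assumptions, not any real product's export format."""
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed exports, each in its own (assumed) schema.
WEB_APP_SCAN = [
    {"url": "https://shop.example.com/login", "name": "Reflected XSS",
     "risk": "High", "evidence": "payload reflected in response"},
    {"url": "https://shop.example.com/search", "name": "SQL injection",
     "risk": "Critical", "evidence": None},          # inferred from a timing heuristic, no proof
]
NETWORK_SCAN = [
    {"host": "shop.example.com", "plugin": "Outdated OpenSSL (version banner only)",
     "cvss": 5.9, "confirmed": False},
    {"host": "hr-intranet.example.com", "plugin": "SMBv1 enabled",
     "cvss": 7.5, "confirmed": True},
    {"host": "shop.example.com", "plugin": "Outdated OpenSSL (version banner only)",
     "cvss": 5.9, "confirmed": False},             # same hit from a second scan window
]
API_SCAN = [
    {"endpoint": "https://api.example.com/v1/orders",
     "issue": "Broken object level authorisation", "severity": "critical", "verified": True},
]

# Assumed business context: (process the asset supports, criticality weight 1..3).
BUSINESS_CONTEXT = {
    "shop.example.com": ("online sales", 3),
    "api.example.com": ("online sales", 3),
    "hr-intranet.example.com": ("internal HR", 1),
}
SEVERITY_SCORE = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass(frozen=True)
class Finding:
    source: str     # which scanner layer produced it
    asset: str      # hostname, so web/API/network hits on one host line up
    issue: str
    severity: str   # normalised to critical/high/medium/low/info
    evidence: bool  # True only if the scanner produced proof, not an inference


def _host(url: str) -> str:
    return urlparse(url).hostname or url


def cvss_to_severity(score: float) -> str:
    """Map a CVSS base score onto the same bands the other scanners use."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low" if score > 0 else "info"


def converge(web, net, api):
    """Step 1: map every scanner's schema onto Finding, then drop duplicates."""
    findings = []
    for f in web:
        findings.append(Finding("webapp", _host(f["url"]), f["name"],
                                f["risk"].lower(), f["evidence"] is not None))
    for f in net:
        findings.append(Finding("network", f["host"], f["plugin"],
                                cvss_to_severity(f["cvss"]), f["confirmed"]))
    for f in api:
        findings.append(Finding("api", _host(f["endpoint"]), f["issue"],
                                f["severity"].lower(), f["verified"]))
    # Key on (asset, issue): the repeated OpenSSL banner hit collapses to one entry.
    unique = {}
    for fnd in findings:
        unique.setdefault((fnd.asset, fnd.issue), fnd)
    return list(unique.values())


def contextualise(findings):
    """Step 2: attach business process, rank by severity x criticality,
    and mark unconfirmed findings for human review before action."""
    ranked = []
    for fnd in findings:
        process, criticality = BUSINESS_CONTEXT.get(fnd.asset, ("unknown", 2))
        ranked.append({
            "priority": SEVERITY_SCORE[fnd.severity] * criticality,
            "process": process,
            "needs_review": not fnd.evidence,   # inferred-only hits are the false-positive pool
            "finding": fnd,
        })
    # Highest priority first; at equal priority, confirmed findings ahead of unconfirmed ones.
    ranked.sort(key=lambda r: (-r["priority"], r["needs_review"], r["finding"].asset))
    return ranked


def triage_queue(ranked):
    """The human's work list: unconfirmed findings, already in business order."""
    return [r for r in ranked if r["needs_review"]]


if __name__ == "__main__":
    ranked = contextualise(converge(WEB_APP_SCAN, NETWORK_SCAN, API_SCAN))
    for r in ranked:
        flag = "REVIEW" if r["needs_review"] else "act"
        print(f'{r["priority"]:>3} {flag:<6} {r["process"]:<13} '
              f'{r["finding"].asset:<26} {r["finding"].issue}')
```

With the sample data, five unique findings survive convergence (the duplicate banner hit is dropped), the confirmed API authorisation flaw on the sales platform ranks first, and the analyst's review queue is the two inferred-only findings, with the unproven SQL injection on the shop ahead of the OpenSSL banner because it sits at the top of the business ranking. The weights and bands are assumptions to be replaced with your own asset inventory and severity policy.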
There is no magic automated bullet for the false-positive problem; there is no substitute for human security expertise to remove them safely. If this is what you ultimately need to do, then you need to face the question of how you will achieve it most efficiently: through an internal recruiting effort, by tapping existing staff within your department, or in the form of a hybrid solution with your VM automated-alert supplier. Keep in mind that false-positive removal is a continual and necessary activity, not a one-off clean-up: every new scan brings a fresh batch. The time to start slaying the noise dragon was yesterday.
Want to learn more about achieving virtually 100% false-positive-free alerts? See Edgescan: Does a Hybrid Model for Vulnerability Management Make Sense?
Marketing Executive of Edgescan