Critical Start: False Positives Plague Cybersecurity Professionals

Written by Edward Gately
January 16, 2020

Automation is helpful in reducing the time to investigate alerts.

Cybersecurity providers are being bombarded with alerts, many of which turn out to be false positives, creating challenges for the industry.

That’s according to Critical Start’s latest report, The Impact of Security Alert Overload. MSSPs, managed detection and response (MDR) providers and security operations center (SOC) professionals were surveyed for the report.

Critical Start found that 70% of cybersecurity professionals investigate more than 10 security alerts daily, a marked increase from 2018 when just 45% reported investigating double-digit alerts each day. And respondents reported a false-positive rate of 50% or higher, meaning valuable time that could be used to strengthen an organization’s security posture is being spent chasing cyber ghosts.

Rob Davis, Critical Start‘s CEO, tells us the industry will always have a high number of false positives, which isn’t necessarily bad. A security vendor stating an activity was good when it was actually malicious would be far worse, he said.

Critical Start’s Rob Davis

“This is a false negative,” he said. “To improve, SOC professionals should create an efficient process so that you never have to investigate the same false positive twice. This involves having the right platform and procedures in place for your SOC so that it is very simple for SOC analysts to automate resolution of known good security alerts. MSSP and MDR providers with the right SOC platform can lower costs significantly by leveraging network effects for false positives that apply to multiple customers. To be effective in detecting all attacks, it is critical that MSSP and MDR providers have the ability to personalize their offerings to take into account unique differences across customers. Unique differences could include login scripts, software installations, custom applications and use of administrative scripts.”

Other key findings from the report include:

Seventy-eight percent of respondents said it takes more than 10 minutes to investigate each alert, a significant increase from 64% who said the same in 2018.
Just 41% of survey respondents believe their primary responsibility is to analyze and remediate threats, opting instead to reduce investigation times and alert volumes, a dramatic decrease from 70% in 2018.
Nearly half of those surveyed said they receive just 20 hours or less of training per year.

“Training is very important and should include a rigorous onboarding process that requires certification before triaging alerts,” Davis said. “At Critical Start for example, new SOC analysts undergo 160 hours of initial training followed by a certification process. Each year we require another 40-80 hours of training. In addition to training, a SOC should have some type of review process to sample the quality of alert investigations and implement a two-person review process for remediation actions and security alert automation actions.”

Automation is helpful in reducing the time to investigate alerts, but you have to be careful on how you measure productivity, he said. Using time per alert can result in “hasty, insufficient” analysis of alerts in an attempt to meet arbitrary productivity metrics. The goal should be to automate the resolution of false positives before they reach the SOC so that SOC analysts can take all the time required to properly investigate each alert, he said.

“The report is encouraging because there is increased evidence companies are hiring additional headcount to handle the alert overload problem,” Davis said. “While the increased budgets are a promising data point, all of the other evidence points to organizations still being unable to resolve every alert generated by their security tools.”