Achieving Zero False Positives with Security Automation
Over the past few years, there’s been a constant and growing drumbeat of news stories about data breaches, phishing and ransomware.
Organizations are recognizing they lack the time and expertise to implement state-of-the-art security monitoring and threat investigations themselves.
Not surprisingly, many of these organizations are turning to their MSPs for help.
Security monitoring can be a growing business for MSPs, but it brings with it some significant challenges and risks.
If not managed properly, security monitoring can spiral out of control, swamping MSPs with busy work and escalating labor costs.
Poorly managed security monitoring also introduces the risk of customers blaming MSPs when data breaches and other serious security incidents occur.
Too Many False Positives
A key reason security monitoring is so costly is due to the large amount of “noise” generated by false positives from security systems.
To understand why, let’s walk through what typically happens when an MSP begins security monitoring for a customer.
First, an MSP deploys a Security Information and Event Management (SIEM) system, which collects and analyzes log events and alerts from systems and applications on customer sites.
Suddenly they start receiving hundreds, if not thousands, of alerts every day.
A large majority of these are false positives, but each alert still must be manually investigated to filter the good from the bad.
A big part of what’s missing from nearly all SIEM systems is local, in-depth knowledge about the customer’s context— information that would help greatly in distinguishing false positive alerts from genuine alerts that merit attention.
As a result, your analysts tend to stop paying full attention to every alert, and can potentially miss the small percentage of alerts that were early indicators of an incident.
Getting To Zero False Positives – Mission Impossible?
We propose MSPs set an audacious goal for security monitoring: aim to reduce the number of false positives to zero.
To streamline the number of alerts, the MSP can program the SIEM with rules for ignoring certain types of alerts.
However, SIEM rules tend to be simplistic since they can’t account for the context in which an alert occurred.
The slightest irregularities in employee behavior can send security analysts scurrying to their screens, looking for signs of a threat.
Even threat intelligence data feeds, which are meant to assist SIEMs in identifying threats that have been detected on other sites, are unable to stay sufficiently up to date or help with fast-breaking trends.
By definition they can’t help with Zero Day, or previously unseen, threats at all.
Without good contextual information, an MSP has no choice but to wade through an ever-expanding list of alerts by hiring an ever-expanding team of security analysts.
This is assuming these analysts can even be found, vetted and recruited.
How should MSPs solve this problem of collecting and applying contextual information to reduce false positives?
With intelligent automation.
Not All Automation Is Created Equal
There are two types of automation for security monitoring and threat detection: robotic and cognitive.
Robotic automation is useful for the repetitive steps that require minimal decision-making.
For example, robotic automation can be used to perform routine case creation and permission-checking after an incident is detected.
Cognitive automation is much more advanced and uses machine learning to automate tasks that require decision-making.
Hence, it’s perfect for threat detection activities such as performing triage on security alerts and threat hunting.
A “smart” security automation system uses cognitive automation to gain contextual awareness of a customer site and then makes decisions (such as threat-scoring) based on deep correlation across multiple data sources.
The system accepts feedback from security analysts, who can rate or correct its decisions, ultimately helping the system become more accurate over time.
Unlike “black box” security solutions, this solution is programmable and analyzable.
Its decisions can be examined and understood.
Security analysts are never left wondering why the system made the decision it did when it dismissed or elevated an alert.
Such a system can accurately triage alerts at scale, causing the number of false positives to plummet.
This automated approach reduces most of the manual investigation work that keeps security analysts overwhelmed and MSP owners awake at night.
Mission Accomplished, Almost
Can such a system reduce false positives to zero?
Not yet.
However, we work with customers who successfully reduced the number of false positives by 90 percent—no menial feat.
Reaching zero false positives—an unimaginable goal even a few years ago—now seems within reach with the next generation of cognitive security solutions.
For MSPs, reducing false positives by 90 percent is a tremendous competitive advantage, saving time and improving margins, but most importantly enabling much better security for their customers.
Our advice to MSPs is to welcome customers seeking help with security monitoring. By deploying both SIEM and cognitive automation systems, MSPs can aim for zero false positives and reap the benefits of a growing business and satisfied customers.
Kumar Saurabh is co-founder and CEO of security intelligence automation platform LogicHub. He has 15 years of experience in the enterprise security and log management space leading product development efforts at ArcSight and SumoLogic, which he left to co-found LogicHub.
