The number of false positive security alerts is staggering. Here’s what you can do to reduce yours

Nearly half of all cybersecurity alerts are false positives, and 75% of companies spend an equal amount of time, or more, on them than on actual attacks, a Fastly/ESG report reveals.


For companies that have made the leap to the cloud- and API-driven world of modern computing, today's security tooling is causing more headaches than it is worth: the report attributes 46% of all application downtime to false positives.


The report from edge computing company Fastly and the Enterprise Strategy Group found that 75% of businesses spent as much, or more, time chasing false positives than they did dealing with actual security incidents. 


Cloud- and API-based applications make security far more complicated than it was in the era of on-premises computing. The report makes that evident with one figure: the typical business runs an average of 11 web application and API security tools, at a cost of close to $3 million a year. Those tools, the report said, are ineffective and largely impede growth, because a security alert from them has a near 50/50 chance of being false. 

The report describes the current state of security software as “a patchwork of incompatible tools” added when new cloud vendors are brought onboard, due to input from developers or other team members, during attempts at modernizing app architecture or simply because the company felt that it was more secure to have more tools in place. 

Whatever the reason for acquiring them, those tools have failed many companies, which have responded by running them in log-and-monitor mode only (53% of cases), disabling them completely (12%) or both (26%). All told, that is 91% of businesses disabling or reducing the capabilities of their security software in response to too many false positives.

How to reduce false-positive security alerts

There are many ways to cut down on false positives, but the report makes one recommendation above all others: Purchase and use a single, unified solution designed for modern cloud and API security needs. Only 1% of respondents surveyed were already doing so, though 93% said they planned to, or were interested in, doing so. 

Adopting a unified product that integrates with other tools, provides API visibility, uses behavioral-based blocking, continuously updates and covers multiple architectures is important, but Fastly’s senior principal of product technology, Kelly Shortridge, said that tools aren’t the be-all and end-all of cybersecurity: It’s in how you use them.

Advanced tools aren’t instant fixes, Shortridge said, citing the months or even years it can take to tune an AI or machine learning security tool to do its job without generating false positives and eating up employee time. “Before using an opaque fancy math solution, your team (and the vendor itself) must be able to lucidly identify why rules and deterministic logic are insufficient.”  

Shortridge also warns that collecting data in an attempt to improve security can hinder just as much as help: If you don’t have a goal in mind when tuning software or making a case for a certain approach, you’re logging useless info.

“Any data you collect—and the metrics they drive—should be directly tied to a known question with a known action that can be taken when it’s answered,” Shortridge said. Diminishing returns and team burnout are two important factors to consider when trying to process data into actionable metrics. “It’s imperative that security teams consider both adding and subtracting data to improve their decision-making and measure not just the benefits, but also the losses to productivity and opportunity costs that ingesting a data source can impose on your organization.”


Shortridge also said that context, while a dirty buzzword to some, is a fundamental part of building a good, reliable security model. An event considered out of context doesn’t mean anything, she said, “which is why choosing (or building) tools with thoughtful conditional logic can help more accurately discern incidents within event data.” 
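To make the point about conditional logic concrete, here is an added example (not code from Fastly, the report or Shortridge) that contrasts a bare signature rule with one that consults context before alerting. The request events, the free-text endpoint list (`FREE_TEXT_PATHS`) and the `known_scanner` field are all constructed assumptions for the demonstration; the regex is deliberately broad, as noisy signatures tend to be.

```python
"""Context-aware alerting over constructed web-request events.

Added example (not code from Fastly or the Fastly/ESG report). It runs a
deliberately noisy SQL-injection signature over a handful of constructed
request events, first on its own and then with conditional logic that
looks at the surrounding context (endpoint type, response status, backend
error, reputation, burst behaviour) before raising an alert.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Broad signature: matches SQL keywords and comment markers anywhere in a query.
SQLI_SIGNATURE = re.compile(r"(?i)\b(union|select|drop|insert|or\s+1\s*=\s*1)\b|'--|;--")

# Assumed: endpoints that legitimately accept free text (search boxes, blog
# search), where SQL keywords in user input are expected and harmless.
FREE_TEXT_PATHS = {"/search", "/blog"}


@dataclass
class Event:
    ts: int              # seconds since start of the sample window
    src_ip: str
    path: str
    query: str           # raw query string
    status: int          # HTTP response status returned to the client
    db_error: bool       # application logged a database error for this request
    known_scanner: bool  # assumed field: source matched a reputation list


# Constructed sample events: four benign free-text searches, one burst of real
# injection attempts that triggers DB errors, and one probe from a known scanner.
CONSTRUCTED_EVENTS = [
    Event(0, "10.0.0.5", "/search", "q=select+a+restaurant", 200, False, False),
    Event(1, "10.0.0.5", "/blog", "q=how+to+drop+a+table+in+sql", 200, False, False),
    Event(2, "10.0.0.7", "/search", "q=union+members+2021", 200, False, False),
    Event(3, "203.0.113.9", "/login", "user=admin'--", 500, True, False),
    Event(4, "203.0.113.9", "/login", "user=admin' or 1=1--", 500, True, False),
    Event(5, "203.0.113.9", "/login", "user=x' union select 1,2--", 500, True, False),
    Event(6, "198.51.100.4", "/search", "q=insert+coin+arcade", 200, False, False),
    Event(7, "198.51.100.8", "/api/items", "id=1' union select 1--", 200, False, True),
]


def naive_alerts(events):
    """Signature-only rule: every regex match becomes an alert."""
    return [e for e in events if SQLI_SIGNATURE.search(e.query)]


def contextual_alerts(events, window=10, burst=3):
    """Same signature, but a match only becomes an alert when context agrees.

    A match is suppressed when it hit a free-text endpoint, the app answered
    200 and reported no database error. It is kept when the backend reported a
    DB error, the source is a known scanner, the source produced `burst` or
    more matches within `window` seconds, or the endpoint is not a free-text one.
    """
    hits = [e for e in events if SQLI_SIGNATURE.search(e.query)]
    by_src = defaultdict(list)
    for e in hits:
        by_src[e.src_ip].append(e.ts)

    alerts = []
    for e in hits:
        benign_free_text = (e.path in FREE_TEXT_PATHS and e.status == 200
                            and not e.db_error)
        bursty = sum(1 for t in by_src[e.src_ip] if abs(t - e.ts) <= window) >= burst
        if e.db_error or e.known_scanner or bursty or not benign_free_text:
            alerts.append(e)
    return alerts


def false_positive_rate(events):
    """Share of naive alerts that the contextual rule discards."""
    naive = naive_alerts(events)
    kept = {id(e) for e in contextual_alerts(events)}
    dropped = sum(1 for e in naive if id(e) not in kept)
    return dropped / len(naive) if naive else 0.0


if __name__ == "__main__":
    print(f"signature-only alerts: {len(naive_alerts(CONSTRUCTED_EVENTS))}")
    print(f"contextual alerts:     {len(contextual_alerts(CONSTRUCTED_EVENTS))}")
    print(f"discarded as noise:    {false_positive_rate(CONSTRUCTED_EVENTS):.0%}")
```

On the constructed sample the bare signature raises eight alerts, four of them for ordinary search terms; the contextual rule keeps the three login probes that produced database errors and the known-scanner probe, and drops the rest. The useful part is not the specific conditions, which depend on the application, but that every suppression is tied to a field the team can name and justify, which is exactly the "known question, known action" discipline described above.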
