
Don’t Ignore the SIEM Who Cries ‘Alert’: The Importance of Thoroughly Investigating False Positives in Security Alerts 

False positives in security alerts are a common problem that can plague security professionals, consuming valuable time and resources while decreasing the effectiveness of security measures.  

A recent survey by Security Magazine found that 20% of security alerts are false positives, which can be a significant issue for organizations with limited resources. 

What is a SIEM?

A Security Information and Event Management (SIEM) system collects, stores, analyses and correlates security events from many sources across an IT environment, raises alerts when events match its detection rules, and feeds the response workflow. 

SIEMs are the eyes and ears of security teams, collecting a wide range of security data and alerting teams when suspicious activities occur. 

The breadth of data and sources a SIEM processes is also why it produces false positives: a detection rule written broadly enough to catch an attacker will also match some legitimate activity. Thorough investigation is what separates a valid alert from a false one. 

In a Security Operations Center (SOC), false positives are particularly prevalent because of the sheer volume of alerts analysts must process. This raises the critical question of how to handle false positives without missing a genuine compromise or being bogged down by noise.

How are False Positive Security Alerts Handled in a SOC?

One approach to handling false positives is to conduct a thorough investigation each time an alert is triggered, so that no potential vulnerability or compromise is dismissed unexamined. Investigations can draw on several checks, such as checking the source IP address, computing and comparing file hashes, and scanning files through approved file-scanning services. 

Checking the IP address shows whether the source is an internal host, a known and expected external service, or an address flagged by threat intelligence; an internal source is not automatically benign, since lateral movement also originates inside the network. Computing a file's hash and comparing it with the vendor's published value or a threat-intelligence feed shows whether the file is the unmodified original, a known-malicious sample, or something that needs closer analysis. Scanning files through approved file-scanning services can further identify malicious content that may have triggered the alert. 
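The IP and hash checks just described, as an added triage example. This is not Ostra's tooling: the internal ranges, the blocklisted address, the two file samples and the alert itself are constructed for illustration, and the known-good and known-bad hash sets are derived from those constructed samples rather than taken from any real feed.

```python
"""Alert triage helpers: source-IP classification and file-hash comparison.

Added example, not code from the original page. All reference data below
is constructed; in practice the lists come from asset inventory, vendor
checksums and threat-intelligence feeds.
"""
import hashlib
import ipaddress

# Address space the organisation owns (assumption); anything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# An address a threat-intel feed has flagged (constructed, documentation range).
BLOCKLISTED_IPS = {"203.0.113.45"}

# Constructed file contents: one stands in for a vendor binary whose hash the
# vendor publishes, the other for a sample a feed marked malicious. The
# reference sets are computed from them so the example runs offline.
VENDOR_BINARY = b"constructed: bytes of a signed vendor installer"
FLAGGED_SAMPLE = b"constructed: bytes of a sample a feed marked malicious"
KNOWN_GOOD_SHA256 = {hashlib.sha256(VENDOR_BINARY).hexdigest()}
KNOWN_BAD_SHA256 = {hashlib.sha256(FLAGGED_SAMPLE).hexdigest()}


def sha256_hex(data: bytes) -> str:
    """Hash file bytes the same way the reference sets were built."""
    return hashlib.sha256(data).hexdigest()


def classify_ip(addr: str) -> str:
    """Return 'blocklisted', 'internal' or 'external'.

    'internal' narrows the investigation but does not clear the alert:
    lateral movement also comes from internal addresses.
    """
    ip = ipaddress.ip_address(addr)
    if addr in BLOCKLISTED_IPS:
        return "blocklisted"
    if ip.is_loopback or any(ip in net for net in INTERNAL_NETS):
        return "internal"
    return "external"


def classify_hash(digest: str) -> str:
    """Return 'known_bad', 'known_good' or 'unknown'.

    'known_good' only says the file is the unmodified vendor build; it does
    not say that running it in this context was legitimate.
    """
    digest = digest.lower()
    if digest in KNOWN_BAD_SHA256:
        return "known_bad"
    if digest in KNOWN_GOOD_SHA256:
        return "known_good"
    return "unknown"


def triage(alert: dict) -> dict:
    """Combine both checks into a disposition.

    needs_review stays True on every path: the checks prioritise the
    analyst's work, they do not replace the analyst or the second reviewer.
    """
    ip_verdict = classify_ip(alert["src_ip"])
    hash_verdict = classify_hash(sha256_hex(alert["file_bytes"]))
    if hash_verdict == "known_bad" or ip_verdict == "blocklisted":
        disposition = "escalate"
    elif hash_verdict == "known_good" and ip_verdict == "internal":
        disposition = "likely_false_positive"
    else:
        disposition = "investigate"
    return {"ip": ip_verdict, "hash": hash_verdict,
            "disposition": disposition, "needs_review": True}


if __name__ == "__main__":
    # Constructed alert: an internal workstation ran the unmodified vendor binary.
    print(triage({"src_ip": "10.20.30.40", "file_bytes": VENDOR_BINARY}))
```

The ordering matters: a blocklisted address wins over an internal match, and a known-bad hash wins over everything, so a single strong indicator escalates even when the other check looks harmless.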

Thorough investigations can be time-consuming and require additional resources, including a second analyst’s review to ensure that no oversights or gaps in the investigation occur. 

Assume the Worst Case.

Ignoring alerts on the assumption that they are all false positives decreases the effectiveness of security measures. A genuine intrusion dismissed as noise gives the attacker time to move laterally and reach sensitive information.  

It is therefore vital to remain vigilant and investigate each alert thoroughly, even one that is likely to be a false positive, so that possible vulnerabilities or compromises are not overlooked. 

Another issue with false positives is that they waste time and money. Analysts must spend time investigating alerts that ultimately turn out to be false, time they could have spent investigating genuine security threats. This is a significant issue in environments with many false positives. 

Can the SIEM be configured to generate fewer false positive alerts without missing genuine threats?   

In many cases the SIEM can be configured to reduce false positives without compromising security: tuning rule logic, raising thresholds to match the environment's normal activity, allowlisting known-good sources, and adjusting which data sources feed a rule. Each change should be replayed against historical data to confirm it removes the noise without also hiding the true positives the rule was written to catch. 

Here at Ostra, to address false positives, we follow a systematic approach that includes daily checks to ensure alert consistency. We use multiple checkers to confirm that data stays unchanged and to identify new information. This helps us stay updated and respond effectively.

We also implement policies to reduce unwanted noise, allowing us to focus on genuine threats. Learning from past experiences, we prevent previously validated alerts from reoccurring. This ongoing process of review and adjustment helps our team effectively manage false positives. 

One real-world example we’ve experienced at Ostra involves frequent alerts from a popular RDM application used by our clients. Rather than investigating each alert individually (which is very time-consuming and inefficient), our team implemented a policy in our SIEM and XDR systems to suppress these regular alerts. To ensure ongoing efficacy, we then verify monthly with the client that they’re still using the application and cross-check the alert parameters. This approach has saved time and allows for prioritizing more urgent alerts. 
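Two of the tuning techniques above, as an added example rather than Ostra's actual SIEM or XDR configuration: a threshold on a failed-login rule, set low and then raised, and a suppression policy for the remote-management application that carries the monthly verification as an expiry date. The authentication events, alerts and policy are constructed sample data, and "rdm.exe" is a placeholder process name, not the real application.

```python
"""Threshold tuning and suppression with a review date.

Added example, not code from the original page. Sample events, alerts and
the suppression policy are constructed for illustration.
"""
from collections import defaultdict
from datetime import date, datetime, timedelta

# Authentication events as (time, source IP, outcome). The first source is a
# service account that retries three times after each credential rotation;
# the second is a password-spraying burst: twelve failures in one minute.
AUTH_EVENTS = (
    [(datetime(2024, 1, 10, 9, 0, s), "10.0.0.5", "fail") for s in (0, 20, 40)]
    + [(datetime(2024, 1, 10, 9, 1, s), "198.51.100.7", "fail") for s in range(0, 60, 5)]
)

# Alerts as a SIEM might emit them. "rdm.exe" is a placeholder process name
# for the client-approved remote-management application, not a real binary.
ALERTS = [
    {"rule": "remote-tool-launch", "host": "ws-12", "process": "rdm.exe"},
    {"rule": "remote-tool-launch", "host": "ws-12", "process": "unknown-tool.exe"},
    {"rule": "failed-login-burst", "host": "dc-01", "process": None},
]

# The monthly check with the client becomes a verified_until date: the
# suppression is honoured only while that confirmation is current.
SUPPRESSIONS = [
    {"rule": "remote-tool-launch", "match": {"process": "rdm.exe"},
     "reason": "client confirmed use of remote-management app",
     "verified_until": date(2024, 2, 10)},
]

# Two constructed "today" values: one inside the verified window, one past it.
ON_TIME = date(2024, 1, 15)
OVERDUE = date(2024, 3, 1)


def failed_login_bursts(events, threshold, window=timedelta(minutes=5)):
    """Sources with at least `threshold` failures inside any sliding window.

    The threshold is the tunable: at 3 the service account's normal retries
    fire after every rotation; at 10 only the spray is flagged, and the spray
    is caught at either setting, which is the check tuning must pass.
    """
    by_src = defaultdict(list)
    for ts, src, outcome in events:
        if outcome == "fail":
            by_src[src].append(ts)
    flagged = set()
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return flagged


def apply_suppressions(alerts, policies, today):
    """Drop alerts matched by an active policy; return (kept, suppressed, stale).

    A policy past its review date stops suppressing and is reported as stale,
    so a tool the client stopped using cannot keep hiding a look-alike
    process until someone happens to notice.
    """
    active = [p for p in policies if p["verified_until"] >= today]
    stale = [p for p in policies if p["verified_until"] < today]
    kept, suppressed = [], []
    for alert in alerts:
        matched = any(
            p["rule"] == alert["rule"]
            and all(alert.get(k) == v for k, v in p["match"].items())
            for p in active
        )
        (suppressed if matched else kept).append(alert)
    return kept, suppressed, stale


if __name__ == "__main__":
    print("threshold 3 :", failed_login_bursts(AUTH_EVENTS, 3))   # both sources
    print("threshold 10:", failed_login_bursts(AUTH_EVENTS, 10))  # spray only
    for today in (ON_TIME, OVERDUE):
        kept, sup, stale = apply_suppressions(ALERTS, SUPPRESSIONS, today)
        print(today, len(kept), "kept,", len(sup), "suppressed,", len(stale), "stale")
```

The suppression matches on the rule plus specific fields, never on the rule alone, so the unknown tool launching on the same host still reaches an analyst; and once the review date lapses the suppressed alerts reappear and the stale policy is listed for re-verification with the client.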

To reduce the number of false positives and improve overall security in the SOC environment, it is crucial to remain vigilant, conduct thorough investigations, and utilize multiple investigative techniques. It is also essential to balance the need to investigate thoroughly with the need to avoid being bogged down by an excess of false positives. 

The Bottom Line.

False positives in security alerts are a significant issue for security professionals that can consume valuable time and resources while decreasing the effectiveness of security measures. Partnering with a trusted cybersecurity partner like Ostra can provide much-needed relief and cutting-edge expertise to your stretched IT operations teams.

Contact us to learn more about what it means to be powered by Ostra Cybersecurity.