A practical way to rule out false positives

By Dean Teffer


Alert fatigue and staffing shortfalls have been two of the most commonly cited issues facing security team managers and members for many years. An increasingly large ecosystem of products has made little dent in this situation.

In fact, installing more monitoring products generally yields more alerts for review. Jamming all the alerts into a security information and event management (SIEM) system can make life more convenient for the operator and hunter, but doing so does not necessarily enable more efficient hunting or querying across all these sources.

According to IDC, countries in ASEAN are experiencing robust growth in cloud adoption, as organisations turn to cloud services to support remote working and a distributed workforce.

With infrastructure as a service (IaaS) in ASEAN projected to grow at a 19.8% compound annual growth rate (CAGR) between 2020 and 2024, the volume of cloud-native data will increase significantly, and this situation will only become more acute.

Specifically, in Malaysia, the National Cyber Security Agency launched the Malaysia Cyber Security Strategy 2020 – 2024 to improve the country’s cyber security management and create a secure, trusted and resilient cyberspace through closer cross-industry cooperation.

What we have to be mindful of is that machine learning and algorithmic threat detection still yield false positives – why is this so?

After all, we experience high-quality algorithmic results every day using natural language processing and image processing. Why not threat detection?

There are two primary reasons false positives remain a thorn in the side of most SOC analysts:

  1. Actual threat events are very rare: This might be a shocking statement to make at a time when thousands of organizations in the public and private sectors are in incident response mode against the SolarWinds attack. But in ordinary times it means that a detector that always yields a “no threat” label would be accurate almost all the time. To turn up the gain on the detector, so to speak, and make sure we do not miss any potential threat event, we necessarily mislabel some benign events as “threat”.
  2. An apple is not always an apple in security: Even if we do tune well for both detecting all actual threat events (recall) and minimizing false detections (precision), an apple is not always an apple in security, unlike in image or text recognition. Outside the narrow scope of signature-based detection, behavioural anomalies and threat signals are manifest in real-world networks in a myriad of ways, which frequently vary with the specific configuration of infrastructure, IT policy, and user conventions.

A practical way to reduce false positives

Fortunately, there is an activity that is both essential to threat hunting and directly in support of false-positive reduction: identifying corroborating evidence. This is, in fact, one of the primary activities of the threat hunter and security operations center (SOC) operator.

However, an alert that fires on a network log, indexed by IP address, is difficult to correlate to information in the Active Directory log, let alone the Amazon Web Services (AWS) security log.

This is why it takes so long, and why the activity requires so much expertise, which, as already mentioned, is difficult to recruit.

What if all data were tagged on ingest with a device or user ID, regardless of data source, and any information across the ecosystem related to entity association (user authorization, device registration, etc.) were tracked and recorded, so that all events detected on a device or associated with a user could be not just searched but also automatically combined?

This would, in fact, be the set of corroborating evidence a threat hunter is trying to assemble.

Such a set of events could also feed a model-driven Bayesian estimate of the conditional probability that not just one event but a whole sequence of events, comprising, say, three distinct MITRE ATT&CK stages, has been detected within the past two days.

Such a likelihood function would yield a more robust and mathematically defensible measure of severity and confidence.
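The two ideas above, the base-rate arithmetic from point 1 of the numbered list and the entity-tagged corroboration feeding a Bayesian sequence likelihood, in working code. This is an added example, not IronNet's code or the author's implementation: the detector rates, the base rate, the entity-association tables (DHCP lease, device owner, IAM mapping) and the sample events are all constructed, and both the naive-Bayes independence assumption and the rule of scoring only distinct ATT&CK tactics are assumptions of this example.

```python
"""Base-rate arithmetic and entity-keyed corroboration of alerts (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import exp, log
from typing import Optional


@dataclass(frozen=True)
class Detector:
    name: str
    tactic: str  # ATT&CK tactic the detector maps to (assumed mapping)
    tpr: float   # recall: P(alert | threat)
    fpr: float   # false-alarm rate: P(alert | no threat)


# Assumed rates for illustration; real values come from tuning and validation.
DETECTORS = {
    "c2_beacon": Detector("c2_beacon", "command-and-control", 0.99, 0.01),
    "kerberoast": Detector("kerberoast", "credential-access", 0.95, 0.02),
    "s3_mass_read": Detector("s3_mass_read", "collection", 0.90, 0.05),
}


def precision(prior: float, det: Detector) -> float:
    """P(threat | one alert) by Bayes' rule. With rare threats the
    false-positive term (1 - prior) * fpr dominates, so precision is low
    even for a detector with 99% recall."""
    tp = prior * det.tpr
    fp = (1.0 - prior) * det.fpr
    return tp / (tp + fp)


def posterior(prior: float, fired: list) -> float:
    """Posterior P(threat) after several alerts on the same entity.
    Naive-Bayes assumption: alerts are conditionally independent given the
    threat state, so each multiplies the odds by its likelihood ratio tpr/fpr.
    Worked in log space so long chains do not underflow."""
    log_odds = log(prior / (1.0 - prior))
    for det in fired:
        log_odds += log(det.tpr / det.fpr)
    return 1.0 / (1.0 + exp(-log_odds))


# Constructed entity-association records of the kind the article says should
# be tracked: DHCP lease (IP -> device), device registration (device -> user),
# and IAM account mapping (cloud principal -> user).
DHCP_LEASES = {"10.0.0.5": "WS-0042"}
DEVICE_OWNER = {"WS-0042": "alice"}
IAM_TO_USER = {"alice-dev": "alice"}


def user_for(event: dict) -> Optional[str]:
    """Tag an event from any source with a user id at ingest time."""
    if "user" in event:          # Active Directory: already user-keyed
        return event["user"]
    if "iam_user" in event:      # AWS: IAM principal -> user
        return IAM_TO_USER.get(event["iam_user"])
    if "src_ip" in event:        # network: IP -> device -> user
        return DEVICE_OWNER.get(DHCP_LEASES.get(event["src_ip"], ""))
    return None


def corroborate(events: list, prior: float, window_hours: int = 48) -> dict:
    """Group tagged alerts per user, keep those within the window ending at
    that user's latest alert, and score on distinct tactics only, so a noisy
    detector firing repeatedly cannot inflate the posterior by itself."""
    by_user = defaultdict(list)
    for ev in events:
        uid = user_for(ev)
        if uid:
            by_user[uid].append(ev)
    scores = {}
    for uid, evs in by_user.items():
        latest = max(ev["ts"] for ev in evs)
        window = timedelta(hours=window_hours)
        tactics = {}
        for ev in evs:
            if latest - ev["ts"] <= window:
                det = DETECTORS[ev["detector"]]
                tactics.setdefault(det.tactic, det)
        scores[uid] = {
            "tactics": sorted(tactics),
            "posterior": posterior(prior, list(tactics.values())),
        }
    return scores


# Constructed sample events from three sources, each keyed a different way.
T0 = datetime(2021, 3, 9, 8, 0)
SAMPLE_EVENTS = [
    {"src_ip": "10.0.0.5", "detector": "c2_beacon", "ts": T0},
    {"user": "alice", "detector": "kerberoast", "ts": T0 + timedelta(hours=5)},
    {"iam_user": "alice-dev", "detector": "s3_mass_read", "ts": T0 + timedelta(hours=30)},
    {"user": "bob", "detector": "kerberoast", "ts": T0 + timedelta(hours=2)},
    {"user": "bob", "detector": "kerberoast", "ts": T0 + timedelta(hours=3)},
]

if __name__ == "__main__":
    base_rate = 0.001  # assumed: one entity in a thousand is actually under attack
    print("precision of a lone c2_beacon alert:", round(precision(base_rate, DETECTORS["c2_beacon"]), 3))
    for uid, s in corroborate(SAMPLE_EVENTS, base_rate).items():
        print(uid, s["tactics"], round(s["posterior"], 4))
```

With these assumed numbers, a lone alert from a detector with 99% recall and a 1% false-alarm rate has roughly 9% precision, which is the base-rate problem in point 1. Three alerts on the same user spanning three tactics within the window push the posterior above 98%, while bob's repeated single-tactic alerts stay near 5%, because the distinct-tactics rule stops one chatty detector from corroborating itself. The independence assumption is the weak point in practice: detectors that share an input, or fire on the same underlying action, need a joint model or a de-duplication step before their likelihood ratios can be multiplied.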

Correlating detected network threats

The correlation of detection analytics is one thing. Behavioural analytics enriched by human insights is another. Combining the two gets us closer and closer to minimizing false positives and reducing the margin of error.

Correlation across SOC analyst teams in a Collective Defence ecosystem drives home the difference between crying wolf and an urgent and real need to batten down the hatches against the real wolves lurking in the network.

March 11, 2021


Dean Teffer is IronNet’s vice president of Detection & Prioritization.

The views expressed are solely of the author and do not necessarily reflect those of Focus Malaysia.


Photo credit: Lets Nurture
