Positives and negatives of security false flags

Wrongly identifying something as a security threat – or not – leads to reduced efficiencies, security team fatigue and unaddressed vulnerabilities in your system.

Johannesburg, 09 Nov 2023
Joshua Gardner, Operations Director, Iconis.

In today’s digital world, security is of paramount importance, and protecting your network properly means building and maintaining an effective cyber security monitoring programme: one that keeps both false positives and false negatives to a minimum when it analyses potentially malicious traffic.

According to Joshua Gardner, Operations Director for Iconis, false negatives are the overlooked threats, potentially leaving vulnerabilities unaddressed and risking security breaches, reputational damage and compliance violations. Meanwhile, false positives generate unnecessary alerts, leading to fatigue, decreased operational efficiency and strained incident response teams.

“The challenge with false positives is that if you flag something wrongly, or classify it as malicious when it is not, you can overburden your security team. Worse still is a false negative, where something that may be malicious is flagged as fine. This can lead to critical data loss, which may severely impact the business in a multitude of ways,” he says.

“It can also lead to increased dwell time for the malicious code within your system. Once flagged as fine, such code may stay dormant in the background of your system for a long time. It uses this access to learn more about your back-end environment, leveraging what it learns to expand its foothold and move laterally across the business environment, entrenching itself deeper into your system.”

Ultimately, notes Gardner, if your system is missing threats and classifying them wrongly, it means that your intelligence gathering is not reliable. Such failures reduce trust in your company’s security monitoring system and can even lead to regulatory and legal compliance issues.

“It is a similar case with false positives, although in such instances it most likely leads to alert fatigue – remember that when fatigue sets in, it becomes easier to miss a genuine malicious attack. The biggest threat from false positives is that they create doubt in the security monitoring environment, while also wasting critical time and resources.

“The key to avoiding this lies in the fact that when the systems that provide security monitoring are deployed, it is imperative to clearly understand what you are trying to achieve. Remember that the system must be able to properly understand your environment before it can start to classify threats, or fine-tune and customise your environment.”

He suggests that businesses create a baseline and analyse data on security events as these occur. They should also tighten up the company’s security rules and policies, and consider taking advantage of machine learning and artificial intelligence (AI) to better classify these alerts. Ultimately, any threat monitoring system needs regular updates, in order to be aware of what is new, to identify the latest patterns of attack and, through this, to reduce false positives and negatives.
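The baseline-and-tune approach described above can be shown concretely. The following is an added illustration, not code from Iconis or from the article, and every number in it is constructed for the example: a per-host traffic baseline is turned into a z-score alert, the alert is scored against assumed ground truth, and the same detector is run at several thresholds. It also adds one assumed tuning rule (suppressing a documented backup window) to show how knowledge of the environment removes false positives without creating false negatives, which a bare threshold cannot do here.

```python
"""Baseline-and-threshold alerting with an explicit false-positive /
false-negative trade-off.  Added illustration; not code from Iconis or the
article.  Every data point below is constructed for the example."""
from statistics import mean, pstdev

# Constructed baseline: eight days of outbound traffic (MB) for one host.
BASELINE_MB = [100, 120, 120, 100, 100, 120, 100, 120]

# Constructed observation window: (day, outbound MB, truly malicious?).
OBSERVED = [
    (1, 118, False),
    (2, 160, False),  # benign spike: scheduled backup
    (3, 155, True),   # slow exfiltration starts, hiding below the backup level
    (4, 112, False),
    (5, 240, True),   # bulk exfiltration
    (6, 150, False),  # benign spike: software update
    (7, 125, False),
]


def build_baseline(samples):
    """Return (mean, population standard deviation) for the baseline period."""
    return mean(samples), pstdev(samples)


def z_score(value, mu, sigma):
    """How many baseline standard deviations a value sits above the mean."""
    return (value - mu) / sigma


def evaluate(z_threshold, known_benign_days=frozenset()):
    """Alert when z > z_threshold, unless the day falls in a documented
    maintenance window (an assumed tuning rule), then score the alerts
    against ground truth as tp / fp / fn / tn plus precision and recall."""
    mu, sigma = build_baseline(BASELINE_MB)
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for day, mb, malicious in OBSERVED:
        alerted = z_score(mb, mu, sigma) > z_threshold and day not in known_benign_days
        if alerted and malicious:
            counts["tp"] += 1
        elif alerted:
            counts["fp"] += 1
        elif malicious:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    alerts = counts["tp"] + counts["fp"]
    positives = counts["tp"] + counts["fn"]
    counts["precision"] = counts["tp"] / alerts if alerts else 0.0
    counts["recall"] = counts["tp"] / positives if positives else 0.0
    return counts


if __name__ == "__main__":
    # Tightening the threshold trades false positives for false negatives.
    for thr in (3.0, 4.7, 6.0):
        print(f"alert when z > {thr}: {evaluate(thr)}")
    # Knowing the backup window lets a looser threshold catch both attacks
    # without alerting on the benign spike.
    print("z > 4.0 with backup window suppressed:", evaluate(4.0, {2}))
```

At z > 3 the detector catches both exfiltration days but also alerts on the backup and the update; at z > 6 it is quiet but misses the slow exfiltration, which sits below the benign backup spike. No threshold separates them, which is the point of Gardner’s remark that the system must understand the environment before it classifies: once the backup window is documented, a threshold of 4 yields no false positives and no false negatives on this data.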

“One thing that remains crucial is your people. There needs to be a focus across the board on awareness and training, to ensure teams can understand the behaviours and patterns they come across in day-to-day work,” adds Gardner.

“We believe you need access to a platform that offers monitoring and visibility throughout your environment. You need to be able to understand your critical assets, and what potential compliance and regulatory issues they face. Once you clearly understand what high risk is, you will be better able to classify false positives and negatives, and more easily remediate threats.”

The key, he continues, is to benchmark against other organisations in the industry, to implement established best practices and to focus on reducing your attack surface. Remember that the fewer points that are vulnerable, the harder it is for bad actors to break in.

Another issue is regulatory and legal compliance, which is becoming increasingly vital in order to avoid the penalties for non-compliance that regulators around the world are handing out.

“I would say the first step is for companies to genuinely understand what their business goals are. Based on this, they can then craft policies and procedures, and create a platform to ensure these are adhered to.

“Perhaps the simplest advice is to choose a trusted advisor that can assist you with a proper gap analysis – so you understand where you stand currently – and can then help to apply the most appropriate framework for your business and industry. Such an advisor will not only understand threats more clearly, but will help you adapt your policies and eliminate existing problems, thereby ensuring your organisation’s improved compliance health,” he concludes.