
Section 6.1 False Positives / Negatives

To help combat security breaches, many different vendors offer security solutions. These may be hardware or software designed to help mitigate a security threat. Security solutions may be created in-house, created custom by a third party, or outsourced and offered as a service. When evaluating solutions, it is important to have a plan and understand the features and possible pitfalls of that product.
When a security solution detects a threat but no threat exists, that is a false positive. Depending on the complexity of the solution, it may use a set of rules, indicators of compromise, or possibly even artificial intelligence to trigger its warning system. A solution that creates a lot of false positives makes it tiring for a team to go through each alert. Eventually teams are conditioned to ignore the alerts, making the security solution useless.
The key to lowering the false positive rate of a system is to better tune the rule set used to trigger the warnings. A security team may spend time determining a baseline of events and looking for abnormalities that correspond to actual attacks. This information can then be used to build a better detection system.

Example 6.1.1. Webroot Antivirus.

In 2017 a popular antivirus service created a bad rule that identified certain Windows operating system files as threats. [1]
The antivirus solution quarantined these files, which were critical for the operation of the machine. The result was a machine that was unusable.
For 13 minutes, Webroot distributed this rule to its antivirus software shutting down operations on an untold number of machines. Fortunately Webroot was able to quickly identify the problem and send out an update which would have allowed the machines to automatically fix the problem. Unfortunately their infrastructure for distributing the update quickly became overloaded.
[1] www.nbcnews.com/tech/tech-news/popular-antivirus-program-mistakenly-ids-windows-threat-creating-chaos-n750521
When a security solution fails to identify a threat, this is known as a false negative. While no solution can ever be 100% effective, false negatives can undermine confidence in a product. False negatives may be caught by a skilled SOC team closely monitoring what is happening. It is also possible to address false negatives through Layered Security, a concept that we will cover next.
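The tuning described above (baselining normal events instead of using one fixed threshold) and the false negatives that remain afterwards can be measured directly. The following is an added example, not part of the original text: it scores a naive failed-login rule and a baseline-tuned rule against a small constructed, hand-labelled week of events and counts true/false positives and negatives for each. The host names, counts and labels are all constructed.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class HostDay:
    host: str            # hostname; the prefix ("ws", "batch") is the host class
    failed_logins: int   # failed logins seen for that host in one day
    is_attack: bool      # ground truth from incident review (constructed label)

# Constructed sample week. Batch hosts run service accounts that routinely
# rack up dozens of benign failures; workstations normally see only a few.
EVENTS = [
    HostDay("ws-01", 2, False), HostDay("ws-02", 0, False), HostDay("ws-03", 4, False),
    HostDay("batch-01", 40, False), HostDay("batch-02", 55, False),
    HostDay("batch-03", 48, False),
    HostDay("ws-04", 120, True),     # password spray against a workstation
    HostDay("batch-04", 310, True),  # brute force against a batch host
    HostDay("ws-05", 5, True),       # low-and-slow guessing that hides in normal noise
]

def host_class(event):
    return event.host.split("-")[0]

def fixed_threshold_rule(threshold=10):
    """Naive rule: alert whenever daily failed logins exceed one fixed number."""
    return lambda e: e.failed_logins > threshold

def baseline_rule(history, sigmas=3.0):
    """Tuned rule: learn a per-host-class baseline from reviewed benign history
    and alert only on counts more than `sigmas` standard deviations above it."""
    limits = {}
    for cls in {host_class(e) for e in history}:
        counts = [e.failed_logins for e in history if host_class(e) == cls]
        limits[cls] = mean(counts) + sigmas * pstdev(counts)
    # A host class with no baseline alerts on any failure at all (fail closed).
    return lambda e: e.failed_logins > limits.get(host_class(e), 0)

def evaluate(rule, events):
    """Confusion matrix for a rule: true/false positives and negatives."""
    result = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for e in events:
        alerted = rule(e)
        key = ("tp" if e.is_attack else "fp") if alerted else ("fn" if e.is_attack else "tn")
        result[key] += 1
    return result

if __name__ == "__main__":
    benign_history = [e for e in EVENTS if not e.is_attack]
    print("fixed threshold:", evaluate(fixed_threshold_rule(), EVENTS))
    print("baseline rule:  ", evaluate(baseline_rule(benign_history), EVENTS))
```

The fixed threshold raises three false positives on the batch hosts, which the baseline rule removes without losing either obvious attack; the low-and-slow case stays a false negative under both rules, which is the gap a SOC analyst or an additional layer of defence has to cover.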