Reducing IDS False Positives

There are situations in which too much information is a genuine problem. For security professionals utilizing intrusion detection systems (IDS), the excess of information comes from alerts generated by anomalous but acceptable behavior, or alerts that may be of concern but lack sufficient context to warrant immediate action.

The problem is more than an annoyance. Alert fatigue and even burnout are very real concerns in an industry where talent is already stretched thin and often overworked. Responding to false positives can also lead to disruptions of normal business activity and pull analysts away from more immediate problems. When the reality of cyber attacks that evade detection is factored in (especially “false negatives”), the need for more efficient and smarter alerting systems is evident.

Make no mistake: IDS alerts—or alerts generated by other security tools, such as network detection systems (NDR), are essential to a strong cyber defense. But as networks and security stacks become more complex, analysts will depend on a combination of tactics and smarter tools to reduce alert system noise while zeroing in on true positives and real threats faster.

What is a false positive, and how does it occur?

Intrusion detection systems monitor the network, a device operating system, cloud environments, protocols, or a hybrid system. It may search for known attack signatures (signature-based detection) or patterns that suggest anomalous, or malicious, activity (anomaly-based detection).

When the system detects suspicious behavior or signatures, it is the initial step in an incident response cycle. It’s up to the security team to investigate the incident and, if it represents a legitimate threat, take steps to remediate and recover from any damage.

As traffic increases and networks become more complex, the number of generated alerts correspondingly increases. The average security operations center (SOC) receives around 10,000 alerts per day. But in many cases, the alert is a response to non-threatening, legitimate behavior. A user with access to proprietary files who forgets a password, and makes multiple attempts to enter it, might be mistaken for a brute-forcing attempt. The behavior is benign, but anomalous, so it’s likely to generate an alert.

How false positives increase cyber risk

The most serious threats presented by false positives occur when security teams feel overwhelmed and unable to distinguish between likely harmless alerts and those that require investigation, either because they are evidence of malicious activity or misconfigurations that impact network performance.

When there is an active threat, timing is everything. Even experienced responders need sufficient context from the outset to distinguish critical alarms from noise. They depend on methods that generate context that can make false positives easier to anticipate and detect.

True or false in IDS: Definitions


True positive:	When a genuine attack in the system produces an alert, giving security teams a signal to act in an urgent situation.
True negative:	The absence of alerts when only acceptable behavior is occurring, leaving security teams alone to focus on other issues.
False positive:	Any situation in which acceptable usage or behavior in a network or device generates an alert, potentially diverting security teams from necessary tasks and wasting their time.
False negative:	When an IDS or other security tools interpret malicious activity as normal or acceptable, and allows a bad actor to continue operating.

How can security teams keep the focus on true positives and true negatives?

An excess of false positives is an indication that a security team’s resources are being stretched thin, and that the overall security posture of the organization is not where it should be. Fortunately, there are actions that can be taken that will help streamline alerting systems and make IDS and other security tools more efficient:

Regularly adjust and aggregate IDS rules. Threat hunting and detection is an iterative process. As security teams learn more about how their systems normally operate, adjustments can be made, and meta rules can be written that can help with pattern recognition. Additionally, scans can be correlated so that security teams may infer that alerts that initially seem to be unrelated may be indicative of escalating malicious activity. Above all, security teams need to make sure they aren’t relying on default rules that have no useful application to the systems they monitor.
Regularly tune IDS alert features. When it comes to detections, a larger number of them does not necessarily translate to more value. Security teams should carefully consider whether every detection capability should be enabled, and should schedule regular tunings of the system to hedge against the possibility of alert fatigue and advantage shifting to the adversaries.
Maintain and update IDS databases. Not only can updates contain patches, bug fixes and new features, they also can include new attack signatures and intelligence from the security community at large. Teams that deploy open-source tools, such as Corelight’s Open NDR Platform, are particularly well-positioned to benefit from a regular, community-driven update approach. Regular updates can also help security teams assess whether IDS controls are still aligned with the enterprise’s requirements and policies.
Reduce background noise. As with most work streams, a security team’s success often depends on prioritization. In complex systems, IDS reporting must do some of the filtering out alerts that come from monitoring normal web traffic and issues that do not require immediate attention. IDS controls should help bolster a team’s confidence that alerts of potential consequence are rising above the noise.
Streamline network configurations.The more there is to monitor, the more likely it is that algorithms or people will detect anomalous behavior and generate alerts. Whatever simplifications you can apply (e.g., removing subnets or unneeded firewalls) will reduce the total number of alerts and the likelihood of alert fatigue.
Undertake analysis. IDS logs can help make sense of past behavior. If a security team has been inundated with false positives, they can review and analyze logs for evidence of false alarm patterns, and adjust controls accordingly.

Bring true positives into focus with Corelight

Given their critical function and the demands on their time, security teams need to leverage tools that will help expedite alert response and provide valuable evidence and context that can help identify false positives quickly. Wherever possible they should try to leverage the value of open-source tools for asset discovery and alert rule settings.

Corelight’s Open NDR Platform fuses signature-based IDS alerts from Suricata with Zeek^® network evidence to provide security teams with essential context and community-driven attack data, and formats all metadata and extracted files for input into any security information and event management (SIEM), extended detection and response (XDR), or Investigator—Corelight’s Open NDR SaaS analytics solution. The packaged alert and pertinent network evidence includes a unique key that makes it easy for analysts to find related data via basic queries.

With this tool configuration, any fired alert is packaged with all pertinent network evidence, providing essential context within acceptable response parameters while also providing correlation to improve future analysis. Correlated alerts can be fed into machine learning models that can help reduce the number of false positives and also identify new threat patterns.