Cygilant Blog

One of the Biggest Headaches In Cybersecurity: False Positives

Posted by Shawn O'Brien on Mar 23, 2016



False positives. Those pesky notifications that make you panic at first, but then, after some investigation, turn out to be nothing at all. This may seem like a minor inconvenience, but imagine dealing with it multiple times a day with no efficient way to remove this kind of noise from your reports! A false positive is any normal or expected behavior that a detection system flags as anomalous or malicious. An article from Symantec offers several common examples of what causes false positives:

  • Reactionary Traffic alarms: Traffic that is caused by another network event, often non-malicious. An example of this would be a network-based intrusion detection system (NIDS) device triggering an Internet control message protocol (ICMP) flood alarm, when it is really several destination-unreachable packets caused by equipment failure somewhere in the Internet cloud.
  • Equipment-related alarms: Attack alerts that are triggered by odd, unrecognized packets generated by certain network equipment. Load balancers often trigger these types of alarms.
  • Protocol Violations: Alerts that are caused by unrecognized network traffic, often by poorly or oddly written client software.
  • True False Positives: Alarms that are generated by an intrusion detection system (IDS) for no apparent reason. These are often caused by IDS software bugs.
  • Non Malicious alarms: Generated through some real occurrence that is non-malicious in nature.


While false positives may not seem like a big problem, the truth is that they are a major one. The main downside is that the sheer volume of these alerts can easily drown out legitimate IDS alerts. A single rule that fires on benign traffic can generate thousands of alerts, each of which has to be investigated as a potential threat, and that investigation takes time away from identifying real threats. More often than not, the rules behind these repeated false positives end up being habitually ignored or disabled over time. In doing so, the organization is now effectively blind to the attack the problematic rule was looking for. If an attacker were to discover this gap, they could move through the company's network undetected until it was too late.


Unfortunately, false positives will never disappear entirely, but how many you see depends heavily on the skill of the person writing the signatures or check logic: a well-written rule narrows its match to the behavior it actually cares about and excludes the known benign sources, rather than being switched off wholesale. So what is the best route to take in order to avoid the detrimental effects of false positives? The answer is a combination of security monitoring and vulnerability management services. And that is where Cygilant can help mitigate these challenges for you.
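To make the tuning point concrete, here is an added example (not code from the Cygilant post or from Symantec) of a toy ICMP-flood rule run over constructed sample events. It shows the three situations the Symantec list describes: a genuine echo-request flood, a burst of destination-unreachable packets from a failing upstream router (reactionary traffic), and a known load balancer health-checking with pings (equipment-related). The naive rule fires on all three; the tuned rule matches only echo requests and excludes known infrastructure; "just disable it" catches nothing. The event format, addresses, threshold and the allow-list are all assumptions made for the illustration.

```python
# Added example: three ways to handle a noisy ICMP-flood rule.
# Everything below (log format, addresses, threshold, allow-list) is constructed.
from collections import Counter
from typing import Iterable, Set, Tuple

Event = Tuple[int, str, int, int]  # (timestamp_seconds, src_ip, icmp_type, icmp_code)

# Constructed sample events. ICMP type 8 = echo request, type 3 = destination unreachable.
EVENTS = [
    # A real ping flood: 120 echo requests from one source in one second.
    *[(100, "203.0.113.9", 8, 0) for _ in range(120)],
    # Reactionary traffic: destination-unreachable packets from an upstream
    # router after an equipment failure. Not an attack, but very noisy.
    *[(100, "198.51.100.1", 3, 1) for _ in range(150)],
    # Equipment-related: our own load balancer health-checking with pings.
    *[(100, "10.0.0.5", 8, 0) for _ in range(110)],
    # Background: a handful of ordinary pings well under the threshold.
    *[(100, "192.0.2.7", 8, 0) for _ in range(3)],
]

THRESHOLD = 100            # ICMP packets per source per one-second window
KNOWN_INFRA = {"10.0.0.5"}  # constructed allow-list of our own load balancers


def _sources_over_threshold(events: Iterable[Event]) -> Set[str]:
    """Return sources that exceed THRESHOLD packets in any one-second window."""
    counts = Counter((ts, src) for ts, src, _, _ in events)
    return {src for (_, src), n in counts.items() if n > THRESHOLD}


def naive_icmp_flood(events: Iterable[Event]) -> Set[str]:
    """The original, noisy rule: any source sending > THRESHOLD ICMP packets/second.

    It cannot tell a flood from a burst of unreachable replies or a health check,
    so it produces two false positives for every true positive here.
    """
    return _sources_over_threshold(events)


def tuned_icmp_flood(events: Iterable[Event], known_infra: Set[str] = KNOWN_INFRA) -> Set[str]:
    """The tuned rule: count only echo requests (type 8) and skip known infrastructure.

    The attack is still detected; the reactionary traffic and the load balancer
    no longer page anyone.
    """
    relevant = [e for e in events if e[2] == 8 and e[1] not in known_infra]
    return _sources_over_threshold(relevant)


def disabled_icmp_flood(events: Iterable[Event]) -> Set[str]:
    """What 'just disable the noisy rule' buys you: the real flood goes unseen."""
    return set()


def compare_rules(events: Iterable[Event]) -> dict:
    """Run all three variants so the trade-off is visible side by side."""
    events = list(events)
    return {
        "naive": naive_icmp_flood(events),
        "tuned": tuned_icmp_flood(events),
        "disabled": disabled_icmp_flood(events),
    }


if __name__ == "__main__":
    for name, hits in compare_rules(EVENTS).items():
        print(f"{name:9s} -> {sorted(hits)}")
```

The point of the tuned variant is that the fix lives in the rule's match conditions, not in an analyst's habit of closing tickets: the allow-list and the type filter are reviewable, and the rule keeps firing on the behavior it was written to catch.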

SOCVue Security Monitoring Service

SIEM and log management are the baseline of any cybersecurity program. Still, who has time to sift through hundreds or sometimes even thousands of activity logs showing the same event data each day, including those pesky false positives? Cygilant's SOC Team does! In today's growing threat landscape, you need a security monitoring service that can establish a baseline of your normal network behavior, detect deviations from it, and separate genuinely abnormal activity from false positives. Our SOCVue Security Monitoring service provides 24x7x365 security monitoring that translates your network activity into daily and monthly security reports offering a deeper view into your network. In doing so, it removes the noise of challenges such as false positives so you can see exactly what is going on in your network. After all, what you can see can't hurt you!

SOCVue Vulnerability Management Service

Having an effective security monitoring service is good, and combining it with a vulnerability management service makes your network even stronger. The reality of cybersecurity is that there is no network out there without at least a few weak links. And if your security analyst is ignoring or disabling alerts for rules that cause repeated false positives, regular vulnerability scans of your network give you a second way to find the exposures those rules were meant to cover. Cygilant's SOC Team does this as well! You need a leading vulnerability scanning service to ensure that scans are comprehensive and that the vulnerability database is kept current with the latest disclosed vulnerabilities (no scanner can check for a flaw nobody has published yet). Our SOCVue Vulnerability Management service uses best-of-breed technology from Qualys to provide regular scanning of critical IT systems for known vulnerabilities and then prioritizes those vulnerabilities based on your unique business, compliance, and security needs. Once you remove the noise caused by false positives, you can find the vulnerabilities that may have been hiding in plain sight.


More and more, organizations that were previously understaffed, underbudgeted, and overwhelmed are finding that Cygilant's security as a service, which combines the best people, process, and technology, is a welcome change from going it alone. Cygilant is transforming how mid-market organizations build enterprise-class security programs. Acting as an extension of our customers' IT teams, Cygilant's SOCVue provides continuous security operations based on best-of-breed technology at a fraction of the cost of alternative solutions. Cygilant is a trusted advisor to organizations that need to improve their IT security and compliance posture by protecting their infrastructure against cyber threats and vulnerabilities. To learn more, please request a demo today!




Tags: Cybersecurity, InfoSec, Cyber Threat, IT Security, False Positives
