When is a False Positive Not a False Positive in Cybersecurity?

The phrase “false positive” has become so ubiquitous in information security that we rarely stop to consider what it means or how it is used. Many use the term for every alert a tool generates that, once investigated, does not lead to the discovery of a real infection. Treating every alert raised on trivial information as a false positive overstates the intended function of the tool and may give the user the impression that it has capabilities it does not. It is worth drawing a distinction: call this kind of notification a “trivial alert,” and reserve “false positive” for correlated, contextualized, evidence-supported positive identifications of active infections that turn out to be false. Taking the time to establish clear definitions leads to a better understanding of what security tools can do and ultimately improves information security.

What do we call a false positive?

Users of security tools often expect those tools to provide the one alert that leads them to a real infection in their network. However, these tools are usually deployed at a point in the network from which they cannot definitively confirm an infection. Instead, they alert on everything that might be a marker of infection, to avoid missing the one indicator that does point to one. The result is security analysts flooded with hundreds of thousands, or even millions, of alerts per day, none of which provides enough information on its own.

What’s the harm in not having a clear definition of a false positive?

Users of such security tools often refer to these trivial alerts as false positives. To match that vernacular, vendors of those tools may also call them false positives. Unfortunately, saying a product has false positives implies that the product can verify an infection, which is outside the scope of most of these solutions. A more accurate definition of what constitutes a false positive gives users a clearer method for evaluating whether a tool is suitable for their environment.

What is a false positive?

The phrase “false positive” implies a positive identification that was later proven false. The individual pieces of evidence described above, without context or correlation, are never actionable on their own, so alerts on them are better termed trivial alerts. A true positive alert must be serious enough to get the analyst out of their chair. A false positive must have gotten them out of their chair to investigate, only to find that nothing is actually wrong, proving that alert false. A security solution of this kind should not only get the analyst out of their chair; it must also have a false positive rate low enough to maintain the trust of the user.

How do we get to that true positive alert?

To produce an alert that can definitively prove an infection, a security solution must gather the individual pieces of evidence, contextualize them, and collect the supporting evidence they require. From there, it must build an evidence-based case for an infection and present the complete case, including all of the evidence, to the user.
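As an added illustration, not Core Security's code or Network Insight's actual logic, the following Python shows the difference between a trivial alert and a positive identification in working terms. It parses constructed sample alert lines from several detection engines, groups them by endpoint, and raises a case only when evidence from at least two independent engines lands within a 30-minute window and a weighted score crosses a threshold; everything else stays a trivial alert. It also computes a false positive rate for the cases it raised from analyst dispositions, which is the rate the text says must stay low. The engine names, weights, window, thresholds and sample events are all assumptions made for the example.

```python
"""Added illustration (not Core Security code): turning per-signal "trivial
alerts" into a correlated, evidence-backed case per endpoint, then measuring
the false positive rate of those cases against analyst dispositions."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample input, one alert per line: "timestamp|engine|endpoint|detail".
# These are made-up events for the example, not captured traffic.
SAMPLE_ALERTS = """\
2024-03-01T09:00:05|dns_dga|10.0.1.15|query for qzxk3mfp8.com NXDOMAIN
2024-03-01T09:00:20|dns_dga|10.0.1.15|query for plw9xxa2.net NXDOMAIN
2024-03-01T09:02:10|c2_beacon|10.0.1.15|periodic POST to 203.0.113.7:443 every 60s
2024-03-01T09:05:44|payload_download|10.0.1.15|PE file fetched from 203.0.113.7
2024-03-01T09:07:02|dns_dga|10.0.1.42|query for b7q2mzlp.org NXDOMAIN
2024-03-01T10:15:00|c2_beacon|10.0.1.88|periodic GET to 198.51.100.9:8080 every 30s
2024-03-01T10:16:30|payload_download|10.0.1.88|PE file fetched from 198.51.100.9
2024-03-01T13:00:00|c2_beacon|10.0.1.15|periodic POST to 203.0.113.7:443 every 60s
"""

# Assumed per-engine weights and thresholds (illustrative, not a vendor's scoring).
ENGINE_WEIGHT = {"dns_dga": 1.0, "c2_beacon": 2.0, "payload_download": 2.5}
MIN_DISTINCT_ENGINES = 2   # one engine, however loud, is only a trivial alert
MIN_SCORE = 4.0
WINDOW = timedelta(minutes=30)


@dataclass
class Alert:
    ts: datetime
    engine: str
    endpoint: str
    detail: str


@dataclass
class Case:
    """A positive identification: the endpoint plus every piece of evidence."""
    endpoint: str
    score: float
    engines: set
    evidence: list = field(default_factory=list)


def parse_alerts(text):
    alerts = []
    for line in text.strip().splitlines():
        ts, engine, endpoint, detail = line.split("|", 3)
        alerts.append(Alert(datetime.fromisoformat(ts), engine, endpoint, detail))
    return sorted(alerts, key=lambda a: a.ts)


def build_cases(alerts):
    """Group alerts by endpoint, then slide a time window over each endpoint's
    alerts and require evidence from several independent engines before
    calling it a case. Returns (cases, trivial_alerts)."""
    by_endpoint = defaultdict(list)
    for a in alerts:
        by_endpoint[a.endpoint].append(a)
    cases, trivial = [], []
    for endpoint, evs in by_endpoint.items():
        best = None
        for i, first in enumerate(evs):
            window = [e for e in evs[i:] if e.ts - first.ts <= WINDOW]
            engines = {e.engine for e in window}
            # Each engine counts once: ten DGA lookups are still one kind of evidence.
            score = sum(ENGINE_WEIGHT[eng] for eng in engines)
            if len(engines) >= MIN_DISTINCT_ENGINES and score >= MIN_SCORE:
                if best is None or score > best.score:
                    best = Case(endpoint, score, engines, window)
        if best is not None:
            cases.append(best)
        else:
            trivial.extend(evs)
    return cases, trivial


def false_positive_rate(cases, dispositions):
    """dispositions maps endpoint -> True if the analyst confirmed an infection.
    Cases with no disposition yet are excluded from the rate."""
    judged = [c for c in cases if c.endpoint in dispositions]
    if not judged:
        return 0.0
    fps = sum(1 for c in judged if not dispositions[c.endpoint])
    return fps / len(judged)


if __name__ == "__main__":
    cases, trivial = build_cases(parse_alerts(SAMPLE_ALERTS))
    for c in cases:
        print(f"CASE {c.endpoint} score={c.score} engines={sorted(c.engines)}")
        for e in c.evidence:
            print(f"    {e.ts.isoformat()} {e.engine}: {e.detail}")
    print(f"{len(trivial)} trivial alert(s) left uncorrelated")
    # Constructed analyst outcome: 10.0.1.88 turned out to be a benign updater.
    print("false positive rate:",
          false_positive_rate(cases, {"10.0.1.15": True, "10.0.1.88": False}))
```

Note that the case for 10.0.1.15 carries all four supporting alerts, which is what lets an analyst judge it; the lone DGA lookup from 10.0.1.42 is reported as a trivial alert rather than counted against the tool's false positive rate.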

Does a security solution like that exist?

Core Network Insight is installed inside the perimeter, inside the inner ring of policy enforcement, so that it can see the whole picture. It gathers the individual pieces of evidence that other tools alert on, weighs and analyzes them, and builds a case against each infected endpoint. This case includes evidence from twelve detection engines, correlated, contextualized, and positively attributed to a specific endpoint. Network Insight also provides the name of the last user to log in to the infected endpoint, a full list of users who have logged in to it, and a list of other endpoints each of those users has logged in to.

Network Insight also calculates a business risk for each infection on each infected endpoint, based on the infection-related network activity, the value of and risk posed by the endpoint, and the intent of the threat actor and the activity of the malware. In other words, Network Insight connects the dots between the various security events, creating a clear picture of a breach. These contextualized, correlated, and evidence-supported alerts, combined with a low false positive rate, ensure that analysts don’t just get out of their chairs, they leap out of them.

Until users and vendors begin differentiating between trivial alerts and false positives, it’s important to remember that not all false positives are created equal.

Copyright © Fortra, LLC and its group of companies. All trademarks and registered trademarks are the property of their respective owners.