The phrase “false positive” has become so ubiquitous in Information Security that we often don’t stop to consider what it means or how it is used. Many use the term to describe every alert generated by a tool that does not lead to the discovery of a true infection when investigated. If every alert triggered by trivial information is counted as a false positive, this overstates the intention and function of the tool and may even give the user a false sense that the tool has more capabilities than it actually does. It is worth establishing a distinction: calling this type of notification a “trivial alert,” and reserving the phrase “false positive” for correlated, contextualized, and evidence-supported positive identifications of active infections which prove to be false. Taking the time to establish clear definitions may lead to a better understanding of what security tools can do and ultimately improve information security.
What do we call a false positive?
Users of security tools often expect those tools to provide the one alert that will lead them to a true infection in their network. However, these tools are often placed in a location which prevents them from definitively confirming infections. Instead, they alert on everything that might be a marker of infection, so as not to miss the one indicator that does lead to an infection. This results in security analysts being flooded with hundreds of thousands or even millions of alerts per day, none of which provide enough information on their own.
What’s the harm in not having a clear definition of a false positive?
Users of such security tools often refer to these trivial alerts as false positives. In order to use the common vernacular, vendors of those security tools may also refer to those alerts as false positives. Unfortunately, implying a product has false positives suggests that the product can verify an infection, which is outside the scope of most of these solutions. Providing a more accurate definition and understanding of what constitutes a false positive will give users of security tools a clearer method for evaluating the suitability of those tools for their environment.
What is a false positive?
The phrase “false positive” suggests that there was a positive that was proven false. However, the individual pieces of evidence such tools alert on, without context or correlation, are never actionable on their own. As noted above, alerts for such items are perhaps better termed trivial alerts. A true positive alert must be so serious that it gets the analyst out of their chair. A false positive must have gotten them out of their chair to investigate, only to find that nothing is actually wrong, proving that alert false. A security solution of this nature should not only get the analyst out of their chair, it must also have a false positive rate low enough to maintain the trust of the user.
How do we get to that true positive alert?
In order to get an alert that can definitively prove an infection, a security solution must gather and analyze individual pieces of evidence, contextualizing them and gathering the requisite supporting evidence. From there, it must build an evidence-based case for an infection and provide a complete case, including all the evidence, to the user.
Does a security solution like that exist?
Core Network Insight is installed inside the perimeter, inside inner-ring policy enforcement, so that it can see the whole picture. It gathers the individual pieces of evidence that other tools alert on, weighs and analyzes them, and builds a case against each infected endpoint. This case includes evidence from twelve detection engines, correlated, contextualized, and positively attributed to a specific endpoint. Network Insight also provides the name of the last user to log in to the infected endpoint, a full list of users who have logged into the infected endpoint, and a list of other endpoints each of those users has logged into.
Network Insight also calculates a business risk for each infection on each infected endpoint, based on the infection-related network activity, the value of and risk posed by the endpoint, and the intent of the threat actor and activity of the malware. In other words, Network Insight connects the dots between all the various security events, creating a clear picture of a breach. These contextualized, correlated, and evidence-supported alerts, combined with a low false positive rate, ensure that analysts don’t just get out of their chairs, they leap out of them.
Until users and vendors begin differentiating between trivial alerts and false positives, it’s important to remember that not all false positives are created equal.