Security teams have a lot of noise and false positives to deal with in their day-to-day jobs. Every organization is managing thousands of alerts each month — and that’s in an ideal scenario, with cybersecurity monitoring and detection systems picking up anything potentially suspicious. Some organizations are dealing with this volume on a daily basis, making it nearly impossible to stay ahead of possible threats.
The reality is that every alert has the potential to be a serious cyber incident.
In an ideal scenario, every alert is investigated. For an internal SOC team, tasked with maintaining the organization’s operations and security infrastructure, this alert triage typically falls to the Tier 1 SOC analysts. If a SOC team can’t manage the volume of alerts, it is often forced to rely on a Managed Detection & Response (MDR) provider (when it can afford one) to handle at least some of the tasks associated with alert triage, incident response, and threat hunting.
Complicating this already-challenging situation is the fact that nearly half of these alerts turn out to be false positives. They’re often legitimate actions that have been erroneously flagged by security tools as potential threats. These false positive alerts divert attention away from actual issues and waste valuable staff time, resulting in what the industry has termed “alert fatigue.”
The Time Suck of False Positives
How does this happen? Typically, normal activity is flagged as suspicious when security tools aren’t configured well, or when they mistakenly classify legitimate behavior as malicious. Completely valid applications perform actions that can raise red flags: specific network activity, API hooking, or code injection into a remote process, for example.
The real issue at hand is that security teams are distracted by such false positives, costing companies millions of dollars each year. Even worse, some companies aren’t able to manage the volume at all, leading security teams to ignore alerts or disable certain detections, which in the end can leave them exposed to serious attacks. Under intense pressure, and weighed down by the budget, staff and skills required to deal with this massive number of alerts, some companies are left making difficult decisions that could lead to irreparable harm. After all, the attack a company misses might not only cost it lost revenue or hefty fines; it might also permanently tarnish its professional reputation.
Solutions for Catching Legitimate Threats and Avoiding Alert Fatigue from False Positives
Traditionally, teams are forced to spend time manually investigating and verifying each false positive, with the triage tasks falling to internal Tier 1 analysts or potentially an MDR provider (often an expensive service). But constantly wasting time and budget on false alerts drives teams to develop best practices for managing false positives, to find new ways to tune detection tools, and to verify false positives automatically.
Until now, the only way to deal with false positives has been a mitigation approach: accepting that a significant volume of alerts will continually appear, with the understanding that best practices are really all companies have to guide them. Those best practices for reducing false positives include constantly reviewing threat parameters, automating processes, and adding “ignore” rules to a SIEM, EDR, or other alerting tools.
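The “ignore” rules mentioned above are the main tuning lever most teams have, and how narrowly a rule is scoped decides whether it removes noise or creates a blind spot. The following Python is an added example, not Intezer’s code or any SIEM/EDR product’s rule syntax: it applies suppression rules to a handful of constructed EDR-style alerts and contrasts a rule keyed on process name alone with rules pinned to the vetted binary’s path and hash. All alert fields, file paths and hash values are constructed placeholders.

```python
"""Added example: scoped suppression ("ignore") rules for alert triage.

The alerts, rules, paths and hashes below are constructed sample data, not
output from any real SIEM or EDR product.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    rule: str      # detection that fired, e.g. "remote_process_injection"
    process: str   # image name of the process that triggered it
    path: str      # full path the image was loaded from
    sha256: str    # hash of the image (placeholder values in the samples)


@dataclass(frozen=True)
class Suppression:
    """An ignore rule; every non-empty field must match for an alert to be suppressed."""
    rule: str
    process: str = ""
    path: str = ""
    sha256: str = ""

    def matches(self, alert: Alert) -> bool:
        if alert.rule != self.rule:
            return False
        for attr in ("process", "path", "sha256"):
            wanted = getattr(self, attr)
            if wanted and getattr(alert, attr).lower() != wanted.lower():
                return False
        return True


def triage(alerts, suppressions):
    """Split alerts into (suppressed, remaining) according to the rule set."""
    suppressed, remaining = [], []
    for alert in alerts:
        bucket = suppressed if any(s.matches(alert) for s in suppressions) else remaining
        bucket.append(alert)
    return suppressed, remaining


def false_positive_rate(suppressed, total):
    """Share of alerts the rules classified as known-good, as a percentage."""
    return 0.0 if total == 0 else round(100 * len(suppressed) / total, 2)


# Constructed sample alerts: a backup agent and a remote-support tool that
# legitimately inject into other processes / install API hooks, plus a binary
# reusing the backup agent's name from an unusual path with a different hash,
# and an unrelated outbound-connection alert.
SAMPLE_ALERTS = [
    Alert("remote_process_injection", "backupagent.exe",
          r"C:\Program Files\BackupCo\backupagent.exe", "aaaa1111"),
    Alert("remote_process_injection", "backupagent.exe",
          r"C:\Program Files\BackupCo\backupagent.exe", "aaaa1111"),
    Alert("api_hook_installed", "support.exe",
          r"C:\Program Files\RemoteHelp\support.exe", "bbbb2222"),
    Alert("remote_process_injection", "backupagent.exe",
          r"C:\Users\Public\backupagent.exe", "cccc3333"),
    Alert("suspicious_outbound_connection", "unknown.exe",
          r"C:\Users\jdoe\AppData\Local\Temp\unknown.exe", "dddd4444"),
]

# Overly broad rule: keyed on the process name alone.
BROAD_RULES = [Suppression("remote_process_injection", process="backupagent.exe")]

# Scoped rules: pinned to the exact path and hash of the vetted binaries.
SCOPED_RULES = [
    Suppression("remote_process_injection", process="backupagent.exe",
                path=r"C:\Program Files\BackupCo\backupagent.exe", sha256="aaaa1111"),
    Suppression("api_hook_installed", process="support.exe",
                path=r"C:\Program Files\RemoteHelp\support.exe", sha256="bbbb2222"),
]


if __name__ == "__main__":
    for label, rules in (("broad", BROAD_RULES), ("scoped", SCOPED_RULES)):
        sup, rem = triage(SAMPLE_ALERTS, rules)
        print(f"{label}: suppressed {len(sup)}/{len(SAMPLE_ALERTS)} "
              f"({false_positive_rate(sup, len(SAMPLE_ALERTS))}%), "
              f"remaining hashes: {[a.sha256 for a in rem]}")
```

Both rule sets suppress the same number of alerts, so a dashboard that only reports the suppression rate would rate them equally; the difference is which alerts survive. The broad rule silences the copy of `backupagent.exe` running from `C:\Users\Public` with an unfamiliar hash, which is exactly the alert an analyst would want to see, while the scoped rules leave it in the queue and drop only the two vetted binaries. When reviewing existing ignore rules, checking what each one would have suppressed over a recent window is a quick way to find rules that have grown too wide.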
Let’s take an example. In the below video, we showed a case where we automatically identified that 40.63% of the alerts were false positives. (At the same time these false positives were identified, Intezer’s solution for Autonomous SecOps also triaged the remaining alerts, identifying threats as confirmed malicious with

There is a more sophisticated and accurate way to approach this problem. The Intezer Analyze™ solution was designed specifically for incident response teams, and it was built by incident response experts with vast knowledge of the challenge at hand. Imagine possessing a tool that, in a matter of seconds, has the capacity to reverse engineer any file (an executable or a full memory dump) and integrate with your SOC automation tools. What if you had a platform that could help minimize other systems’ erroneous flags by recognizing code originating from legitimate software sources? The result: your team would be able to concentrate on real threats only.
A subscription-based SaaS product, Intezer Analyze™ provides rapid malware detection and analysis through a simple online API. The tool functions as a plug-and-play solution for any process within your organization’s incident response plans or daily cyber security monitoring, requiring no onsite deployment. The long hours of dealing with erroneous flags are over: quickly and easily distinguishing true threats from code that originates in legitimate software will undoubtedly transform the productivity of any security team.
Editor’s Note: This post was originally published in 2017 and was recently revised and updated for accuracy and comprehensiveness.