A false positive is a cybersecurity alert that suggests an incident is underway where none actually exists. By comparison, a trivial true positive is an alert that is technically true, but largely irrelevant.
Which one is worse? In the grand scheme, it may not matter as both deplete the finite time and resources available to the security operations center (SOC) to triage, prioritize and investigate the deluge of alerts.
As the infographic nearby illustrates, many SOCs face an overwhelming volume of cybersecurity alerts. One study found larger enterprises encounter “1.3 million vulnerabilities every 30 days” and “64% of threat alerts are not addressed each day.”
Another study found more than half of security pros “are forced to ignore security alerts worthy of further investigation because they don’t have the staff and expertise to handle them.”
At Bricata, we believe the answer rests in understanding the context of a security alert. This means understanding a threat from multiple perspectives and enriching security alerts with network metadata that, for example, helps the SOC understand the behavior behind an alert.