2025-01-16 Update From: SLTechnology News&Howtos (shulou)
Shulou (Shulou.com) 06/01 Report
This article explains how to reduce the false positives of security products. The explanation is simple and clear and easy to follow; read along with the editor's train of thought to learn how to reduce the false positives of security products.
So what causes false positives?
According to the Xuanjing Server Guard staff, the most common cause of false positives is poorly configured or poorly tuned security tools, such as SIEMs, intrusion detection systems, intrusion prevention systems, and endpoint detection and response tools.
These systems apply many attack detection techniques built on a set of predefined rules (known signatures, patterns, expected user behaviour, and so on).
False positives typically occur when a rule, signature, or pattern in these tools is defined too broadly or is missing some logic. Identifying security events with such logic easily produces false threat alerts.
The following seven basic habits are recommended for enterprises and organizations that want to minimize false positives:
1) Be proactive
Adopt a proactive threat management style. If all you do is wait for alarms to sound and fade, you will spend your time dealing with false positives rather than discovering real threats. Proactive threat hunting is the only proven way to detect the latest network threats.
2) Put the goal first
Used correctly, alerting technology can greatly improve our ability to identify suspicious or malicious activity, which is also the goal Xuanjing Server Guard has always pursued. However, many enterprises and organizations deploy this technology at large scale while ignoring the key point: focus on the types of threat you actually plan to detect.
Assess your business's risks and security needs, then apply alerting to the highest-risk threat events. Focusing on your ultimate goal, that is, the threat types most relevant to your plan, will greatly reduce the false alarm rate.
3) Prioritize high-risk alerts
Prioritization is one of the best tools a SOC has for reducing the time wasted on false positives. Alerts with the highest reliability that detect high-risk events should unquestionably be given priority.
With this approach, analysts can handle alerts according to their priority, ensuring that the riskiest events are addressed first.
4) Think win-win
Treat people as a cooperative group rather than as competitors. Choose cooperative intelligence sources that bring resources of differing authenticity, relevance, and value to your security operations center.
(Choose wisely, of course: if you carelessly and blindly integrate resources from intelligence sites without evaluating their authenticity, the resulting false alarm rate will harm the security operations center.)
5) Focus on understanding
Dealing with false positives should begin with a thorough understanding of which threats your existing tools are trying to address and how they operate. When using a tool, you should also be completely clear about why you deployed it, rather than making assumptions based on "common" situations, and never run a tool on its default settings.
6) Collaborative processing (use correlation)
In many cases, a single event is not enough to warrant attention unless it is observed together with other events of interest. When this happens, use a well-defined set of correlation rules, and only when every event meets all of the correlation criteria send a single alert to the analyst's queue.
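As an added illustration of the correlation habit above (example code written for this page, not from the article or from any product it mentions): a small Python correlation rule that, over a constructed set of login events, raises a single high-severity alert only when all three criteria occur within one window, and stays silent for a user who merely mistyped a password. The event schema, thresholds and sample addresses are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:  # one normalized log event (constructed schema, not a product's)
    ts: datetime
    src_ip: str
    user: str
    kind: str  # "auth_fail", "auth_ok" or "priv_change"

def _t(minute):  # timestamps on one constructed morning
    return datetime(2025, 1, 16, 9, minute)

# Constructed sample input: 10.0.0.5 fails five times on "alice", then logs in
# and gains admin rights; 10.0.0.9 is a user mistyping a password twice (benign).
SAMPLE_EVENTS = [
    *[Event(_t(m), "10.0.0.5", "alice", "auth_fail") for m in range(5)],
    Event(_t(6), "10.0.0.5", "alice", "auth_ok"),
    Event(_t(8), "10.0.0.5", "alice", "priv_change"),
    Event(_t(1), "10.0.0.9", "bob", "auth_fail"),
    Event(_t(2), "10.0.0.9", "bob", "auth_fail"),
    Event(_t(3), "10.0.0.9", "bob", "auth_ok"),
]

def correlate(events, window=timedelta(minutes=10), min_fails=5):
    """Return ONE alert per source that meets ALL criteria inside `window`:
    >= min_fails failed logins, then a successful login, then a privilege
    change for that account. Any criterion on its own yields no alert."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_src[ev.src_ip].append(ev)
    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e.kind == "auth_fail"]
        if len(fails) < min_fails:
            continue  # criterion 1 unmet: ordinary events, no alert
        deadline = fails[0].ts + window
        ok = next((e for e in evs if e.kind == "auth_ok"
                   and fails[min_fails - 1].ts < e.ts <= deadline), None)
        if ok is None:
            continue  # criterion 2 unmet
        priv = next((e for e in evs if e.kind == "priv_change" and e.user == ok.user
                     and ok.ts < e.ts <= deadline), None)
        if priv is None:
            continue  # criterion 3 unmet
        alerts.append({"src_ip": src, "user": ok.user, "severity": "high",
                       "failed_logins": sum(1 for e in fails if e.ts < ok.ts)})
    return alerts
```

Running `correlate(SAMPLE_EVENTS)` yields one alert for 10.0.0.5 and none for the benign typos, which is the whole point: many noisy events, one actionable alert.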
7) Keep up to date
Review previous alerts, keep learning lessons from them, and formulate better alert rules. Alert review lets you understand how to adjust and improve existing rules.
Today's network threats are very complex, and reducing false positives requires intelligent, targeted alerting logic that surfaces the important events. Continuously tuning that logic is therefore very important.
Although false alarms will always exist in network security operations, following the seven habits above can reduce their number.