Understanding False Positives
StratoZen espouses a near-zero false positive rate for the alerting in the SIEM and SOC-as-a-Service environment we deliver to our clients. That is a bold statement, and one that is challenged frequently, usually because of a misunderstanding of what the term means. So, what exactly is a false positive?
A false positive, in its simplest definition from the Merriam-Webster dictionary, is "a result that shows something is present when it really is not." StratoZen uses this definition as the basis for what we consider a false positive. Yet misunderstandings persist in the industry. The best way to understand the definition is to review some common scenarios that give rise to those misunderstandings.
Scenario 1: The Actual False Positive
In this case, the definition applies directly. For example, an alert flags a source IP address as a known malicious attacker, but the address actually belongs to one of the customer's own clients, who was recently assigned it by their Internet Service Provider. The alert is false because the reputation data reflects the previous holder of the address, who was known for hacking activity, and the reassignment had not yet propagated to the threat intelligence feeding the alerting system. Reputation data ages, and an alert built solely on it should be checked against current ownership of the address before anyone blocks it.
Scenario 2: The PenTester
Here, an IP address is reported through alerts as conducting reconnaissance activity, including port scanning. After further investigation, it is learned that the IP address traces back to a legitimate penetration testing firm hired by the client. This is NOT a false positive, even though the activity turned out to be benign. The alert correctly identified unexplained scanning activity that, absent any other context, is indistinguishable from an attacker's reconnaissance. It would only be considered a false positive if the client had notified StratoZen in advance that it had scheduled the engagement and did not want to be alerted on it.
Scenario 3: The "Can't Do Anything"
This is a rather frustrating scenario for our partners. StratoZen alerts on actual malicious activity. However, the partner is not in a position to change firewall rules to block the activity because the end customer has directed otherwise. StratoZen continues to alert, as the activity is malicious in nature. Sadly, the partner's hands are tied until action can be taken on the firewall. The alert and the underlying activity are true positive indicators of malicious activity, and therefore not a false positive, no matter how many times the same alert fires.
Scenario 4: Internal Port Scan
StratoZen detects and alerts on an internal machine conducting a port scan. The internal machine is not listed as a known, authorized vulnerability assessment asset. After investigation, it is determined that the machine belongs to a bona fide power user, an employee who was curious about what was on the network. This is not a false positive: StratoZen alerted on suspicious activity within the internal network that revealed a potential insider threat, a power user conducting unauthorized scans. The follow-on question this example raises is what else that "power user" does with unsupervised access in their free time.
StratoZen's alerts are carefully tuned to rule out the mundane noise of network traffic. It is our experience that if an alert fires, there is a very good reason behind it, and it must be investigated thoroughly. No alert should be dismissed as a false positive without an explicit understanding of the underlying events that caused it to trigger.
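The scenarios above turn on context that the detection has to be told about: which hosts are authorized scanners (Scenario 4) and which engagements the client has announced in advance (Scenario 2). The following is an added example, not StratoZen's detection logic, showing a minimal port-scan detector run over constructed firewall log lines, with the authorized-scanner list, the announced-engagement window, the threshold values, and the log format all assumed for illustration. It shows why an unannounced pentester and a curious power user both still alert, while a known vulnerability scanner and an announced engagement do not.

```python
"""Added example (not StratoZen's code): threshold port-scan detection with
authorized-scanner and announced-engagement context, per the scenarios above."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Tuning knobs (assumed values, not StratoZen's thresholds).
PORT_THRESHOLD = 8                # distinct destination ports from one source...
WINDOW = timedelta(seconds=60)    # ...within this window counts as a scan

# Hypothetical context the client maintains with its SOC provider.
AUTHORIZED_SCANNERS = {"10.0.0.50"}                  # Scenario 4: known VA asset
ANNOUNCED_ENGAGEMENTS = {                            # Scenario 2: client gave notice
    "198.51.100.20": (datetime(2024, 3, 4, 8, 0, tzinfo=timezone.utc),
                      datetime(2024, 3, 4, 18, 0, tzinfo=timezone.utc)),
}

# Check RFC 1918 explicitly: ipaddress.is_private also flags the documentation
# ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) used in the sample data.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in RFC1918)


def parse_line(line):
    """Assumed log format: '<ISO8601 UTC> <src_ip> <dst_ip> <dst_port> <action>'."""
    ts, src, dst, port, action = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, src, dst, int(port), action


def detect_scans(lines):
    """Return {src_ip: first_scan_time} for every source that touches
    PORT_THRESHOLD distinct ports within any WINDOW-long span."""
    events = defaultdict(list)
    for line in lines:
        if line.strip():
            when, src, _dst, port, _action = parse_line(line)
            events[src].append((when, port))
    scans = {}
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            ports = {p for t, p in evs[i:] if t - t0 <= WINDOW}
            if len(ports) >= PORT_THRESHOLD:
                scans[src] = t0
                break
    return scans


def disposition(src, when):
    """Apply the context that separates 'expected' from 'unexplained' scanning."""
    if src in AUTHORIZED_SCANNERS:
        return "suppressed: authorized scanner"
    window = ANNOUNCED_ENGAGEMENTS.get(src)
    if window and window[0] <= when <= window[1]:
        return "suppressed: announced engagement"
    if is_internal(src):
        return "ALERT: internal port scan"
    return "ALERT: external reconnaissance"


def triage(log_text):
    return {src: disposition(src, when) for src, when in detect_scans(log_text.splitlines()).items()}


# Constructed sample data (not real traffic): one source per scenario.
def _scan_lines(src, dst, start, ports, step=1):
    return [f"{(start + timedelta(seconds=i * step)).strftime('%Y-%m-%dT%H:%M:%SZ')} {src} {dst} {p} DENY"
            for i, p in enumerate(ports)]


T = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
COMMON_PORTS = [21, 22, 23, 25, 80, 110, 143, 443, 445, 3389]
SAMPLE_LOG = "\n".join(
    _scan_lines("203.0.113.7", "10.0.0.5", T, COMMON_PORTS)             # Scenario 2: unannounced pentester
    + _scan_lines("198.51.100.20", "10.0.0.5", T, COMMON_PORTS)         # announced pentester, inside window
    + _scan_lines("10.0.1.33", "10.0.0.5", T, COMMON_PORTS)             # Scenario 4: curious power user
    + _scan_lines("10.0.0.50", "10.0.0.5", T, COMMON_PORTS)             # authorized VA scanner
    + _scan_lines("10.0.2.9", "10.0.0.5", T, [443, 80])                 # ordinary client, below threshold
    + _scan_lines("192.0.2.44", "10.0.0.5", T, COMMON_PORTS, step=30)  # slow scan: 3 ports per minute
)

if __name__ == "__main__":
    for src, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(f"{src:15} {verdict}")
```

Note what the suppression does and does not do: the announced-engagement entry is time-bounded, so the same pentester scanning a day after the window closes alerts again, and a host on the authorized-scanner list is trusted permanently, which is why that list needs to be reviewed. Note also the last source in the sample: a scan spread over 30-second intervals never reaches the threshold, so a simple count-in-window rule misses it. Tuning out the "mundane noise" always trades some sensitivity, and that trade should be made deliberately rather than by assuming a silent detector means nothing is happening.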
Chris Gebhardt, Vice President of Cybersecurity Operations, StratoZen
Chris Gebhardt is a former Police Lieutenant for the Washington DC Metropolitan Police Department and SWAT Team Leader in Utah. He is currently Vice President of Cybersecurity Operations for StratoZen, a SOC-as-a-Service provider in Draper. Chris was exposed to technology early in life growing up in New York. His career has focused on the use of technology and security for government and corporate entities including the FBI, DOJ, BJS, eBay, Jet.com, and numerous private equity firms. Chris is a dynamic speaker who often challenges the widely held beliefs of the cybersecurity community. He is experienced with SOC 2, SOX, HIPAA, GDPR, ISO, and other compliance frameworks.