Intrusion Detection System (IDS) False Positives – Consuming InfoSec Time, Effort and Budget

Posted on: October 21st, 2010 by AccelOps


Many in the information security industry define an IDS false positive as a detection by an IDS/IPS of an attack or malicious activity that is actually benign. The result is an alert/event that requires some response from security staff. Essentially, the IDS's identification of the attack is technically legitimate, but there is no security issue. In some cases, the IDS rule or statistical profile is broad enough to flag attacks that are in fact non-issues. While security staff can attempt to tune and refine their IDS to reduce such false positives, Security Information Event Management (SIEM) / log management systems are well suited to alleviating this condition and reducing the associated administrative burden.

Security Information Event Management systems offer a means to automatically tag certain IDS false positives (which all IDS users contend with) through event correlation and exception management. SIEMs can identify, in real time, false positive conditions of three kinds: (i) attacks against invalid systems, (ii) attacks against systems that are patched and no longer vulnerable, and (iii) attacks that are non-threats, such as scheduled vulnerability scans.

An IDS may report a known Windows attack against a Linux system, or a known attack against a patched system. If your SIEM/log manager discovers and maintains current configurations (à la a CMDB, or configuration management database) and patch details, it can readily tag these incidents as false positives. Some SIEM/log managers attempt to use vulnerability scanner data for this method of suppression, which is acceptable but usually not current (it is only good as of your last scan). The SIEM/log manager is also well positioned to handle exception management: its alert and suppression rules can be easily adjusted to identify known internal scanners, scheduled scans and penetration tests, eliminating additional false positive workload.
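The two paragraphs above describe three suppression conditions (wrong target platform, target already patched, authorized scheduled scan) plus the caveat that patch data is only as good as its freshness. The following is an added example, not AccelOps code or any real SIEM API: a small rule-based triage pass over constructed IDS alerts and a constructed CMDB. The data classes, rule names, IP addresses and the placeholder CVE identifier are all invented for illustration. The freshness check (`MAX_CONFIG_AGE`) is an assumed policy that refuses to suppress on "already patched" when the configuration record is stale, which is the failure mode the text attributes to scanner-derived data.

```python
"""Rule-based triage of IDS alerts against an asset inventory and exception rules.

Constructed example: the data classes, rule names and sample data are invented
for illustration; they are not an AccelOps API or a real CMDB schema.
"""
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Assumed policy: a configuration/patch record is trusted for suppression only
# if it was verified within this window (stale data is the scanner-data problem).
MAX_CONFIG_AGE = timedelta(days=7)


@dataclass
class Asset:
    """One CMDB entry (constructed shape)."""
    ip: str
    os_family: str                            # "windows", "linux", ...
    patched_cves: Set[str] = field(default_factory=set)
    last_verified: Optional[datetime] = None  # when config/patch state was confirmed


@dataclass
class IdsAlert:
    """Normalized IDS/IPS event (constructed shape)."""
    src_ip: str
    dst_ip: str
    signature: str
    timestamp: datetime
    target_os: Optional[str] = None  # OS family the signature applies to, if known
    cve: Optional[str] = None        # CVE the signature detects, if any


@dataclass
class ScanWindow:
    """Exception rule: an authorized internal scanner and its daily time window."""
    scanner_ip: str
    start: time
    end: time


def classify_alert(alert: IdsAlert, cmdb: Dict[str, Asset],
                   windows: List[ScanWindow]) -> Tuple[str, str]:
    """Return (verdict, reason) where verdict is 'false_positive' or 'actionable'."""
    # (iii) Exception management: an authorized scanner inside its scheduled window.
    for w in windows:
        if alert.src_ip == w.scanner_ip and w.start <= alert.timestamp.time() <= w.end:
            return "false_positive", "scheduled_scan"

    asset = cmdb.get(alert.dst_ip)
    if asset is None:
        # Unknown target: nothing to correlate against, so leave it for an analyst.
        return "actionable", "target_not_in_cmdb"

    # (i) Attack against a system it cannot apply to (wrong OS family).
    if alert.target_os and alert.target_os != asset.os_family:
        return "false_positive", "os_mismatch"

    # (ii) Attack against a system already patched for that CVE, trusted only
    # when the configuration record is fresh enough.
    if alert.cve and alert.cve in asset.patched_cves:
        fresh = (asset.last_verified is not None
                 and alert.timestamp - asset.last_verified <= MAX_CONFIG_AGE)
        if fresh:
            return "false_positive", "already_patched"
        return "actionable", "patch_record_stale"

    return "actionable", "no_suppression_rule_matched"


def triage(alerts: List[IdsAlert], cmdb: Dict[str, Asset],
           windows: List[ScanWindow]) -> Dict[str, int]:
    """Count 'verdict:reason' outcomes over a batch of alerts."""
    counts: Dict[str, int] = {}
    for a in alerts:
        verdict, reason = classify_alert(a, cmdb, windows)
        key = f"{verdict}:{reason}"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample data: invented hosts, signatures and a placeholder CVE id.
NOW = datetime(2010, 10, 21, 2, 30)
CMDB = {
    "10.0.0.5": Asset("10.0.0.5", "linux", last_verified=NOW - timedelta(days=1)),
    "10.0.0.8": Asset("10.0.0.8", "windows", {"CVE-0000-0001"},
                      last_verified=NOW - timedelta(days=1)),
    "10.0.0.9": Asset("10.0.0.9", "windows", {"CVE-0000-0001"},
                      last_verified=NOW - timedelta(days=30)),  # stale record
}
SCAN_WINDOWS = [ScanWindow("10.0.0.250", time(2, 0), time(4, 0))]
SAMPLE_ALERTS = [
    IdsAlert("203.0.113.7", "10.0.0.5", "win_smb_exploit", NOW, target_os="windows"),
    IdsAlert("203.0.113.7", "10.0.0.8", "win_smb_exploit", NOW, "windows", "CVE-0000-0001"),
    IdsAlert("203.0.113.7", "10.0.0.9", "win_smb_exploit", NOW, "windows", "CVE-0000-0001"),
    IdsAlert("10.0.0.250", "10.0.0.5", "port_scan", NOW),
    IdsAlert("198.51.100.3", "10.0.0.77", "web_rce_probe", NOW),
]

if __name__ == "__main__":
    for key, n in sorted(triage(SAMPLE_ALERTS, CMDB, SCAN_WINDOWS).items()):
        print(f"{key}: {n}")
```

Running the block prints one line per outcome: the Windows signature against the Linux host and the hit on the freshly verified patched host are tagged false positives, the scanner traffic inside its window is suppressed, while the alert against the host whose patch record is 30 days old and the alert against a host absent from the CMDB stay actionable. The ordering of the checks is a design choice: the exception rule runs first because it does not depend on inventory data, and the patch check deliberately fails open to "actionable" rather than suppressing on stale information.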

Some might argue that these IDS alerts are indeed valid reported attacks and not false at all. But the real question should not be about the definition (the argument is somewhat moot). The challenge is to reduce the noise, and with it the unnecessary workload that information security personnel expend verifying threats, exploited vulnerabilities and policy violations.

AccelOps offers advanced Security Information Event Management and Log Management functionality. A better SIEM: beyond SIEM. AccelOps captures and cross-correlates broad operational event data, including configurations, network flow, syslog, security (with support for all major Intrusion Detection Systems and Intrusion Prevention Systems), virtualization, application and identity events. AccelOps automatically tags benign IDS alerts as false positives by comparing CVE, target configuration and patch information against IDS/IPS events. We also have robust exception management and alert suppression rules, intuitively presented through our consolidated Web console, to address IDS/IPS false positives. AccelOps' multi-tenancy capabilities also have significant advantages for larger enterprises and managed service providers / managed security service providers, whereby an IDS false positive suppression rule can be readily applied to multiple divisions or customers.

Since AccelOps' Security Information Event Management functionality offers extensive cross-correlation, automated IDS false positive tagging, and incident and exception management capabilities, security analysts can spend less time, energy and funds managing IDS false positives and focus on more pertinent incident investigation and compliance management activities.
