Phishing and the Cost of False Alarms
“False positives can be more costly than a malware infection,” writes Ondrej Kubovič at We Live Security. The question is, how can you keep error rates low, uphold detection rates, and still maintain top-notch protection? According to Kubovič, a well-tuned security solution coupled with experienced human supervision is the answer.
The most vulnerable and easily exploitable targets for phishing are endpoint applications like email and browsers. Protecting these endpoints costs money; not just capital investment in an effective security stack, but time spent monitoring and maintaining it. Every moment spent addressing false positives is time taken from an organization’s team to address ongoing and new security issues. Some of these hidden costs include:
- Staff salaries to address alerts (both positive and negative alerts)
- Expensive detection software, including license fees
- Employee training costs
- Remediation costs and patches when loopholes are found
- Rebuilding and configuring compromised devices
- Cost of repeatedly rewriting ineffective alert rules
- Cost of complacency created by a false sense of security, and later uncertainty created by a realization the system is not working
- Threat alert fatigue
According to Malwarebytes Labs, the most common causes of false positives are:
- Heuristics. Decisions are made with too little (and possibly only approximately correct) information
- Behavioral analysis. Decisions are behavior-based, and legitimate behavior is incorrectly flagged as malicious behavior, for instance, an abnormal increase in website traffic could be mistaken for a DDoS attack
- Machine learning. Sometimes, artificial intelligence solutions don’t take all situations into account
It is not just the hidden costs of false positives; they can also cause threat alert fatigue, which can directly result in a costly breach. As reported by CSO Online, Rob Kerr, chief technology officer at Haystax Technology, suggests threat alert fatigue could have contributed to the famous 2013 Target breach: “There were many missteps before the breach happened, but a big one was that Target missed internal alerts — only finding out about the breach when they were contacted by the Department of Justice.”
Despite the fanfare around automated solutions, humans clearly still have a role to play in identifying false positives, and developing technology solutions and strategies to combat them.
In this article, we will consider ways an organization can find solutions that mitigate the costs of too many false positives (often ones that use aggressive detection techniques) or too many false negatives. The answer appears to lie in a three-pronged approach: bolstering security, utilizing detection and response automation software more effectively, and using humans for analysis and planning.
Hidden Costs of Insecure Endpoints
A 2015 Ponemon study, “The Cost of Insecure Endpoints,” found the hidden cost of false positives in endpoint security alarmingly high.
- The study found that an organization may receive up to an average of 615 endpoint alerts a week and up to 55 percent of security alerts were considered unreliable, even wrong
- One of the hidden costs was time wasted responding to false positives, an average of 425 hours a week. The cost to organizations in time wasted responding to false malware alerts was around $1.37 million annually. Only a third of respondents said they were very effective in minimizing false positives in the detection of insecure devices
- Only 40 percent of respondents said their organization relied on automated tools to evaluate malware threats. Sixty eight percent of this group believed malware containment could be handled by automated tools. The main reasons organizations did not have automated solutions were cost and not having the staff to manage them.
Hidden Costs of Detect-to-Protect Security
Research by Bromium and Vanson Bourne puts the average annual cost of detection-based security for a 2000-person organization at $16.7 million. This cost is made up of $345,000 in technology costs and a whopping $16.3 million in human costs. The study found that 75 percent of the estimated one million alerts a year were false positives.
How Can an Organization Mitigate the Costs of False Alarms?
Beef Up SecOps
Joseph Loomis at Cybersponse argues that instead of organizations only throwing money on software solutions, they need to take a more balanced approach. “We all know that the majority of marketing today promises to solve all your problems if you only use their product … We’ve all heard it before, the point solution era is simple over and done with. Let it die gracefully.” Instead, he makes some suggestions about how SecOps can work smarter:
- Make sure all relevant team members review new security playbooks. The more “eyes,” the better
- Confirm rules and configuration settings as silent rules before committing them so you can check if they are working as they should. This will be less disruptive to the company in the long-term. You can keep testing silent rules until they return no false positives.
- Be prepared for changes. Communicate with other departments to make sure they are not planning anything that could be misconstrued by the system as an attack, e.g. a massive new ad campaign expecting increased numbers of hits on an organization’s website
- SOC team members should be proactive and be on the hunt for anomalies and suspicious behavior, not just rely on identifying known threats and signatures
Create an Infrastructural Zone Defense
The Open Source Cybersecurity Playbook, written by Pete Herzog, focuses on creating a zone defense. Some suggestions:
- Separate services and assets by department and whitelist system access to them by creating logically- and physically-separate zones
- Personal certificates and private keys should be used to create zones across remote accounts. Use a “secret sentence” to harden the security of root access to external systems.
- Use CAPTCHA to protect zones from compromised access attempts
- Create separate zones for executable and read/write files
- Zone working times by shutting the system down when people are not working in it
- Ensure work and personal devices are zoned separately
Design Your Own Phishing Response Playbook
InfoSec Institute has written a phishing alert playbook that outlines the steps an organization should take in response to a phishing attack. Comments author Ravi Das: “Avoiding such types of threats in the future takes a combination of both making sure that your security technology is up to date, and that your employees are taught how to have a proactive mindset in keeping their guard up for any suspicious types and kinds of activity and to report them immediately.”
Isolate Application Malware
Virtualization-based application isolation security provider Bromium suggests a virtualization-based security solution:
- Eliminate false positives – Get high-fidelity alerts
- Don’t patch to protect – Return to regular patch cycles
- Stop reimaging machines – Prevent machines from getting owned
- Reduce triage time – Get real-time forensics with kill-chain analysis
For an introduction to the concept of isolating applications, read the IEEE Computer and Reliability societies’ article, “Sandboxing and Virtualization – Modern Tools for Combating Malware.” (See Sources.)
According to the authors, Chris Greamo and Anup Ghosh, trust exploitation techniques (like phishing) will not be avoided by traditional sandboxing. However, partial or full virtualization will ensure that if an application is exploited, “the attacker only succeeds in gaining access to the guest environment’s data, applications, resources, and OS, not the underlying host’s.”
Virtualization solutions make good security sense, but there are drawbacks. Writing for Tech Target, Michael Cobb warns, “One drawback of virtualized applications has been that they can’t communicate with each other, as they’re operating in their own virtual bubble. So for example, if a user is running virtualized Microsoft Word, any Web links in the document won’t work since Word won’t be able to open Internet Explorer. Solutions and workarounds for these productivity limitations are appearing, but from a security standpoint, they weaken the benefits of application virtualization.”
Implement Automated Incident-Response Software
G2 Crowd provides detailed reviews of free and paid incident response applications, but there are many free options available out there too:
- MIG (open-source): MIG is Mozilla’s cross-platform tool for investigative surgery of remote endpoints. It is composed of agents which are installed on all systems of an infrastructure and query the file-systems, network state, memory or configuration of endpoints. It is well-documented and claims to be extremely fast.
- TheHive (open-source): A scalable 3-in-1 security incident response platform and a powerful collaboration tool for first responders. Using TheHive, colleagues can work on the same case together in real-time and create hundreds of observables, which can then be analyzed across the organization.
- CimSweet (open-source): Designed for remote proactive hunting operations and to facilitate fast incident response. It works on all versions of Windows. The software is a work in progress and worth watching or even joining in the development process. It’s a great opportunity for an organization’s staff to get hands on experience about how incident software response works.
Never Forget the Human Factor
Cyberattacks may be all about technology, but they were created by other humans, and there may be a human element you’re missing. Consider a penetration test, which will give you an example attack where the attacker reports back to you afterwards and tells you what you could be missing.
Organizations wanting to cut the hidden costs of false positives need to go back to the drawing board and tweak their cybersecurity strategy. The solution appears to lie in a three-pronged approach:
- Bolstering security: Depending on their individual requirements and existing infrastructure, companies can adopt alternative or add new cyber-strategies, e.g. virtualization-based application isolation, to their security arsenal.
- Utilizing detection and response automation software more effectively: Organizations should have a multifaceted security strategy that includes both defensive and proactive detection capabilities
- Using humans for analysis and planning: Artificial intelligence is a powerful tool for big-data crunching and analysis, but it takes a human to confirm a false positive or false negative and keep feeding the machine with the rules to detect anomalies.
False positives can be more costly than a malware infection, We Live Security
Explained: False positives, Malwarebytes Labs
False positives still cause threat alert fatigue, CSO Online
Inside knowledge likely in Target breach, experts say, CSO Online
Research Uncovers the Hidden Costs of Detection-based Cybersecurity, Bromium
Our research, Vanson Bourne
Eliminating Cyber Security “False Positives” within the SOC, Cybersponse
Best Practices for Developing a Cyber Security Playbook, CNS Group
The Open Source Cybersecurity Playbook, Pete Herzog
Sandboxing and Virtualization: Modern Tools for Combating Malware, IEEE
What risks do application virtualization products pose?, TechTarget