Nothing makes security look worse than the false negative: we miss an attack and damage is done. As security professionals, it's something we all obsess over. However, the number two thing that makes us look bad is the false positive.
We experience this all the time in the physical world. A few months ago, I went to buy a new stove. My credit card was declined because of the large purchase amount. When I got on the phone with the bank’s fraud department, I was unable to “prove” I was who I said I was, which resulted in me having to visit one of their branches to verify myself. I no longer use this bank’s services. Too bad, since I’d been a customer for decades, but if the card won’t work when I need it to, why bother? And this is security’s bane: the false positive that is so frustrating, it drives a loyal customer away.
As defenses become increasingly automated and human intervention declines, the cyber-world is going to inconvenience more users with false positives. As any sysadmin who has been awakened at 3 a.m. by an automated failure alarm will tell you, the technology for detecting genuine incidents is far from perfect. It's even worse on the adversarial battlefield of cyber-security, where attackers are constantly improving their tactics. Consequently, our defensive tools are always playing catch-up and misfiring because of it.
Antivirus software has a history of deleting or blocking legitimate files. Outbound content filters have been known to occasionally block innocuous websites. Users of a website get misidentified as bots and shunned, perhaps because they use old browsers or run suspicious-looking browser extensions. Legitimate web monitoring services get rejected by the firewall. And who hasn't been locked out of their work by an authentication system? It's all par for the course, up until it's an Executive VP whose work is disrupted by a false positive at the wrong time. Then the security department really hears about it. Even in the best of times, false positives slow down workflow and create a drag on performance.
Of course, defenders and security vendors do their absolute best to drive false positives to zero. However, the worst case of a false negative, combined with the cunning of attackers trying to sneak past, means that the settings on a security control are always going to favor safety over convenience.
It gets worse, though, because attackers know about this choice and will deliberately generate false positives to distract defenders and wear them down. As in the original Thomas Crown Affair, a crook can intentionally set off an alarm repeatedly to trick the guards into turning it off.
Since false positives are a reality in the security world, we should be intentional and proactive in the way we deal with them. First, we need to recognize that the false-positive rate is a dial that we can tune and must own in our security controls: turning it down to avoid annoying users turns the false-negative rate up. This means the business should understand the trade-off between the risk of cyber incidents and the loss of capability or revenue. Being clear about the limitations of our technology and what that entails is an important conversation to have with leadership.
Second, security controls should be introduced carefully, with a keen eye to testing, tuning, and user feedback. This doesn't mean leaving a control in transparent, alert-only mode forever, since that jams the lever back towards false negatives: the control sees the attack but nothing stops it. It means taking the time to understand a security control, how it does its work, and what its implications are for your organization.
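The "dial" described in the last two paragraphs can be made concrete. The following is an added example and not code from the original post: it assumes a hypothetical score-based control, a small constructed set of reviewed events (the scores and labels are made up), and a false-negative budget that the business has agreed to. It shows how moving one threshold trades false positives against false negatives, how a budget picks the setting, and why alert-only mode lets every true positive through.

```python
"""Added example: the false-positive / false-negative dial on a score-based control.

Not code from the original post. The control, the scores and the labels are
hypothetical; the sample events below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence


@dataclass(frozen=True)
class Event:
    score: float      # risk score from a hypothetical control: 0.0 benign .. 1.0 hostile
    malicious: bool   # ground truth established after human review


# Constructed sample, not real telemetry: 9 benign and 6 malicious events.
SAMPLE_EVENTS: List[Event] = [
    Event(0.05, False), Event(0.12, False), Event(0.20, False),
    Event(0.33, False), Event(0.41, False), Event(0.48, False),
    Event(0.55, False), Event(0.62, False), Event(0.71, False),
    Event(0.58, True), Event(0.66, True), Event(0.74, True),
    Event(0.83, True), Event(0.91, True), Event(0.97, True),
]


@dataclass(frozen=True)
class Outcome:
    threshold: float
    tp: int   # malicious and flagged
    fp: int   # benign but flagged (the user-facing annoyance)
    fn: int   # malicious but not flagged (the damage)
    tn: int   # benign and left alone

    @property
    def false_positive_rate(self) -> float:
        benign = self.fp + self.tn
        return self.fp / benign if benign else 0.0


def evaluate(events: Iterable[Event], threshold: float) -> Outcome:
    """Confusion matrix for flagging every event whose score >= threshold."""
    tp = fp = fn = tn = 0
    for e in events:
        flagged = e.score >= threshold
        if flagged and e.malicious:
            tp += 1
        elif flagged:
            fp += 1
        elif e.malicious:
            fn += 1
        else:
            tn += 1
    return Outcome(threshold, tp, fp, fn, tn)


def pick_threshold(events: Sequence[Event], candidates: Sequence[float],
                   max_false_negatives: int) -> Optional[Outcome]:
    """Given the false-negative budget the business accepts, choose the candidate
    threshold that stays inside it with the fewest false positives.
    Returns None when no candidate fits the budget."""
    fitting = [o for o in (evaluate(events, t) for t in candidates)
               if o.fn <= max_false_negatives]
    # On equal false positives prefer the higher (quieter) threshold.
    return min(fitting, key=lambda o: (o.fp, -o.threshold), default=None)


def malicious_allowed(events: Iterable[Event], threshold: float, enforce: bool) -> int:
    """Malicious events that reach their target. In alert-only mode nothing is
    blocked, so every one of them gets through regardless of the threshold."""
    if not enforce:
        return sum(1 for e in events if e.malicious)
    return sum(1 for e in events if e.malicious and e.score < threshold)


if __name__ == "__main__":
    candidates = (0.5, 0.6, 0.7, 0.8)
    for t in candidates:
        o = evaluate(SAMPLE_EVENTS, t)
        print(f"threshold {t:.1f}: TP={o.tp} FP={o.fp} FN={o.fn} TN={o.tn} "
              f"FPR={o.false_positive_rate:.2f}")
    for budget in (0, 1, 3):
        choice = pick_threshold(SAMPLE_EVENTS, candidates, budget)
        print(f"FN budget {budget}: use threshold {choice.threshold} ({choice.fp} FPs)")
    print("alert-only, 0.7:", malicious_allowed(SAMPLE_EVENTS, 0.7, enforce=False), "get through")
    print("enforcing, 0.7: ", malicious_allowed(SAMPLE_EVENTS, 0.7, enforce=True), "get through")
```

The sweep is the conversation with leadership in numbers: on this sample, a zero false-negative budget forces the 0.5 threshold and three annoyed users, while each false negative the business is willing to tolerate buys one fewer false positive. The last two lines show what alert-only mode actually costs: the control is no quieter, it simply blocks nothing.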
Third, recognize that since false positives are almost inevitable, you need a vigorous and effective recovery mechanism to get people back up and running. Put humans in the loop and empower them to respond effectively. This is where the bank failed in my false positive example. Part of that response is to apologize for the disruption. You can even frame it as a sign that your organization is being vigilant. But do remember, your control has interrupted someone's work, and Security needs to own the problem. That also means tracking these incidents and bubbling the results upstream, so the dial gets adjusted from data rather than from whoever complained loudest.
It's time to accept false positives as a fact of life in cyber-security and plan accordingly. The only alternative is to turn our defenses off, which is even worse.