It's hard enough to keep your company's networks secure without the possibility of false positive security alerts from security systems such as IPS, IDS, firewalls and antivirus systems. A high percentage of false positives means critical data can be misinterpreted, leading the team to look for malicious activity that doesn't exist. That, in turn, can leave them too busy to focus on real threats. What's more, false positives take too much time to sort through. The biggest cause of false positives is when security systems can't understand the business importance and vulnerabilities of all systems within the organization. To fight false positives, maintain up-to-date system and network configurations so that sensors property reflect the network's structure, behavior and preferences; train security personnel for first-pass analysis and escalation; track the ratio of false positives; regularly review sensor performance; correlate security events from different systems to highlight unusual events; focus on deviations from acceptable use policies; educate your users on security policies and acceptable network use; and consider a Security Information Event Management (SIEM) solution.
For more about reducing false positives:
- read the article [1] at IT-Observer
Links:
[1] http://www.it-observer.com/articles/1312/the_dirty_dozen__killing_false_positives/