Ever since networks got attacked the victims have thought of ways to detect and prevent attacks. Packet filters were the first idea. Closing a port meant to worry less about applications listening on them. So the trouble of protecting moved to the services that were still exposed. Filtering got more complex, protocols were inspected, signatures were introduced, intrusion detection systems were born. Great – but the attacks didn’t disappear. Instead you got alerts, a lot of them. Some were caused by real attacks, some were false alerts. Enter false positives.
Setting off false alarms is a tried and true military tactic. After a couple of false alarms the sentries will probably be less alert. Translated to information security this means that alerts (and log files) will be ignored after a couple of false alerts. You are lucky if you only have a couple. Modern computer systems are so powerful that they can even create millions of false alarms per second. That’s a problem, and it leads to network intrusion systems being decommissioned. Frustrating for security admins who possibly spent months or years to convince their management in order to procure the equipment. In turn you don’t get much support from IDS/IPS vendors, because all they will tell you is that their technology can work at wire speeds – despite the fact that your wires aren’t moving.
Gavin ‘jac0byterebel’ Ewan explores an alternative approach to deal with false positives. Since they create an measurable overhead and thus costs in terms of money, reducing them is a way of being more efficient and introducing quality assurance. In his talk at DeepSec 2013 he will show you how a business can drill costs down to the level of the individual false positive and present models which allow you to determine the ‘optimum level’ of false positives, carefully balancing the need to reduce false positives with the very real effect of having no true positives either!
Gavin’s talk is recommended for everyone who runs or uses a network. ☺