Once you set up alarm systems, you will have to deal with false alarms. This is true for your whole infrastructure, digital or otherwise. When it comes to intrusion detection systems (IDS), you will have to deal with false positives. Since you want to be notified of any anomaly, you cannot simply ignore alarms. Investigating false alarms creates costs and diverts effort from other tasks in your IT infrastructure. Attackers, in turn, can use false positives against you if they know how to trigger them and do so in bulk. Where do you draw the line?
In his presentation at DeepSec 2013, Gavin ‘Jac0byterebel’ Ewan (of Alba13 Research Labs) introduced an interesting approach to dealing with false positives: “…Taking false positive figures from a number of real business entities ranging in size and business area (don’t worry, they’re anonymised), the aim of this talk is to arm my fellow hackers and testers with the knowledge and, more importantly, the language to put a case forward to the powers that hold the purse strings within our business and ask: ‘Can I have X amount of budget to mitigate our false positive problem that is costing Y?’”