Reducing Investigation Time: How to Quickly Parse True Positives

In the world of security operations, quickly and accurately investigating security incidents is paramount. Separating the non-consequential incidents from the consequential ones reduces the investigative time for the security ops team.

Non-malicious True Positives pose the most headaches for SOC teams because they waste valuable time that could have been better spent investigating a malicious True Positive or even worse: a False Negative. However, it’s a highly manual process to parse non-malicious True Positives from the malicious. The process demands a significant amount of time, resources, and expertise from an already busy, overworked Security Ops team whose time is better used for consequential, high-impact tasks and projects.

The good news is that there are easier ways of managing this process, and we’ll get to those solutions shortly. But first, let’s align on the essential definition of a True Positive, how it differs from other events, and why it is sometimes challenging to differentiate them from each other.

What is a True Positive?

Simply put, a True Positive is an event, either malicious or non-malicious, that is correctly identified. Often, a True Positive occurs when a non-malicious activity is classified as malicious—like when an antivirus program identifies a file as infected and blocks access because of a specific capability within it that may (or may not) be dangerous to the end user.

Even if the file was safe to open and the antivirus program did misclassify it, the alert it raised to the end user is valid — and usually appreciated. Most people would rather know about a potential security threat than have it fly under the radar.

Essentially, these events can be safe and they can be dangerous. Because of this inherent grey area, True Positives often require close examination by someone who has full context and awareness of the circumstances. It’s never good practice for a Security Ops team to ignore them outright.

And yet, they do — alarmingly often, and for a variety of different reasons. We’ll get to those in a bit, but for now, let’s shift our focus to events that are more clearly classified.

What about clearly non-malicious events?

These are known as either False Positives or True Negatives.

  • A False Positive is an event that is incorrectly identified. A False Positive would occur if the antivirus program blocked the end user from accessing a completely safe, innocent item — like an executable file commonly used to help software run directly, without the need for an installation process.
  • A True Negative is an event that is correctly rejected. Continuing with our example, this occurs every time the antivirus program encounters a non-malicious file and successfully classifies it as safe.

And what about the obviously dangerous, malicious events?

The most dangerous event is a False Negative. This is an event that is incorrectly rejected — like when a risky file or suspicious behavior isn’t recognized as such. If an antivirus program encounters a folder containing a virus and does not flag this for the end user, things can quickly go south.

Because of their clear and evident danger, False Negatives are often the main focus of Security Ops teams. But they can distract from another dangerous event: the malicious True Positive.

Why are malicious True Positives overlooked?

The short answer: they’re somewhat opaque and mysterious, and they require close scrutiny and consideration from the Security Ops team. To demonstrate, let’s move on from the antivirus program and take a new example.

Mellany, an accountant from the finance department at an automobile factory, opens a file service that she has access to, but that she’s never used before. The factory’s Security Ops team is notified that her access may be a threat.

Now, the team has to question this True Positive with a series of questions:

  • Is this access anomalous? Yes, because Mellany is accessing it for the first time. And even though she technically has access rights, they could have been provided by mistake.
  • Is her access risky or dangerous? Probably not—she’s an employee from the finance department.
  • Is this activity interesting? That depends entirely on the context, which should still be considered.

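The three triage questions above, as an added example that is not code from the original post or from Preempt: it encodes each question as a check over constructed access events and sorts them into events that can be logged automatically versus events that still need an analyst. The user names, departments, the department-to-service map and the off-hours flag are assumptions.

```python
# Added example: triage of a first-time file-service access using the three
# questions from the post (anomalous? risky? interesting?). All data is constructed.
from dataclasses import dataclass

# Constructed: file services each department routinely uses.
DEPARTMENT_SERVICES = {
    "finance": {"ledger-share", "payroll-share"},
    "engineering": {"cad-share", "build-share"},
}


@dataclass(frozen=True)
class AccessEvent:
    user: str
    department: str
    service: str
    prior_services: frozenset  # baseline: services this user has used before
    off_hours: bool = False    # assumed context signal


def is_anomalous(ev: AccessEvent) -> bool:
    """Question 1: first use of this service by this user."""
    return ev.service not in ev.prior_services


def is_risky(ev: AccessEvent) -> bool:
    """Question 2: the service is outside what the user's department normally uses."""
    return ev.service not in DEPARTMENT_SERVICES.get(ev.department, set())


def is_interesting(ev: AccessEvent) -> bool:
    """Question 3: context that warrants attention (constructed: off-hours access)."""
    return ev.off_hours


def triage(ev: AccessEvent) -> str:
    """Return 'true-negative', 'benign-true-positive' or 'review'.

    A first-time but in-department, in-context access is a non-malicious
    True Positive: it is logged, not escalated. Risky or interesting
    accesses are escalated for review; routine accesses are True Negatives."""
    if not is_anomalous(ev):
        return "true-negative"
    if is_risky(ev) or is_interesting(ev):
        return "review"
    return "benign-true-positive"


def triage_counts(events) -> dict:
    """Workload summary: how many events land in each triage bucket."""
    counts = {"true-negative": 0, "benign-true-positive": 0, "review": 0}
    for ev in events:
        counts[triage(ev)] += 1
    return counts
```

The Mellany case from the post maps to `AccessEvent("mellany", "finance", "payroll-share", frozenset({"ledger-share"}))`, which `triage` classifies as a benign True Positive, while the same access to an engineering share or during off hours goes to review.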
According to research based on real Preempt customer data, incidents like this happen, on average, 2-6 times per day in a network of ~1000 users. Scale this frequency to the enterprise level, and you’ve got an incredible workload to be shouldered by your Security Ops team — not to mention a lot of overhead to manage!

So, is it any wonder why more than half of security professionals ignore important alerts? Or why more than half of security professionals cannot identify the critical alerts from the non-critical ones?

It’s clear that True Positives need to be analyzed closely, but having your team do it manually, case by case, just isn’t scalable. Fortunately, there are ways to focus only on the malicious True Positives and stop investigating the non-malicious ones.

Options for efficiently investigating True Positives

There are several ways to stop investigating every last True Positive without making any compromise on security:

  • Build or contract a dedicated team. In an ideal world, you would have the resources to hire dedicated staff tasked with investigating, acknowledging, logging, and resolving every True Positive.
  • Use the power of the masses. Empower end users to verify their identity, allowing them to self-approve their access. Though this approach frees the security team to investigate only the incidents they deem high-risk, it does open up the system to rogue insiders.
  • Find a system that gets smarter as you use it. Build (or buy) an intelligent system that analyzes user behavior and takes into account multiple contextual factors and risks, so as to prevent non-malicious True Positives.

For most organizations, the third option is the best bet. A solution like Preempt engages end users in the process of identity verification and threat detection. Their input feeds back into the system, helping it to become smarter, more accurate, and better able to differentiate between normal and suspicious user behavior.

To learn more about how analyzing user behavior can help streamline the workflow of your Security Ops team and reduce overhead, please contact us at [email protected].


*** This is a Security Bloggers Network syndicated blog from Preempt Blog authored by Eran Cohen. Read the original post at: