Security teams sometimes dial down WAFs, which achieves fewer false positives but compromises security

Indulging false positives sacrifices security

No one likes hearing an alarm going off – whether it’s a fire alarm, a break-in alarm or some other emergency, it’s a nerve wracking experience, especially if you think the alarm is signaling a real threat. If you’re assured the threat isn’t real, you breathe a sigh of relief. But if you had to experience this kind of fake drill every day, or multiple times a day, it would quickly become exhausting. It would also waste a tremendous amount of time and overrun other priorities.

This wasteful cycle is happening in security operation centers across the country, sapping tremendous resources from staff as they respond to false alerts every day. These cycles waste time and energy, and hurt the business, operations and security. Security is compromised because the more time squandered chasing false threats, the less time is spent tracking legitimate threats.

Blocking versus Monitoring in WAF settings increases false positives

WAFs require considerable management and fine-tuning so companies who use web application firewalls (WAFs) typically also need an accompanying qualified staff to manage them. When deployed, WAFs have an option to Monitor and an option to Block. Monitoring shows the attacks a WAF would block. Blocking mode identifies possible threats but it’s known to be inaccurate, causing a large number of false positives. The number of alerts generated every day can be in the thousands, with hundreds of those being false alarms. Chasing these down everyday can preoccupy the staff to the point that they miss legitimate threats.

SOC statistics in dealing with false positives

The statistics below from Advanced Threat Analytics* show polling results from 50 security operation centers (SOCs) on their experience with false positives.

Quantity of daily false positives

45% investigate 10 or more alerts/day

22% investigate 10-20 alerts/day

11% investigate 20-40 alerts/day

11% investigate 50 or more alerts/day

Percentage of false positives experienced

–44%: experience 50% or higher false positives

          –22% experience 50-75% false positives

          –22% experience 75-99% false positives

Time spent managing false positives

64% spend 10 minutes or more investigating each alert

            33% spend 10-20 minutes investigating each alert

20% spend between 20-30 minutes investigating each alert

11% spend between 30 minutes investigating each alert


Reduced security means more data breaches

The strain of dealing with these false alarms takes a toll on staff. SOCs were asked in the poll what they do if they have too many alerts for their analysts to handle. They responded that they tune down their alert thresholds (67%), ignore certain categories of alerts (38%), turn off certain alert features (27%), or hire more analysts (24%).

This means to cope, analysts often have to make the undesirable choice between dialing down the sensitivity of their security levels or not responding to the alerts. They simply can’t devote multiple hours a day chasing what often turn out to be false alarms. But the great risk is that in the midst of the benign noise, real threats can get through undetected and unstopped. Another alternative is devoting more resources or hiring more staff to bail out overwhelmed employees. None of these options is an efficient or effective use of resources. (See Prediction Series #7: If organizations are to increase their focus on application security, they must move beyond RASPs.)

As SOC teams manage the rising tied of false alerts, we predict security analysts will continue to lower their security levels as they grapple with the alarm overload, resulting in an increase in cyber breaches and data compromises.