Technology Record - Issue 28: Spring 2023

72 VIEWPOINT

Effective detection and response technologies within security operations centres will be transformational for organisations battling with increasingly sophisticated cyber threats

CARSTEN WILLEMS: VMRAY

The danger of false positives

One critical enterprise security technology to emerge in recent years is endpoint detection and response (EDR). EDR and extended detection and response (XDR) solutions such as Microsoft Defender for Endpoint collect and analyse security-relevant information from endpoints, detect breaches as they happen, and enable a much faster response. However, despite their great potential, EDR and XDR can also generate a large number of low-priority and false positive alerts, which stifles their overall effectiveness.

Security systems can trigger false positive alerts that look like real threats but are in fact not a cause for concern: they have been triggered by misconfigured systems, unexpected application behaviour or anomalous user activity. Malware- and phishing-related EDR false positive alerts are extremely detrimental to a security operations centre's (SOC) effectiveness, as they create extra work and distract security teams from focusing on actual threats. Every SOC team is obligated to investigate every alert as if it were a real threat, only to realise after hours of frustrating investigation that they were chasing a ghost.

Whether you are concerned about simple ransomware or phishing (dangerous precisely because it is unknown), or your attacker profile includes advanced persistent threats, you need a well-equipped, effective and efficient SOC. The biggest SOC challenge today is having enough skilled resources available to identify and mitigate the real threats that bypass security controls, while not being distracted by these time-consuming false positive alerts.
When security controls become more effective at blocking attacks, malware writers counter by developing more sophisticated and evasive techniques to bypass them. This cat-and-mouse game could be seen as a never-ending cycle. Currently, the only way to identify previously unknown malware and phishing threats, prior to a detection signature being released by the community or a security vendor, is to triage them manually or to detonate and analyse them in a safe, monitored sandbox environment. Once detonated, the monitored actions and behaviours, known as indicators of compromise, can be used by detection engineering teams to mitigate current and future attacks.

By integrating a solution for automated malware and phishing analysis and triage into the SOC technology stack, existing EDR and XDR solutions can pass suspicious files and URLs to it and determine within minutes whether they are malicious or benign. If the result is benign, an automated rule can be created to blacklist the alert as a false positive, so that it does not trigger an alert again. With a malicious result, the infected
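The triage loop described above, as an added example that is not part of the original article and not VMRay's or Microsoft Defender's code: alerts carry the flagged file's SHA-256, a (constructed) stand-in returns the sandbox verdict, benign verdicts become time-limited suppression rules keyed on the hash only, and malicious verdicts are escalated together with the captured indicators. The alert records, hashes and indicators are all constructed for the example.

```python
"""Automated alert triage: EDR alert -> sandbox verdict -> suppress or escalate.

Illustrative code only. `detonate()` is a constructed stand-in for a sandbox
API; a real integration would submit the sample and poll for the report.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Alert:
    alert_id: str
    sha256: str        # hash of the flagged file; the ONLY key suppression uses
    path: str          # informational; a path or filename is never a safe key
    observed: datetime


@dataclass
class Verdict:
    label: str         # "benign", "malicious" or "unknown"
    iocs: tuple = ()   # behaviours/indicators captured during detonation


# Constructed sandbox results keyed by hash (placeholders, not real samples).
FAKE_SANDBOX = {
    "a" * 64: Verdict("benign"),
    "b" * 64: Verdict("malicious", ("c2.example.invalid", "Run key: updater")),
}


def detonate(sha256: str) -> Verdict:
    """Stand-in for submitting the sample to the sandbox and reading the verdict."""
    return FAKE_SANDBOX.get(sha256, Verdict("unknown"))


class Triage:
    def __init__(self, suppression_ttl: timedelta = timedelta(days=30)):
        self.suppression_ttl = suppression_ttl
        self.suppressed = {}     # sha256 -> expiry of the benign verdict
        self.detonations = 0     # how many sandbox runs the loop actually spent
        self.escalated = []      # (alert_id, iocs) handed to analysts / detection engineering

    def _is_suppressed(self, sha256: str, now: datetime) -> bool:
        expiry = self.suppressed.get(sha256)
        if expiry is None:
            return False
        if now >= expiry:
            # A benign verdict ages out: re-analyse rather than trust it forever.
            del self.suppressed[sha256]
            return False
        return True

    def handle(self, alert: Alert) -> str:
        if self._is_suppressed(alert.sha256, alert.observed):
            return "closed:false-positive"      # no analyst time, no sandbox time
        self.detonations += 1
        verdict = detonate(alert.sha256)
        if verdict.label == "benign":
            # Automated rule: this hash is a known false positive for the TTL.
            self.suppressed[alert.sha256] = alert.observed + self.suppression_ttl
            return "closed:false-positive"
        # Malicious AND unknown both go to a human; only a benign verdict suppresses.
        self.escalated.append((alert.alert_id, verdict.iocs))
        return "escalated"


def run(alerts, ttl: timedelta = timedelta(days=30)):
    """Triage alerts in order; returns per-alert outcomes and the triage state."""
    triage = Triage(ttl)
    outcomes = [(a.alert_id, triage.handle(a)) for a in alerts]
    return outcomes, triage


DAY0 = datetime(2023, 3, 1)
# Constructed EDR alerts: A1/A2/A4 share a benign hash seen under different
# paths; A3 is the malicious sample; A4 arrives after the suppression expired.
SAMPLE_ALERTS = [
    Alert("A1", "a" * 64, r"C:\Tools\helper.exe", DAY0),
    Alert("A2", "a" * 64, r"C:\Users\x\Downloads\helper.exe", DAY0 + timedelta(days=1)),
    Alert("A3", "b" * 64, r"C:\Users\x\AppData\Local\Temp\invoice.exe", DAY0 + timedelta(days=2)),
    Alert("A4", "a" * 64, r"C:\Tools\helper.exe", DAY0 + timedelta(days=40)),
]

if __name__ == "__main__":
    outcomes, state = run(SAMPLE_ALERTS)
    for alert_id, outcome in outcomes:
        print(alert_id, outcome)
    print("sandbox runs:", state.detonations, "escalated:", state.escalated)
```

Two design points matter in practice: suppression is keyed on the file hash, never on a path or filename, so A2 is closed without a second detonation even though it was seen elsewhere; and the rule expires, so A4 is re-analysed rather than trusted indefinitely. An "unknown" verdict is deliberately escalated, not suppressed, so the sandbox failing to reach a conclusion cannot silently close alerts.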