Eliminating false positives & securing the supply chain with automation

Security teams are being inundated with responsibilities as the cyber threat landscape continues to expand and evolve, straining resources, creating a need for complex security stacks, and making it increasingly difficult to prioritise and respond to legitimate threats.

Complex IT environments require a range of security tools to ensure adequate coverage. Each solution uncovers hundreds of potential security risks, each of which takes the form of an alert sent to the security team to analyse. Dealing with these incoming alerts consumes a large part of the security team’s focus; however, many of these alerts turn out to be false positives. In fact, it is reported that over 25% of cyber security alerts are false positives and pose no risk to the business or its environments.

The sheer number of false positives received directs attention away from the actual risks. Security teams are spending more time being reactive to supposed threats when they should be spending their critical time being proactive and protecting critical environments. When considering a company’s supply chain, there could be thousands of weak points kicking up false positive alerts, especially when more and more companies are performing mass migration to the cloud.


Issues caused by false positives

Every single false positive generated detracts from the genuine threats and vulnerabilities. In our recent survey, 69% of respondents agreed that low staff morale results from alert fatigue due to the overwhelming volume of false positives, yet organisations now accept this as the norm.

Teams can receive over 75,000 alerts in one day from security solutions across the supply chain. This overwhelming number of alerts tends to lead to alert fatigue: security teams have to sift through so many alerts that they begin missing critical ones, or worse, start to simply ignore them. While distracted by false alarms, teams could easily miss a phishing attempt, a potential ransomware attack, or other indicators showing that threats are working their way into the company’s systems unnoticed. By the time the team takes notice of the threat, it is already too late. In fact, 62 percent of respondents agree that threats in their organisation could be missed due to the sheer quantity of false positives.

The impact of even a single missed threat can be catastrophic, as shown by recent attacks such as that on the Colonial Pipeline. One outdated VPN account in the supply chain that slipped under the radar led to one of the worst cyber attacks so far this year. If security teams are spending critical time sifting through a never-ending list of alerts to analyse, it’s understandable how a real threat can go undetected. Give a cyber criminal even a slight opening and they will take it, and organisations will pay the price.


What’s the next step?

It’s very easy in times of stress and urgency to play the blame game over whose fault it is that adversaries are getting through the perimeter. Whether the cause is tools lacking capabilities, vulnerabilities remaining unpatched, or over-worked or under-trained staff, organisations cannot afford to be complacent when it comes to strengthening their overall security posture.

The first step typically taken by businesses is to find the next shiny solution or technology to overcome the current challenges. However, past events have proven this to be easier said than done. There have been a number of examples, including Cylance’s fraud controversy, where businesses have promised to achieve certain outcomes but failed. Understandably, these missteps have damaged the trust of the market, and this trust must be rebuilt.

Businesses taking this next step to secure their supply chain will be relying on their vendors to deliver the information needed to achieve it. A growing trend is the move towards automation. According to 86 percent of survey respondents, tools driven by data science, such as Artificial Intelligence (AI), Machine Learning (ML) and Deep Learning (DL), will all make a significant impact in preventing unknown threats and reducing false positives.


The role of automation

Automated solutions are able to analyse alerts and determine their threat level before they even reach the security team’s inbox. Low-level threats can often be resolved without the need for human interaction.

Security teams are currently running lean and fast, consistently reacting to and chasing threats rather than being proactive and staying one step ahead. Automated technology is naturally more resource efficient, meaning organisations could wave goodbye to the hours wasted sifting through alerts to separate the false from the genuine.

Machine Learning has been used by companies for years as part of the automation process, with the technology being fed new data as new attacks arise. However, attackers have since found ways of manipulating ML and thereby circumventing these defences. Deep Learning, as an advanced subset of ML, requires no human interaction and is designed to learn independently from large amounts of raw data, mimicking the neural networks of the human brain. The system itself learns to differentiate malicious code from benign, without relying on pre-classified data as ML does. This autonomous operation allows security teams to focus on other critical areas of security within the supply chain, leaving the DL solution to predict unknown threats and protect the organisation.

Today, most businesses still take a reactive approach to cybersecurity, but it’s time for greater proactivity. Security teams are not meant to be chasing after thousands of alerts; their priorities and time should be spent fortifying the organisation’s critical infrastructure. Implementing automated solutions will give teams back the time they need to focus on strengthening their entire supply chain. With cybercriminals’ methods and activities rapidly increasing in sophistication and skill, organisations’ security practices need to keep pace with this evolving threat landscape.