Don’t Accept More False Positives in a Trade for Better Endpoint Security


Cybersecurity professionals accept that some unpleasant aspects of their jobs are inevitable. For example, attackers don’t take days (or nights) off; end users will make a stink whenever a security scan slows their devices or interrupts their workflows for even just a few minutes; and adding more layers to the security stack increases the number of false positives. There really isn’t anything that can be done to change adversaries’ behavior or users’ high expectations. But no one should have to accept that more protection always equals more false positives.

False positives occur when one of your security solutions raises an alert about an issue (e.g., malware, anomalous behavior) that doesn’t actually exist. It’s like when a dog trips a home’s burglar alarm sensors. The alarm system detects suspicious activity, but can’t confirm that Fido isn’t a threat, so the siren goes off.

Source: Nyotron webinar “Should More Protection Really Equal More False Positives?”

Considering all the challenges you face every day, reducing false positives may not rank very high on your priority list. But it should.

One false positive is not a big deal. On a cumulative basis, however, they cause alert fatigue and divert the security team’s already limited resources away from real issues. This doesn’t just waste time and money, it leaves the organization more vulnerable to a real attack.

Perhaps the most famous example is the 2013 Target breach that resulted in the theft of the private data of about 70 million customers. As CSO’s Ryan Francis discovered, the company’s security monitoring software did alert staff in Bangalore, India that the attack was underway, who in turn notified Target staffers in Minneapolis. But no one took action because these alerts were included with many other alerts, most of them likely false.

The typical recommendation from security vendors is to find a balanced approach between detection and alerting and actually preventing the activity deemed malicious. It’s up to an organization to strike their balance, but the choice is a Catch-22: either be swamped by alerts, or let malware slip through unnoticed.

How can you break the correlation between security and the rate of false positives? By using OS-Centric Positive Security through Indicators of Integrity (IOIs) that provide consistent evidence (e.g., a sequence of system calls) that precede a legitimate activity (e.g., file deletion). Instead of trying to identify and prevent the infinite amount of “badness” that’s out there, you focus on the much more finite amount of legitimate (i.e., “good”) system activities to improve protection and eliminate false positives.

At Nyotron, we use IOI to describe the OS behavior. Every single person uses an Operating System – it’s universal to all users. Because its core functionality rarely changes, the actual good behavior of the OS is limited and easy to monitor, especially in the way it works with the file system and networking. The more precisely you can describe a specific behavior, the higher level of security you can achieve while simultaneously reducing the rate of false positives.

For a deeper dive into the problems false positives (FP) cause, and about the approach that will not force you to choose between better security and lower level of FPs, head over to our webinar archive and check out the presentation our CTO Nir Gaist led entitled “Should More Protection Really Equal More False Positives?”

Rene Kolga is Senior Director of Product and Marketing at Nyotron, the developer of PARANOID, the industry’s first OS-Centric Positive Security solution to strengthen your AV or NGAV protection. By mapping legitimate operating system behavior, PARANOID understands all the normative ways that may lead to damage and is completely agnostic to threats and attack vectors. When an attack attempts to delete, exfiltrate or encrypt files (among other things), PARANOID blocks them in real-time.