
5 ways of verifying security risks and avoiding false positives

joanna

I think I can safely assume that everyone knows the cautionary tale of the boy who cried wolf. If you don’t, the moral is the more you say something is wrong when nothing is wrong, the more likely it is no one will believe you when something actually is wrong. In the network security world, no one wants a security solution that cries wolf. Hidden within dozens of false positives, there could be one issue lurking, waiting to cause a lot of trouble on your network.


The security solution that cried wolf

It can happen to anyone. All is quiet in the NOC when suddenly several emails and alerts go off saying there’s a security issue that needs to be addressed. You scramble over to your monitoring tools, hastily log in, go to view the alarms and… it’s all false positives. One or two false positives are not a huge deal, but after enough of them the alerts become a nuisance and can lead you to ignore them altogether. You can read more about false positives and types of alerts by following this link to OWASP.

Five ways to verify security risks and avoid false positives

What I’m about to list will mostly pertain to Plixer Scrutinizer, but I’m sure these tips can be applied to other solutions as well.

1. What’s triggering the alarm?

If there’s one alarm showing up frequently, look at what’s causing the alarm to trigger. For example, one of Plixer Scrutinizer’s built-in alarms is Top Network Transports. This analyzes your traffic for protocols that have not been allowed on your network. I see this one blowing up the Alarms tab often because some networks use unique protocols for internal traffic. Chances are, if you choose to investigate an alarm with many hits, you’ll see the same IP or protocol triggering the alert over and over.

First, allow the IP or protocol, which tells your security solution not to alert on it any longer. Next, clean up the existing alarms that refer to what you have just allowed. Lastly, wait and see whether the alert comes back: you’ll either find another IP or protocol that needs to be allowed, or you’ll find an actual issue.

2. Investigate the traffic

It’s nice to know that something has happened, but without the details, who knows if this is an actual issue or not? Find your violator in the alarms and then search for it within your saved flow data. Since flow data contains a lot of context-rich information, you should be able to find this data with no problem.

In Plixer Scrutinizer, select the alarm you wish to investigate, find the violator address, and then select the magnifying glass icon next to the logout button in the upper right-hand corner of the screen. This will bring you to the saved flows search. You can narrow the search down to specific exporters or all exporters, as well as specific time frames. Once you have determined whether this is a real issue, you can go through what I outlined in step 1 to allow specific IPs or protocols if it turns out to be normal network behavior.

Plixer Scrutinizer host index

3. Focus on edge devices

Typically, when we help customers set up their flow analytics in Plixer Scrutinizer, we suggest focusing primarily on edge devices. Edge devices are where you’ll see issues arise first if they come from the outside. By focusing on edge devices only, you can limit how many alarms you generate, and therefore limit the chance of a false positive. What about issues that come from the inside? You’ll see those too, because inside issues such as trojans phoning home or attempting to funnel data out still have to cross the edge.

4. Keep an eye on your bandwidth

When it comes to alerts like DDoS and P2P (peer-to-peer) connections, you’ll typically see a large spike in network traffic. If you’re unsure about that DDoS alarm, you can look at the volume of traffic and see if there is a significant spike of abnormal traffic. You’ll want to see if there is anything unusual lurking within the data itself. With DDoS in particular, you’ll see many small conversations of a similar size, not just one or two large conversations.
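As an added example serving steps 1 and 4 (my own illustration, not Plixer’s code or part of the original post), here is a small Python triage script over constructed flow records. It counts hits for transports outside an allowlist so repeat offenders stand out, and it looks inside a volume spike to separate many similar-sized conversations from many sources (DDoS-shaped) from a couple of large conversations (a transfer). The record layout, the sample addresses and all thresholds are assumptions for illustration.

```python
from collections import Counter
from statistics import median

# Constructed flow records (src, dst, proto, bytes); not real capture data.
INTERNAL = [("10.0.0.5", "10.0.0.9", "OSPF", 512), ("10.0.0.5", "10.0.0.9", "OSPF", 498),
            ("10.0.0.7", "10.0.0.9", "VRRP", 120), ("10.0.0.8", "10.0.0.9", "GRE", 2048)]
# Sixty sources each holding one ~600-byte conversation with the web server.
FLOOD = [(f"203.0.113.{i}", "10.0.0.80", "TCP", 580 + (i % 7) * 10) for i in range(1, 61)]
# A backup window: two large conversations plus a little background noise.
BACKUP = [("10.0.0.20", "10.0.0.200", "TCP", 5_000_000), ("10.0.0.21", "10.0.0.200", "TCP", 4_800_000),
          ("10.0.0.22", "10.0.0.200", "TCP", 1500), ("10.0.0.23", "10.0.0.200", "TCP", 900)]

def transport_alarms(flows, allowed):
    """Step 1: hits per (src, proto) for transports not on the allowlist, most frequent
    first. A pair that dominates the list is the one to allow (or to investigate)."""
    hits = Counter((src, proto) for src, _, proto, _ in flows if proto not in allowed)
    return hits.most_common()

def classify_spike(flows, dst, baseline_bytes, min_conversations=50, min_bulk_bytes=1_000_000):
    """Step 4: look inside a traffic spike toward `dst`. Many conversations of similar
    size from distinct sources look like a flood; a few large ones look like a transfer."""
    sizes = sorted(b for _, d, _, b in flows if d == dst)
    total = sum(sizes)
    if not sizes or total < 2 * baseline_bytes:  # no spike relative to normal volume
        return "normal"
    mid = median(sizes)
    similar = sum(1 for s in sizes if abs(s - mid) <= 0.5 * mid)  # within +/-50% of median
    sources = {s for s, d, _, _ in flows if d == dst}
    if len(sizes) >= min_conversations and similar >= 0.8 * len(sizes) and len(sources) >= min_conversations:
        return "ddos_like"
    if total >= min_bulk_bytes and sizes[-1] >= 0.5 * total:  # one conversation is half the bytes
        return "bulk_transfer"
    return "spike_unclassified"

if __name__ == "__main__":
    print(transport_alarms(INTERNAL, {"TCP", "UDP", "ICMP"}))
    print(transport_alarms(INTERNAL, {"TCP", "UDP", "ICMP", "OSPF"}))  # after allowing OSPF
    print(classify_spike(FLOOD, "10.0.0.80", baseline_bytes=5_000))
    print(classify_spike(BACKUP, "10.0.0.200", baseline_bytes=1_000_000))
    print(classify_spike(INTERNAL, "10.0.0.9", baseline_bytes=5_000))
```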

5. Give our Plixer Security Intelligence solution a try

Now, even on the slowest of days, no one has time to sit and stare at a screen and scan through alarms all day. Plixer Security Intelligence can help take that task off your plate! Using machine learning, the platform will analyze your network traffic, learn its environment quickly, and alert you when something out of the ordinary pops up. You can follow this link here to learn more.

To quickly sum everything up, a little bit of analysis goes a long way when it comes to alarm cleanup and ensuring normal network traffic doesn’t start hiding your legitimate issues. If you and your team are struggling to figure out which events are false positives and which are a legitimate issue, download Scrutinizer and give our new Plixer Security Intelligence solution a test drive.