The Danger of False Positives

Kim Crawley
Nov 22, 2016


Cartoon courtesy of SMBC

Many of us have shopped in a corporate brick-and-mortar store and accidentally triggered the EAS (Electronic Article Surveillance) alarm as we walked through the exit. Sometimes a cashier forgets to deactivate all of the electromagnetic or acousto-magnetic tags on our purchased merchandise. Other times, interference from nearby electronic devices triggers the alarm. Some retail staff will insist on checking the items on your person when an alarm goes off. But retail EAS alarms so often go off when no shoplifting is taking place that employees frequently learn to ignore them altogether.

So what’s the point of a retail store using an EAS system in the first place? Perhaps having one lowers the store’s loss prevention insurance premiums. But insurers won’t continue to recognize EAS systems as a deterrent if the alarms keep being ignored.

Alert Data Overload

As far as network security is concerned, a few false positives in your logs are no big deal. Proper log analysis of network devices (such as firewalls) and endpoints (client and server machines) alike requires a human element. Log analysis software handles most of the tedium, but a network admin or sysadmin still has to examine each alert to determine whether a breach or attack has actually happened, or whether a vulnerability actually exists. If false positives make up only a small percentage of overall alerts, the admin’s workload stays manageable and they can afford to take every alert seriously. The catch is that a false positive rate that looks small per event can still dominate the queue, because benign events vastly outnumber malicious ones.

But a study released by Prelert in April 2015 suggests that an excess of false positives is hurting cybersecurity. In the study of over 200 IT professionals, 62% of respondents say that they deal with an excess of alerts and false positives and they’re overwhelmed.
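The following is an added example, not part of the original post, showing why a per-event false positive rate that sounds small still buries the genuine alerts. The traffic volume, prevalence and triage time below are constructed assumptions, not figures from the Prelert study; the function implements the standard base-rate (precision) calculation and can be rerun with your own numbers.

```python
"""Base-rate arithmetic for an alert queue (added example, constructed figures)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AlertLoad:
    true_alerts: float     # alerts raised on genuinely malicious events per day
    false_alerts: float    # alerts raised on benign events per day
    missed: float          # malicious events that raised no alert
    precision: float       # fraction of all alerts that are real
    analyst_hours: float   # hours needed to triage every alert


def alert_load(events_per_day: float, malicious_rate: float,
               detection_rate: float, false_positive_rate: float,
               minutes_per_alert: float = 10.0) -> AlertLoad:
    """Project a detector's daily alert volume from its per-event rates.

    malicious_rate       fraction of events that are actually malicious
    detection_rate       P(alert | malicious), the detector's sensitivity
    false_positive_rate  P(alert | benign)
    minutes_per_alert    assumed human triage cost per alert
    """
    malicious = events_per_day * malicious_rate
    benign = events_per_day - malicious
    tp = malicious * detection_rate
    fp = benign * false_positive_rate
    total = tp + fp
    precision = tp / total if total else 0.0
    return AlertLoad(tp, fp, malicious - tp, precision,
                     total * minutes_per_alert / 60.0)


if __name__ == "__main__":
    # Assumed: one million events a day, ten of them malicious, a detector
    # that catches 95% of attacks. Only the false positive rate varies.
    for fpr in (1e-2, 1e-3, 1e-4):
        load = alert_load(1_000_000, 1e-5, 0.95, fpr)
        print(f"FPR {fpr:.4%}: {load.true_alerts:.1f} real, "
              f"{load.false_alerts:.0f} false, precision {load.precision:.2%}, "
              f"{load.analyst_hours:.0f} analyst hours/day")
```

At a 1% per-event false positive rate the constructed network produces roughly ten thousand false alerts a day against under ten real ones, so only about one alert in a thousand is real and no team can triage them all; cutting the rate to 0.01% leaves the same real alerts and a queue a single analyst can actually work.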

And What About End Users?

End users are a vital component of endpoint security. Most end users lack the knowledge of an IT professional or a computer scientist, but they and their actions are the last line of defense in matters such as client-side malware propagation.

If a client’s antivirus software too often alerts a user that a clean file or application is malicious, the user is more likely to ignore the AV alert when a file or application actually is malicious. They may even deactivate their AV shield, especially in a consumer scenario. Both signatures and heuristics can generate false positive malware alerts.

End users also deal with false positives from home router firewall devices, web browser antiphishing features, and email filters.

Conclusion

More research and development must be done to tweak algorithms, signatures, and heuristics so that security systems raise fewer false positives while staying sensitive to legitimate threats. That is not a simple order, because the two goals pull against each other: every threshold raised to silence benign noise is also a threshold an attacker can stay under. But nothing worthwhile is easy.
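As an added example, not part of the original post, here is that trade-off made concrete on constructed log data: a naive signature-style rule that alerts on every failed SSH login, beside a threshold rule that only alerts when one source fails repeatedly within a short window. The log lines imitate the OpenSSH "Failed password" format, but the hosts, users and addresses are made up, and the ground-truth attacker set is an assumption built into the sample.

```python
"""Naive vs. threshold rule over constructed sshd logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one brute-force source (203.0.113.9), one user who mistyped
# her password twice, and a monitoring probe that fails once an hour.
SAMPLE_LOG = [
    f"Jan 10 09:00:{s:02d} bastion sshd[4242]: Failed password for root "
    f"from 203.0.113.9 port {50000 + s} ssh2"
    for s in range(20)
] + [
    "Jan 10 09:05:10 bastion sshd[4301]: Failed password for alice from 198.51.100.4 port 51002 ssh2",
    "Jan 10 09:05:14 bastion sshd[4301]: Failed password for alice from 198.51.100.4 port 51002 ssh2",
    "Jan 10 09:05:20 bastion sshd[4301]: Accepted password for alice from 198.51.100.4 port 51002 ssh2",
    "Jan 10 08:00:00 bastion sshd[3999]: Failed password for probe from 192.0.2.77 port 40000 ssh2",
    "Jan 10 09:00:00 bastion sshd[4200]: Failed password for probe from 192.0.2.77 port 40001 ssh2",
    "Jan 10 10:00:00 bastion sshd[4500]: Failed password for probe from 192.0.2.77 port 40002 ssh2",
]
ACTUAL_ATTACKERS = {"203.0.113.9"}  # assumed ground truth for the sample above

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failures(lines, year=2016):
    """Yield (timestamp, source_ip) for every failed-login line (syslog has no year)."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["src"]


def naive_rule(lines):
    """Signature-style rule: any failed login makes its source an alert."""
    return {src for _, src in parse_failures(lines)}


def threshold_rule(lines, min_failures=5, window=timedelta(seconds=60)):
    """Alert on a source only if it fails min_failures times within window."""
    by_src = defaultdict(list)
    for ts, src in parse_failures(lines):
        by_src[src].append(ts)
    alerts = set()
    for src, times in by_src.items():
        times.sort()
        for i in range(len(times) - min_failures + 1):
            if times[i + min_failures - 1] - times[i] <= window:
                alerts.add(src)
                break
    return alerts


def score(alerts, attackers=ACTUAL_ATTACKERS):
    """Return (true positives, false positives, missed attackers)."""
    return (len(alerts & attackers), len(alerts - attackers),
            len(attackers - alerts))


if __name__ == "__main__":
    print("naive     ", score(naive_rule(SAMPLE_LOG)))
    print("threshold ", score(threshold_rule(SAMPLE_LOG)))
    print("too strict", score(threshold_rule(SAMPLE_LOG, min_failures=50)))
```

On the sample the naive rule raises three alerts, two of them false; the threshold rule raises one, the real attacker; and raising the threshold to 50 failures silences the false alerts but also loses the attacker, which is exactly the sensitivity cost the tuning has to weigh.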

Hopefully, antivirus software developers, network security device OEMs, and endpoint solution developers alike will be mindful of the growing false positive problem in information security. Also, we mustn’t forget end user education for both consumers and professionals. End users must be properly educated to understand the security alerts that they see so that they can take proper measures without needing the knowledge of an information security professional.
