The danger of false positives for security systems


Detection and response technologies will be transformational for organisations battling with increasingly sophisticated cyber threats, says VMRay’s Carsten Willems 

Guest contributor


One critical enterprise security technology to emerge in recent years is endpoint detection and response (EDR). EDR and extended detection and response (XDR) solutions such as Microsoft Defender for Endpoint collect and analyse security-relevant telemetry from endpoints, detect breaches as they happen, and enable a much faster response. However, despite their great potential, EDR and XDR can also generate a large number of low-priority and false-positive alerts, which stifles their overall effectiveness. 

Security systems can trigger false-positive alerts that look like real threats but are in fact not a cause for concern: they have been triggered by misconfigured systems, unexpected application behaviour or anomalous user activity. Malware- and phishing-related EDR false positives are extremely detrimental to the effectiveness of a security operations centre (SOC), as they create extra work and distract security teams from actual threats. Every SOC team is obligated to investigate every alert as if it were a real threat, only to realise after hours of frustrating investigation that they were chasing a ghost. 

No matter if you care about simple (yet dangerous because unknown) ransomware or phishing, or if your attacker profile includes advanced persistent threats, you need a well-equipped, effective and efficient SOC. The biggest SOC challenge today is having enough skilled resources available to identify and mitigate real threats that bypass their security controls, while not being distracted by these time-consuming false positive alerts. 

When security controls become more effective at blocking attacks, malware writers counter by developing more sophisticated and evasive techniques to bypass them. This cat-and-mouse game could be seen as a never-ending cycle. Currently, the only way to identify previously unknown malware and phishing threats, prior to a detection signature being released by the community or a security vendor, is to manually triage them, or to detonate and analyse them in a safe, monitored sandbox environment. Once a sample has been detonated, the monitored actions and behaviours, known as indicators of compromise, can be used by detection engineering teams to mitigate current and future attacks. 

By integrating a solution for automated malware and phishing analysis and triage into the SOC technology stack, existing EDR and XDR solutions can pass suspicious files and URLs to it and learn within minutes whether they are malicious or benign. If the result is benign, an automated rule can be created to suppress the alert as a known false positive, so that it is not raised again. With a malicious result, the infected systems can be automatically quarantined off the network to reduce the risk of a malware outbreak, all without human interaction. 

Attacker dwell time, the length of time a threat remains undetected in an organisation's environment, is another consideration for an SOC, because it determines whether the team can detect and respond before significant damage is done. Malware and phishing analysis platforms can significantly reduce dwell time by adding zero-day detection capabilities, allowing security teams to quickly investigate potential threats, and by assisting in threat hunting, detection engineering and threat intelligence gathering. 

For managed security service and detection and response providers, the use of a malware and phishing analysis platform offers numerous benefits, such as faster analysis time and the mitigation of potential skill gaps within security teams. Another benefit is the ability to free up experienced malware analysts and security practitioners, allowing them to focus their talent on the higher-value strategic tasks, rather than wasting time on the tactical aspects of EDR alert investigations. 

In conclusion, few commercial malware and phishing analysis tools on the market today can automate SOC processes in high-volume alert environments with the accuracy needed to confidently respond autonomously to potential threats. Even fewer are resistant to the evasion techniques used by advanced malware and phishing threats. Investing in a malware and phishing threat analysis technology like VMRay's means investing in a defence-in-depth security approach.

Carsten Willems is CEO of VMRay 

This article was originally published in the Spring 2023 issue of Technology Record.
