By Isaac Basque-Rice, EDR Security Engineer at Adarma
In today’s complex cybersecurity environment, Endpoint Detection and Response (EDR) tools are critical in protecting organisations from malicious threats. However, it is essential to acknowledge that every EDR or security tool has imperfections.
Those of us who work in cybersecurity understand that no tool, process, methodology, or solution is free of issues. Among these issues, false positives are particularly impactful for Security Operations Centres (SOCs) and EDR capabilities.
False positives occur when EDR tools mistakenly flag legitimate and occasionally business-critical processes as malicious. This often happens due to behavioural indicators, such as:
- Making edits to the registry
- Injecting code into another process
- Registering itself to autorun on startup (a potential sign of persistence)
- Performing low-level tasks with network adapters
While potentially indicative of malicious behaviour, these activities can also be part of legitimate software operations. When EDR tools misinterpret these signals, they can take actions that disrupt normal business operations – the opposite of what we need them to do.
The consequences of false positives can be severe. For instance, if a legitimate corporate VPN agent on an endpoint is flagged because of its network activity and the process is killed, the host loses its tunnel to the corporate network (and, on a full-tunnel configuration, all internet access). Replicated across an estate, for example by a faulty agent or content update, the impact could rival the recent global IT outage.
In late 2021, Microsoft Defender generated a series of false positives across its customer base. Supporting files for the Office 365 suite were flagged as malicious, specifically components related to print jobs and sensitivity labels. The heightened sensitivity to the Emotet malware family was most likely a response to Emotet resurfacing that month. As a result, users in affected organisations were blocked from launching Microsoft Office applications until Microsoft shipped a corrected signature.
Similarly, Malwarebytes faced a significant issue in late 2021 when its web filtering component flagged Google-related domains (including YouTube) as malicious and blocked access to those websites. Alongside the blocking came a barrage of malware notifications that triggered in tandem. Users had to turn off real-time protection to access the flagged domains until Malwarebytes rolled out a fix.
The hidden costs of false positives in EDR are multifaceted and can be broadly categorised into the following areas:
- Operational Disruption
When false positives occur, they can halt critical business processes, leading to significant downtime. The example of a corporate VPN agent being flagged shows how network connectivity can be disrupted, impacting employee productivity and business operations.
- Analyst Workload
Cybersecurity teams must investigate and remediate false positives. This diverts resources from other critical tasks, increasing workload and stress for SOC analysts. The time and effort spent addressing false positives could be better utilised in proactive threat hunting and improving security posture.
- Financial Cost
Operational disruptions and the need for additional resources inevitably lead to financial costs. Downtime can result in lost revenue, while the need to investigate and resolve false positives can lead to increased operational expenses.
- Reputational Damage
Frequent false positives can erode trust in an organisation’s cybersecurity capabilities. Customers and partners may question the reliability of its security measures, potentially leading to reputational damage and loss of business opportunities.
It’s crucial to efficiently handle false positives to maintain optimal security operations and customer trust. Here are our recommendations for effectively managing false positives:
- Thoroughly Verify the Alert
Confirm the validity of any alerts by cross-referencing them with other security logs and threat intelligence. An alert should be documented and classified accordingly if it is deemed a false positive.
- Examine Detection Rules and Context
Review the context and settings that led to the false positive. This includes analysing detection rules, tool configurations, and network traffic patterns. Understanding the root cause helps refine systems and reduce the likelihood of similar false positives in the future.
- Adjust and Optimise Detection Parameters
Update your detection rules and thresholds to minimise false positives. This may involve updating signatures, modifying sensitivity levels, or refining anomaly detection settings to better match the organisation’s specific environment. Scope any exclusion as narrowly as the evidence allows: suppress the specific behaviour for a signed binary at a known path rather than excluding a process name outright, since anything can be named vpnagent.exe, and never exclude an unsigned binary. Record an owner and review date for each exclusion so that tuning does not quietly accumulate into blind spots.
- Document and Report Findings
It is essential to keep detailed records of false positives, including the nature of the alert, the investigation process, and the resolution. Proper documentation aids in reporting and serves as a reference for improving security measures.
- Communicate with Stakeholders
Inform relevant stakeholders about false positives and their potential impact. Transparent communication helps manage expectations and maintains trust within the organisation.
- Review and Improve
Use false positive incidents as opportunities to review and enhance incident response processes. Keep agents and detection content current, and train analysts on the triage workflow so that similar situations are handled faster and overall security operations improve.
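The block below is an added illustration, not part of the original article and not Adarma’s or any EDR vendor’s tooling. It runs the behavioural indicators listed earlier (registry edits, injection, autorun registration, low-level adapter work) through a small scoring detector and then applies the triage steps above to a constructed alert: verify it against a known-good inventory keyed on signer and hash, build an exclusion scoped to the signed image, path and observed behaviours, and emit the record that goes into the false-positive log. The event layout, indicator weights, alert threshold, the "Contoso VPN Ltd" signer, the file paths and the hash values are all constructed for the example. The impostor event shows the caveat: a narrowly scoped exclusion leaves an unsigned copy of the same file name in a temp directory still alerting, whereas a process-name exclusion would silence it too.

```python
from __future__ import annotations
from dataclasses import dataclass

# One process-behaviour event with the fields an EDR sensor typically records.
# The field layout is constructed for this example.
@dataclass(frozen=True)
class ProcessEvent:
    image: str                  # full path of the executable on disk
    signer: str | None          # Authenticode signer, None if unsigned
    sha256: str                 # hash of the image (constructed values below)
    behaviours: frozenset[str]  # behavioural indicators the sensor observed

# The indicators named in the article, with constructed weights.
WEIGHTS = {
    "registry_write": 1,           # making edits to the registry
    "remote_thread_injection": 4,  # injecting code into another process
    "run_key_write": 2,            # registering itself to autorun on startup
    "adapter_low_level": 2,        # low-level tasks with a network adapter
}
ALERT_THRESHOLD = 4

# Known-good inventory consulted during verification, keyed on signer AND hash.
# A process name is never the key: anything can be called vpnagent.exe.
KNOWN_GOOD = {
    ("Contoso VPN Ltd", "11" * 32): "Corporate VPN agent (constructed entry)",
}

@dataclass(frozen=True)
class Exclusion:
    """Suppresses specific behaviours for one signed image at one path."""
    signer: str
    image: str
    behaviours: frozenset[str]

def score(event: ProcessEvent, exclusions: tuple[Exclusion, ...] = ()) -> int:
    """Sum the weights of the event's indicators, ignoring any indicator that a
    matching exclusion covers. A match needs both signer and path to agree."""
    suppressed: set[str] = set()
    for ex in exclusions:
        if event.signer == ex.signer and event.image.lower() == ex.image.lower():
            suppressed |= ex.behaviours
    return sum(WEIGHTS[b] for b in event.behaviours if b not in suppressed)

def fires(event: ProcessEvent, exclusions: tuple[Exclusion, ...] = ()) -> bool:
    return score(event, exclusions) >= ALERT_THRESHOLD

def verify(event: ProcessEvent) -> str:
    """Step 1: cross-reference the alert with the known-good inventory."""
    return "false_positive" if (event.signer, event.sha256) in KNOWN_GOOD else "needs_investigation"

def build_exclusion(event: ProcessEvent) -> Exclusion:
    """Step 3: scope tuning to the observed behaviours of this signed image at
    this path. Unsigned binaries never get an exclusion."""
    if event.signer is None:
        raise ValueError("refusing to exclude an unsigned image")
    return Exclusion(event.signer, event.image, event.behaviours)

def excluded_by_name(event: ProcessEvent, names: tuple[str, ...] = ("vpnagent.exe",)) -> bool:
    """The anti-pattern: a process-name exclusion also hides an impostor."""
    return event.image.lower().rsplit("\\", 1)[-1] in names

def triage(event: ProcessEvent, exclusions: tuple[Exclusion, ...] = ()) -> tuple[dict, tuple[Exclusion, ...]]:
    """Steps 1 to 4 for one alert: verify, capture context, tune if warranted,
    and return the record for the false-positive log plus the updated exclusions."""
    record = {
        "image": event.image, "signer": event.signer, "sha256": event.sha256,
        "behaviours": sorted(event.behaviours),
        "score": score(event, exclusions),
        "verdict": verify(event),
        "reference": KNOWN_GOOD.get((event.signer, event.sha256)),
        "resolution": "investigate as potential true positive",
    }
    if record["verdict"] == "false_positive":
        exclusions = exclusions + (build_exclusion(event),)
        record["resolution"] = "excluded: " + ", ".join(sorted(event.behaviours))
    record["fires_after"] = fires(event, exclusions)
    return record, exclusions

# Constructed sample events.
VPN_AGENT = ProcessEvent(
    image=r"C:\Program Files\Contoso VPN\vpnagent.exe",
    signer="Contoso VPN Ltd", sha256="11" * 32,
    behaviours=frozenset({"run_key_write", "adapter_low_level"}))
IMPOSTOR = ProcessEvent(  # same file name, unsigned, dropped into a temp directory
    image=r"C:\Users\alice\AppData\Local\Temp\vpnagent.exe",
    signer=None, sha256="22" * 32,
    behaviours=frozenset({"run_key_write", "adapter_low_level"}))

if __name__ == "__main__":
    print("VPN agent fires before tuning:", fires(VPN_AGENT))
    record, exclusions = triage(VPN_AGENT)
    print("log record:", record)
    print("VPN agent fires after tuning:", fires(VPN_AGENT, exclusions))
    print("impostor still fires:", fires(IMPOSTOR, exclusions))
    print("impostor hidden by a name exclusion:", excluded_by_name(IMPOSTOR))
```

The exclusion is keyed on signer and path rather than hash because a hash pin breaks on every vendor update and would regenerate the false positive, while a bare process-name exclusion is broad enough to hide an attacker’s look-alike. The returned record carries the alert, its context, the verdict and the resolution, which is the minimum the documentation step needs.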
With our 24/7 managed SOC facilities and managed EDR service, and in collaboration with our elite technology partners, Adarma’s expert team of SOC analysts and threat specialists takes a proactive approach to reducing false positives and relieves your security team from chasing them. If an alert is determined to be malicious, Adarma’s EDR team will, depending on the severity and level of business criticality, collaborate with the impacted customer to remediate the issue as quickly as possible.
Acting as an extension of your team, our goal is to understand your business and security objectives to provide the right solutions that are tailored to your unique security requirements. Our expertise guarantees a balanced approach between security and operational efficiency, safeguarding our customers’ most crucial infrastructure and data.
Discover our tailored services and find out why we are the preferred security partner for FTSE 350 firms.
If you would like to learn more about how Adarma can support your organisation’s cyber resilience, please get in touch with us at hello@adarma.com.