This is why
All of the logs and SIEM events that "should" be checked never do.
Just one per cent of all Indicator of Attack (IOA) warnings are actually caused by network attacks. This according to security giant Kaspersky, who analyzed (PDF) customer data over the first six months of 2019 and concluded that, 99 per cent of the time, alarms are being raised as the result of something other than a hacker …
There's been a 100% effective technical solution available for years; unfortunately, vested interests - including Republicans, lobbyists, the Jesuits and Google, not to mention those bastards in the British Dental Association - have conspired to prevent its adoption. Scandalous.
That is an AWESOME find - I'm going to forward that around as a pressing suggestion for us to adopt - and see how many people actually bother to read it before reacting to it (We have folks that skim a topic and then knee-jerk attack/argue, no matter the idea, just to show how "smart" they are). This will be fun. Thank you!
Interesting. In most fields, an overwhemingly high false positive rate usually suggests flawed detection methods. Yet somehow with Kaspersky that's not the case. Hmm.
Sure, they're saying it's because attackers are getting better at mimicking normal network activities. But one could also posit they're looking the wrong places.
"an overwhemingly high false positive rate usually suggests flawed detection methods."
No system is 100% effective.
You either set a low bar to minimise false positives (but could let some real attacks through), or you set a high bar, make (almost completely) sure that real attacks will be caught, and you deal with the false positives.
So security admins can either avoid dealing with a few (or even a lot of) false positives, or they can avoid having to deal with a system breach, potential loss of customer / business data, system disruption, analysis, rebuild / upgrade requirements....
Is it worth the potential risk???
You could report every single network packet that crosses the gateway as an intrusion attempt. That would ensure that all intrusion attempts are reported, but it would be completely useless as a detection mechanism.
Or, as we are in the business of annoying Jacob Rees Mogg, you would be pleased to learn that I have ascertained that it is unacceptable.
As if a company would ever publish a report that would admit their product is prone to false positives. Quite the contrary. Instead, they publish a report that makes it sound as if this is the norm for all products, and somehow they will be the one to solve the problem with their product.
Oh, and woe to the company that thinks the product will do all the work with no oversight from properly trained analysts. I really don't think we've reached a tipping point where human oversight no longer matters, and anyone who thinks we have will be the low-hanging fruit.
The alternative is that Kaspersky and other vendors could, you know, just produce better software that doesn't deluge admins with false positives
I couldn't agree more! We use Kaspersky on our network and the number of false "positives" is infuriating. It's a real cry wolf scenario.
We use it also, and have about one per month for the last couple years, of course we take the time to manage KL with proper white list, restrictions (gad there are so many settings) alerts and what not. We are at the point now that we know "every" piece of software on the systems, all ports not used are locked down, IP restrictions in place. The closest to regular false positives we get now are internal pen test tripping KL - which is good. I know its working.
This is way off topic but it's maybe relevant to helpdesk staff training.
I had accidentally unprotected sex with an New Jersey girl I'd met in Castro Market whose previous lover was a bisexual at the height of the AIDs crisis. Naturally I had a test when I returned home, and my doctor said they'd phone me with the results within 12 weeks. I'm sure 12 weeks flies by when you are in love, but it is an eternity with that threat hanging over you.
14 weeks later I phoned them, a bit on edge by then, and the receptionist said, "Oh, your results are in but you have to speak to the doctor."
I explained calmly - in my own memory at least I was trying to speak calmly - that I needed to know the results there and then, and she should just tell me over the phone.
She hesitated, then said in a reassuring tone, "Your results are positive."
"Positive good or positive bad?"
"Oh, I'm not sure, you'll have to speak to the doctor. I can get you an appointment in two weeks."