If you have a security alert, I feel bad for you, son – you got 99 problems but a hack ain't one

Just one per cent of all Indicator of Attack (IOA) warnings are actually caused by network attacks. This is according to security giant Kaspersky, who analyzed (PDF) customer data over the first six months of 2019 and concluded that 99 per cent of the time, alarms are being raised as the result of something other than a hacker …

  1. Mayday

    This is why

    All of the logs and SIEM events that "should" be checked never do.

  2. ThatOne

    Politicians have the solution

    Why don't they simply make a law forbidding access of any network without proper authorization? I mean this is supposed to work for government backdoors, why not for networks in general?...

    1. David 132

      Re: Politicians have the solution

      There's been a 100% effective technical solution available for years; unfortunately, vested interests - including Republicans, lobbyists, the Jesuits and Google, not to mention those bastards in the British Dental Association - have conspired to prevent its adoption. Scandalous.

      RFC 3514 [ietf.org]

      1. prinz

        Re: Politicians have the solution

        That is an AWESOME find - I'm going to forward that around as a pressing suggestion for us to adopt - and see how many people actually bother to read it before reacting to it (We have folks that skim a topic and then knee-jerk attack/argue, no matter the idea, just to show how "smart" they are). This will be fun. Thank you!

    2. Psmo

      Re: Politicians have the solution

      It's in the Terms and Conditions, section 3 paragraph 64.

  3. Jimmy2Cows

    Ok...

    Interesting. In most fields, an overwhelmingly high false positive rate usually suggests flawed detection methods. Yet somehow with Kaspersky that's not the case. Hmm.

    Sure, they're saying it's because attackers are getting better at mimicking normal network activities. But one could also posit they're looking in the wrong places.

    1. jmch

      Re: Ok...

      "an overwhelmingly high false positive rate usually suggests flawed detection methods."

      No system is 100% effective.

      You either set a low bar to minimise false positives (but could let some real attacks through), or you set a high bar, make (almost completely) sure that real attacks will be caught, and you deal with the false positives.

      So security admins can either avoid dealing with a few (or even a lot of) false positives, or they can avoid having to deal with a system breach, potential loss of customer / business data, system disruption, analysis, rebuild / upgrade requirements....

      Is it worth the potential risk???

      1. tim 13

        Re: Ok...

        But if you are overwhelmed with false positives, you are likely to miss the real positives amidst them.
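The threshold trade-off jmch describes, and the overload tim 13 warns about, worked through in numbers. This is an added example, not from the article or any commenter: the event volume, attack rate and the threshold-to-rate table are constructed, not Kaspersky's figures.

```python
"""Alert triage arithmetic: base rate x detector threshold -> analyst load."""

# Constructed detector curve: each row is (threshold, true-positive rate,
# false-positive rate). Raising the bar lowers both rates, as jmch describes.
ROC = [
    (0.1, 0.99, 0.10),
    (0.5, 0.90, 0.01),
    (0.9, 0.50, 0.0001),
]


def alert_mix(n_events, attack_rate, tpr, fpr):
    """Expected alert counts for one monitoring window.

    Reporting everything (tpr = fpr = 1) yields precision equal to the
    attack base rate: every attack is caught, and the queue is useless.
    """
    attacks = n_events * attack_rate
    benign = n_events - attacks
    true_alerts = attacks * tpr
    false_alerts = benign * fpr
    total = true_alerts + false_alerts
    return {
        "true_alerts": true_alerts,
        "false_alerts": false_alerts,
        "missed_attacks": attacks - true_alerts,
        "precision": true_alerts / total if total else 0.0,
    }


def sweep(n_events, attack_rate, roc=ROC):
    """Alert mix at each threshold of the constructed curve."""
    return [(thr, alert_mix(n_events, attack_rate, tpr, fpr))
            for thr, tpr, fpr in roc]


def fpr_needed(attack_rate, tpr, target_precision):
    """Solve precision = a*tpr / (a*tpr + (1-a)*fpr) for the fpr a detector
    must reach before analysts see the target share of real alerts."""
    a = attack_rate
    return a * tpr * (1 - target_precision) / ((1 - a) * target_precision)


if __name__ == "__main__":
    # Constructed: one million events per day, one in a thousand malicious.
    for thr, m in sweep(1_000_000, 0.001):
        print(f"threshold {thr}: {m['true_alerts']:.0f} real, "
              f"{m['false_alerts']:.0f} false, {m['missed_attacks']:.0f} "
              f"missed, precision {m['precision']:.1%}")
    print(f"fpr for 50% precision at tpr 0.9: {fpr_needed(0.001, 0.9, 0.5):.5f}")
```

At the lowest threshold the queue is roughly one real alert per hundred, the article's headline ratio; the highest threshold gives a clean queue but misses half the attacks.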

  4. StewartWhite

    My response to Kaspersky is "If your software generates so many false positives that you can't find the actual threats within normal behaviour then, to use a phrase that would annoy Jacob Rees-Mogg, it's not fit for purpose"

    1. katrinab

      Quite

      You could report every single network packet that crosses the gateway as an intrusion attempt. That would ensure that all intrusion attempts are reported, but it would be completely useless as a detection mechanism.

      Or, as we are in the business of annoying Jacob Rees-Mogg, you would be pleased to learn that I have ascertained that it is unacceptable.

    2. GnuTzu

      Yup.

      As if a company would ever publish a report that would admit their product is prone to false positives. Quite the contrary. Instead, they publish a report that makes it sound as if this is the norm for all products, and somehow they will be the one to solve the problem with their product.

      Oh, and woe to the company that thinks the product will do all the work with no oversight from properly trained analysts. I really don't think we've reached a tipping point where human oversight no longer matters, and anyone who thinks we have will be the low-hanging fruit.

  5. XSV1

    Wolf, wolf!

    The alternative is that Kaspersky and other vendors could, you know, just produce better software that doesn't deluge admins with false positives

    I couldn't agree more! We use Kaspersky on our network and the number of false "positives" is infuriating. It's a real cry wolf scenario.

    1. Anonymous Coward

      Re: Wolf, wolf!

      We use it also, and have had about one per month for the last couple of years. Of course, we take the time to manage KL with a proper white list, restrictions (gad, there are so many settings), alerts and what not. We are at the point now that we know "every" piece of software on the systems, all ports not used are locked down, and IP restrictions are in place. The closest to regular false positives we get now are internal pen tests tripping KL - which is good. I know it's working.

  6. Danny 2

    Positive

    This is way off topic but it's maybe relevant to helpdesk staff training.

    I had accidentally unprotected sex with a New Jersey girl I'd met in Castro Market whose previous lover was a bisexual at the height of the AIDS crisis. Naturally I had a test when I returned home, and my doctor said they'd phone me with the results within 12 weeks. I'm sure 12 weeks flies by when you are in love, but it is an eternity with that threat hanging over you.

    14 weeks later I phoned them, a bit on edge by then, and the receptionist said, "Oh, your results are in but you have to speak to the doctor."

    I explained calmly - in my own memory at least I was trying to speak calmly - that I needed to know the results there and then, and she should just tell me over the phone.

    She hesitated, then said in a reassuring tone, "Your results are positive."

    "Positive good or positive bad?"

    "Oh, I'm not sure, you'll have to speak to the doctor. I can get you an appointment in two weeks."
