The Hidden Costs of False Positive Security Alerts

Jeff Hershberger
May 31, 2023

People in your organization who are working in security operations (SecOps) face security alerts on a daily basis. The problem is, the majority of those alerts are just false positives, which can potentially lead to some serious consequences. In this post, we’ll explain what false positive alerts are, the consequences of having them, and what you can do to address them. 

What is a false positive alert?

A false positive alert is an alert that seems to indicate a potential threat when there’s actually none. Let me give you an example. 

Let’s say you configured your intrusion detection system (IDS) to detect certain network traffic patterns associated with a known malware and then to send out an alert when a detection occurs. Basically, you’ll get an alert every time your IDS detects that network pattern. That’s all well and good except if the IDS detects the network traffic pattern in question but it’s actually coming from a legitimate business-related network activity.

This kind of occurrence happens more often than you think. In fact, 40% of respondents in the State of Threat Hunting report said that too much time wasted on false positive alerts is one of the top challenges faced in security operations centers (SOCs).

But why is that? Why do security analysts consider false positive alerts a major challenge?

Wasted resources

Processing alerts can be a very labor-intensive exercise. Unfortunately, manpower isn’t exactly an abundant resource in most SOCs. In fact, in the SANS 2022 SOC Survey, high staffing requirements was identified by respondents as the greatest challenge in fully utilizing their organization’s SOC.

Every time a security analyst receives an alert, the analyst is supposed to:

  1. Triage that alert along with other alerts to determine priority;
  2. Gather additional context related to the alert;
  3. Conduct an investigation;
  4. Determine if the alert is legit and not just a false positive; and
  5. If it’s legit, perform incident response

Notice that the analyst will have to go through three steps before he/she can determine whether the alert is legit or not. The analyst will have to do this for almost every single alert. That’s probably ok if you only get a handful of alerts per day. But many SOC analysts receive hundreds if not thousands of alerts per day.

That’s going to cost a great deal of time and resources (we’ll go into specific numbers later). The process of gathering additional data for context, for instance, may entail going over logs from multiple systems. The investigation process may also involve reviewing indicators of compromise (IOC) and other relevant information. All this can take a few minutes to several hours.

So, at the end of all that, if the alert just turns out to be a false positive, you would have wasted a substantial amount of precious resources. 

Missed threats

When your analysts spend too much time on false positive alerts, legitimate threats will be able to slip through unimpeded until someone is able to act on them. Of course, if your security analysts keep getting inundated with false positive alerts, some of those legitimate threats will never be attended to—and that could lead to a data breach or an entire network locked up by ransomware.

In the aftermath of the high-profile Target data breach of 2013, investigators discovered that the retail company’s security solution actually sent out multiple automated alerts warning of a potential intrusion, but those alerts were missed. 

The result? One of the biggest data breaches in history. The Target data breach compromised personal and payment card data of about 40 million customers. Many of those customers fell victim to identity theft. As for Target, the data breach cost them over $200 million, which included costs for forensic investigations, security enhancements, legal settlements, and customer credit monitoring activities, among others. 

Alert fatigue

The growing complexity in the cyber threat landscape has given rise to an increasing number of security solutions. Today, many organizations now manage up to 76 security tools, with many of these tools generating numerous alerts. Worse, the number of alerts just keeps on growing.

In last year’s State of Threat Detection and Response report, 48% of respondents said they were seeing a 3x increase in the number of alerts per day. As the volume of alerts increases, security analysts tend to become desensitized and less attentive to alerts—a condition called alert fatigue. But what if some of those alerts were actually triggered by a critical cyber incident? Sadly, those incidents won’t be caught.

Some analysts who are overwhelmed by the deluge of alerts even resort to tuning down rules on their security solutions just to bring down their alert volume. This can have dire consequences if that rule also happens to be catching legitimate threats.

Staff turnovers

The moment alert fatigue sets in, security analysts become frustrated, exhausted, and susceptible to burnout. Their morale decreases and the drive to continue doing the same exhausting activities every single day diminishes. Once that happens, those analysts may decide to leave.

Most respondents (more than 35%) in the SANS 2022 SOC Survey declared that the average employment duration for an employee in their respective SOC environments was only 1-3 years. Considering the perennial cybersecurity skills gap, it won’t be easy filling those vacated positions. 

Increased cost

The deluge of false positive alerts can lead to increased costs. As mentioned earlier, the activities related to alert processing are quite labor-intensive. According to the US Bureau of Labor Statistics, the latest national estimates for information security analysts’ mean hourly wage is $57.63. Depending on the industry and state, that number could go up to almost $80 per hour.

Spending approximately $60/hr to $80/hr per information security staff, who then go on a wild goose chase every day, can be very expensive. Plus, in order to deal with the mounting deluge of alerts, you may be forced to hire additional security staff.

Worse, if that wild goose chase amounts to missing legitimate alerts, you could end up spending even more. As revealed in the 2022 Cost of Data Breach Report, attack vectors with longer mean times to identify and contain are also among the most expensive types of data breaches. Based on the same report, the average data breach costs of initial attack vectors with the longest (top 3) average time to identify and contain all exceeded $4.4 million. 

Eliminate threats without generating alerts

Considering the substantial costs and consequences of false positive alerts, is it really worth deploying solutions that generate a ton of alerts? It probably is if you have no other choice. But you do.

Intrusion’s security solutions, which leverage artificial intelligence (AI) and a Global Threat Engine that combines reputation, behavior, and historical data to detect various cyber threats, automatically neutralizes those threats without generating any alerts. This can significantly reduce your security team’s workload and allow team members to focus more on strategic initiatives for strengthening your organization’s cyber defenses.

That being said, while Intrusion doesn’t send out alerts, this doesn’t mean you have no way of knowing what’s happening on the threat detection/threat prevention front. On the contrary, Intrusion provides a lot of insightful information on that front.

With Intrusion, you’ll be able to view:

  • All inbound and outbound blocks
  • Countries you’re business is communicating with the most
  • Top offending devices
  • Top high-risk categories (e.g., poor reputations, suspicious domains, malicious domains, etc.)
  • Traffic killed by country, 
  • And many others

Learn more about Intrusion and how it can eliminate threats without inundating you with alerts. Just click the chat button at the lower-right corner of your screen.

Resources that might interest you.

Get the insights cybercriminals don’t want you to know.