False positives are a distraction in nearly every form of detection software. In open-source intelligence (OSINT) the problem is magnified.
In OSINT, a false positive occurs when an alert fires because a keyword or phrase was found, but the keyword appears in a context other than the one the rule intended. Because open-source data from the surface web and the Dark Web is written by people rather than generated by machines, determining that context is difficult and has traditionally required human analysis.
Because of the high volume of false positives, many security teams suffer alert fatigue, which leads to less than ideal behavior: analysts begin to miss, ignore, or switch off alerts. Although this reaction is understandable, it means teams can miss the indicators of genuine threats.
Negative impact on efficiency, morale & the bottom line
The cost of false positives to an organization is much higher than you might initially imagine. Security teams are often short-staffed, as qualified security analysts are in limited supply compared to demand. According to (ISC)², unfilled cybersecurity positions have reached 2.93 million globally, and analysts with OSINT investigative skills are scarcer still. Spending that staff's time on false positives not only lowers the team's overall efficiency, it also hurts morale.
[Figure: estimated average annual spend, number of hours, and percentage of time dealing with false-positive cyber security alerts per enterprise. Source: Ponemon Institute]
Beyond the impact on efficiency and morale is the direct cost of valid alerts that are missed because of alert fatigue or because the team is busy chasing false positives. A single missed alert indicating an insider threat, a threat to an executive, or sensitive data being sold on a Dark Web market can lead to significant loss of revenue, brand damage, and even put staff safety at risk.
The highly publicized Target breach of November 2013 exemplifies the cost of a missed threat due to alert fatigue. The breach cost the company dearly: $252 million in reported breach-related expenses, the resignation of its CIO and CEO, and a significant loss of customer confidence. One of the company's security products had correctly detected the intrusion, but, given the volume of alerts and the frequency of false alarms, the security team did not act on it. Target did not become aware of the breach until the U.S. Department of Justice notified the company in December.
Add in Intentional False Positives
To add to the challenge, cybercriminals are getting proactive on the OSINT front. They know what triggers detection rules and deliberately seed open sources with misleading content that fires those rules, flooding teams with false positives so that their own activity blends in and gets dismissed as yet another false alarm.
Tools & Techniques to Combat OSINT Alert Fatigue
Access Natural Language Processing
Natural Language Processing (NLP) is a branch of machine learning and computational linguistics that teaches a program to interpret text in context rather than match isolated keywords, with the goal of approximating a human reader's understanding of language. Software that incorporates NLP can automatically discard many false positives and significantly cut the time and money spent on irrelevant OSINT alerts.
Implement Alert Prioritization
This step will let you focus on incoming alerts that you or your team have deemed a higher priority to your organization. Although prioritization doesn’t impact the volume of false positives, it will ensure your team’s time is spent on high impact threats, mitigating the potential damage of a missed alert.
Ensure the Correct People Are Alerted
Alert fatigue is all about volume. Reduce the number of irrelevant alerts each team member receives by keeping the set of alerts that go to everyone as small as possible, and decide deliberately who should receive each alert.
Centralize Alerts & Reduce Redundancy
Group like alerts together and review them for redundancy. Although this step takes time up front, it can cut daily alert volume significantly.
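The four techniques above (context filtering, prioritization, routing, and de-duplication) fit together into a single alert pipeline. The script below is an added illustration, not Media Sonar's code, and uses a simple threat/benign term lexicon as a stand-in for real NLP context scoring. The rules, team names, and sample posts are all constructed for the example.

```python
"""Minimal OSINT alert pipeline (added example, not vendor code).

For each constructed post it:
  1. suppresses keyword hits whose surrounding text is benign (context score),
  2. orders surviving alerts by threat-model rule severity, then context score,
  3. routes each alert only to the team that owns the rule,
  4. drops near-duplicate reposts via a fingerprint of the normalized text.
"""
from dataclasses import dataclass
import hashlib
import re

# Hypothetical threat-model rules: watched keyword, severity (higher = more
# urgent) and the team that owns alerts for it.
RULES = [
    {"keyword": "acme corp", "severity": 2, "team": "brand"},
    {"keyword": "jane doe",  "severity": 3, "team": "exec-protection"},
    {"keyword": "acme vpn",  "severity": 4, "team": "soc"},
]

# Toy context lexicons standing in for an NLP model. A hit is kept only when
# threat terms outweigh benign ones in the same post.
THREAT_TERMS = {"dump", "leak", "selling", "credentials", "dox", "home address", "combo"}
BENIGN_TERMS = {"hiring", "earnings", "interview", "conference", "congrats", "review"}

# Constructed sample posts: benign mentions, one real threat, its repost,
# and an executive-safety threat.
SAMPLE_POSTS = [
    "Acme Corp reports record Q3 earnings, congrats to the team!",
    "selling fresh Acme VPN credentials, 2k accounts, combo list inside",
    "Selling fresh Acme VPN credentials, 2k accounts, combo list inside http://x.example",
    "anyone got Jane Doe home address? need to dox her",
    "Great interview with Jane Doe at the security conference",
]


@dataclass
class Alert:
    rule: dict
    post: str
    score: int
    fingerprint: str


def normalize(text: str) -> str:
    """Lowercase, strip URLs and punctuation, collapse whitespace so that
    reposts with a different link or casing collide on the same fingerprint."""
    text = re.sub(r"https?://\S+", "", text.lower())
    text = re.sub(r"[^a-z0-9 ]+", " ", text)
    return " ".join(text.split())


def fingerprint(text: str) -> str:
    return hashlib.sha256(normalize(text).encode()).hexdigest()[:16]


def context_score(text: str) -> int:
    """Positive when threat vocabulary dominates, negative when benign does."""
    norm = normalize(text)
    threat = sum(term in norm for term in THREAT_TERMS)
    benign = sum(term in norm for term in BENIGN_TERMS)
    return threat - benign


def process(posts, min_score: int = 1) -> list:
    """Return de-duplicated, context-filtered alerts sorted by priority."""
    seen = set()
    alerts = []
    for post in posts:
        fp = fingerprint(post)
        if fp in seen:          # redundant repost: do not alert twice
            continue
        seen.add(fp)
        norm = normalize(post)
        for rule in RULES:
            if rule["keyword"] not in norm:
                continue
            score = context_score(post)
            if score < min_score:   # keyword present, context benign: suppress
                continue
            alerts.append(Alert(rule, post, score, fp))
    alerts.sort(key=lambda a: (a.rule["severity"], a.score), reverse=True)
    return alerts


def route(alerts) -> dict:
    """Deliver each alert only to the owning team's queue."""
    queues = {}
    for alert in alerts:
        queues.setdefault(alert.rule["team"], []).append(alert)
    return queues


if __name__ == "__main__":
    for team, items in route(process(SAMPLE_POSTS)).items():
        for a in items:
            print(f"[{team}] sev={a.rule['severity']} score={a.score} :: {a.post}")
```

Of the five constructed posts, only two reach a human: the credential sale goes to the SOC queue and the doxing attempt to the executive-protection queue. The two benign mentions are suppressed by context, the repost is folded into its original by fingerprint, and the brand team receives nothing it does not need to see.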
Media Sonar Reduces False Positives
Here at Media Sonar, we have spent the last two years refining our search capabilities to minimize the number of false positives returned to the user. Our platform includes:
- Natural Language Processing to significantly cut down on the volume of false positives and noise. NLP also increases efficiency by extracting entities from the data and categorizing results in a logical way for the user (Author, Date Posted, Website)
- Prioritization of Threat Model rules
- Case Management (Team and private)
- Alert dashboard
- Team and private alerting
- Keyword highlighting in search results
- Broad data access across the social, surface and the Dark Web – all in one platform