CSAM: False Positives, and Managing the Devils

Published: 2014-10-27
Last Updated: 2014-10-27 00:19:23 UTC
by Tony Carothers (Version: 1)
1 comment(s)

Continuing our theme of false positives this month, I’d like to talk about the process of managing the false positives we encounter in the course of analysis. False positives will almost always show up at some point during a security analysis, which leads to unwanted additional work for the sysadmins, the security teams, or both. Even worse, repeated false positives can lead to complacency during analysis, where findings are ‘assumed’ false because they have been seen before and are allowed to pass as normal, when they are in fact a symptom of malicious behavior.


Managing false positives in our testing and analysis is part of the overall security process, and that same process supplies the information needed to identify and eliminate them. The pieces of the process that are key to lifecycle management are:

- Configuration Management (we need to know what we have on our hosts, and what it should be doing)

- Ports, Protocols, and Services baseline (we need to know what we have on the wire, and where it’s going)

- Continuous Monitoring (either of the wire or of the host; this tells us when a condition occurs that requires our attention)


An ideal scenario in an operating environment may run something like this: “A Continuous Monitoring program alerts that a vulnerability exists on a host. A review of the configuration of the host shows that the vulnerability does not exist, and this can be verified from the traffic logs, which reveal that no traffic associated with the vulnerability has transited the wire. The Continuous Monitoring application should be updated to reflect that the specific vulnerability reported on that specific host is a false positive, and it should be flagged accordingly in future monitoring. The network monitoring would *not* be updated, because it did not flag a false positive, leaving the defense-in-depth approach intact.”
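The scenario above, carried through as an added example (not code from the diary or from any product it mentions): a scanner finding is cross-checked against a configuration record and a traffic log, and is marked a false positive only when both agree; the suppression is scoped to one host and one vulnerability id, carries an expiry so it is re-verified rather than trusted forever, and never filters the network side. All data structures and sample values are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Finding:
    host: str
    vuln_id: str   # scanner's own identifier (constructed, e.g. a plugin id)
    service: str   # service the scanner believes is exposed
    port: int

@dataclass
class Suppression:
    host: str
    vuln_id: str
    expires: date
    reason: str

# Constructed stand-ins for the three process inputs named in the diary.
CONFIG_DB = {                          # Configuration Management: what each host runs
    "web01": {"services": {"nginx": 443}},
    "db01":  {"services": {"postgres": 5432, "vsftpd": 21}},
}
BASELINE = {("web01", 443), ("db01", 5432)}   # PPS baseline: expected listeners
TRAFFIC_LOG = [("web01", 443), ("db01", 5432), ("db01", 21)]  # wire: (dst_host, dst_port)

def triage(finding, config_db, baseline, traffic, suppressions, today):
    """Return a disposition for one scanner finding.
    'false_positive' only when the host config lacks the flagged service AND
    no traffic to that port was seen; the suppression is per host+vuln_id with
    an expiry, so the scanner layer is updated but the traffic log never is."""
    if finding.host not in config_db:
        return "investigate"           # unknown asset: a configuration-management gap, not a FP
    for s in suppressions:
        if (s.host, s.vuln_id) == (finding.host, finding.vuln_id):
            if s.expires > today:
                return "suppressed"
            suppressions.remove(s)     # expired: re-verify instead of assuming
            break
    host_services = config_db[finding.host]["services"]
    service_present = host_services.get(finding.service) == finding.port
    seen_on_wire = (finding.host, finding.port) in traffic
    if not service_present and not seen_on_wire:
        suppressions.append(Suppression(finding.host, finding.vuln_id,
                                        today + timedelta(days=90),
                                        "config and traffic both verified"))
        return "false_positive"
    if seen_on_wire and (finding.host, finding.port) not in baseline:
        return "escalate"              # live service outside the baseline
    return "investigate"
```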


Now, this is *ideal*, and at a very high level, but it hopefully gives some ideas on how false positives could be managed within the enterprise, and on the processes that contribute. We would really like to hear how false positives are managed in other enterprise environments, so let us know. :)

tony d0t carothers --gmail
