You Should Feel ‘Positively’ About Your Security Tools: How We’re Mitigating False Positives in Identity Security

Hannah Young · July 13, 2023 · 5 min read

While we’d all love to get to a place where “Why are security tools so necessary” is the top search result, security tools are undeniably noisy. Whether you’re calling it a problem with your signal-to-noise ratio or suffering from alert fatigue, a massive problem with modern security tools is the issue of false positives: detecting a harmless or beneficial activity as a threat. While technically less risky than a false negative (not detecting a malicious threat when it happens), false positives overburden security teams and add to their already heavy workflows, disrupt access needed to maintain employee productivity, and result in costs for your organization when they lead to the dismissal of a genuinely critical alert.

In the Orca Security 2022 Cloud Security Alert Fatigue Report, over half of the surveyed IT professionals spent more than 20% of their time deciding which alerts should be dealt with first. “The overload of alerts, combined with widespread inaccuracy (43% say more than 40% of their alerts are false positives), is not only contributing to turnover but also to missed critical alerts: more than half of respondents (55%) say their team missed critical alerts in the past, due to ineffective alert prioritization – often on a weekly and even daily basis.”

How do we mitigate false positives?

To illustrate one approach to addressing false positives, we’ll use the example of Crosswire’s ITDR (Identity Threat Detection and Response) tool. By adding identity security context, such as related logs and profile attributes, we can enrich our threat detection rules and mitigate false positives.

For example, rules are aligned with the MITRE ATT&CK framework, a leading knowledge base of common tactics, techniques, and procedures used by cyber adversaries, ensuring that our system remains proactive and responsive (e.g., Active Directory Credential Request, Web Credential Usage, Remote Service Session Hijacking).

Overview of the MITRE ATT&CK framework

To further enhance our detection capabilities, we leverage machine learning algorithms to filter out false positives and assist in the creation of detection rules. This allows us to simulate the “common sense” of a security analyst and supplement entry-level security analyst triaging.

Threats also change over time, and what was once an indicator of compromise quickly becomes innocuous (and vice versa). We are in the business of understanding the ever-changing security landscape and changing our alerts to fit that new landscape, acting as a trusted security advisor both through AI adaptations and changes to our written rules that parallel changes in attacker behavior trends.

This is also where company-specific context, such as how a specific company’s users behave, comes into play. To illustrate with a simple example: an engineer accessing Salesforce could be cause for suspicion and an alert at almost any company, but not for an engineer working at Salesforce itself. Accounting for that context removes a false positive alert (in addition to other contextual configuration based on your org’s security posture and staffing levels).

What happens if there is a false positive?


While Crosswire’s ITDR tool—and any tool created with the problem of false positives in mind—will substantially reduce false positives, there’s no (secure) way to eliminate them entirely; they’re a part of the process. Instead of ignoring that reality, Crosswire has instituted gradual remediation, so that when a false positive does happen, its fallout is reduced to a minimal inconvenience rather than a major disruption.

The key philosophy that Crosswire’s ITDR product follows is that the severity of the remediation should match the severity of the alert. For instance, Okta impossible travel is extremely noisy: it could be an indicator of compromise or just ordinary user activity (like a VPN or actual travel). Instead of immediately applying an intrusive (deactivate the account) or costly (send an alert to a SOC) measure, Crosswire will first sync with the user’s HR work location and/or send a notification asking the user to confirm the new location or complete additional verification, before any intrusive measures are taken.

Figure: Example Active Directory Credential Request (Windows EID 4769)

To illustrate, consider an example related to the MITRE ATT&CK technique Active Directory Credential Request, where a user requests new Active Directory credentials, such as a ticket or token. While a pure anomaly detection tool might flag this unilaterally as a compromise, our system takes contextual factors into account. For instance, contextual alerting would treat this as high priority (e.g., revoking the user session) if it is followed by anomalous Kerberos activity or indications of Pass the Ticket being used to move laterally, but as lower priority (e.g., an additional MFA push) for an account that has just switched projects or positions and now legitimately needs access to different Active Directory resources.
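The graded-remediation logic described for Okta impossible travel and for the EID 4769 example, written out as an added Python example; this is not Crosswire’s code. The Profile and Event schemas, the 14-day role-change window, the one-hour reuse window, the simplified ticket-reuse heuristic, and the analyst-queue default for unexplained requests are all assumptions, and the 4769 events are assumed to have already been flagged upstream as a first-time service request for that user.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Remediation tiers, least to most intrusive: the tier should match the alert's severity.
NOTIFY, MFA_PUSH, SOC_ALERT, REVOKE_SESSION = "notify", "mfa_push", "soc_alert", "revoke_session"

@dataclass
class Profile:                  # constructed HR/IdP context (hypothetical schema)
    user: str
    hr_work_location: str
    role_changed_at: Optional[datetime] = None

@dataclass
class Event:                    # constructed, normalised log record (hypothetical schema)
    user: str
    kind: str                   # "okta_impossible_travel" or "win_4769"
    ts: datetime
    attrs: dict = field(default_factory=dict)

def triage_impossible_travel(ev: Event, profile: Profile) -> str:
    # Okta impossible travel: compare with the HR work location before anything intrusive.
    if ev.attrs["location"] == profile.hr_work_location:
        return NOTIFY           # matches the HR record: likely real travel or a VPN
    return MFA_PUSH             # unexplained location: ask the user to confirm first

def triage_4769(ev: Event, profile: Profile, history: list, window=timedelta(hours=1)) -> str:
    # Simplified Pass-the-Ticket indicator (assumption, not a complete detection): the same ticket requested again soon after from another client address.
    reuse = [h for h in history if h.kind == "win_4769" and h.user == ev.user
             and ev.ts < h.ts <= ev.ts + window and h.attrs["service"] == ev.attrs["service"]
             and h.attrs["client_ip"] != ev.attrs["client_ip"]]
    if reuse:
        return REVOKE_SESSION   # anomalous Kerberos activity followed the request: high priority
    if profile.role_changed_at and ev.ts - profile.role_changed_at <= timedelta(days=14):
        return MFA_PUSH         # a new project/position explains the new resource: step-up only
    return SOC_ALERT            # nothing explains it: queue for an analyst (assumed default)

def demo() -> dict:
    # Constructed sample: a traveller, a recent role change, and a ticket reused from another host.
    t0 = datetime(2023, 7, 1, 9, 0)
    alice, carol = Profile("alice", "Austin"), Profile("carol", "Boston")
    bob = Profile("bob", "Denver", role_changed_at=t0 - timedelta(days=3))
    travel = Event("alice", "okta_impossible_travel", t0, {"location": "Austin"})
    bob_req = Event("bob", "win_4769", t0, {"service": "cifs/files01", "client_ip": "10.1.2.3"})
    carol_req = Event("carol", "win_4769", t0, {"service": "cifs/files01", "client_ip": "10.1.2.9"})
    reuse = Event("carol", "win_4769", t0 + timedelta(minutes=5),
                  {"service": "cifs/files01", "client_ip": "10.9.9.9"})
    history = [bob_req, carol_req, reuse]
    return {"alice": triage_impossible_travel(travel, alice),
            "bob": triage_4769(bob_req, bob, history),
            "carol": triage_4769(carol_req, carol, history)}
```

Each event lands on a different rung of the ladder: the HR-confirmed traveller only gets a notification, the recently moved user gets an MFA push, and only the ticket reused from a second host triggers session revocation.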

By tailoring our response to the severity and nature of the alert, we strike a balance between addressing false positives and maintaining a smooth user experience while safeguarding critical systems and data. The bottom line is that you need to be able to trust your security tools, and false positives harm that trust by making users feel as though their tools are only searching for random, insignificant signals because they’re the easiest to find.


To stay up to date with Crosswire and hear more about what we’re doing to make security tools you can trust, contact us for a demo here and subscribe to our blog below!
