Organizations operating a security information and event management (SIEM) solution are struggling with one of the biggest problems in cybersecurity today: false positives. A 2017 Cisco study found that only 28% of investigated security alerts are legitimate, and that, because of staff shortages, more than 40% of alerts are never investigated at all.
Although they carry no real threat, false positives consume the same time and resources to investigate as genuine alerts. The standard approach, which many managed security service providers (MSSPs) adopt, is to bring in teams of specialists who attempt to audit every alert. Given the survey results above, how well do you think that works out?
For a SIEM solution to catch real threats, it needs to eliminate false positives so that experts can prioritize the alerts that truly require their attention. False positives stem from problems in technology and process, so adding more people isn't the answer.
So without further ado, here are some of the best tips to get rid of false positives and improve the effectiveness of your SIEM.
Context Is Crucial
Many SIEM systems lack contextual awareness, yet it is one of the most important capabilities for eliminating false positives. Here's an example to illustrate the point.
An analyst receives a report from the SIEM solution that a SQL injection attack has been detected against one of the organization's servers. That's a serious matter that needs to be handled as soon as possible, right? It certainly would be, except that the company doesn't run a SQL database on that particular server, which makes the alert a false positive.
An ideal SIEM solution is capable of detecting how company systems are configured to determine if there is a possibility for an attack to succeed. Possessing configuration management data in a SIEM solution can give it a huge advantage in reducing some of the most annoying false positives that can come up.
Employ Threat Feeds and Geolocation Data
Some SIEM technologies integrate a combination of external data feeds to provide more accurate results. A threat feed can improve the accuracy of events through cross-correlation. For instance, if WHOIS records associate an IP block with a known hacker group, the SIEM solution can raise the criticality of an incident originating from that block to "high."
When threat intelligence coming from data feeds is integrated into a SIEM solution, you can provide your customers with better visibility on the threat landscape while also providing context so they can monitor the activities of malicious actors.
It’s also possible to use IP geolocation data so customers can increase or decrease the criticality based on the destination or source of certain network traffic. Combining a SIEM solution with geolocation technology can let providers automate the process of identifying network traffic—be it within the office or remotely.
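The three enrichment steps described above (configuration context, threat-feed correlation and geolocation) as an added Python example that is not from the original article; the asset inventory, threat feed, geolocation table and the signature-to-service mapping are constructed sample data.

```python
import ipaddress

LEVELS = ["low", "medium", "high", "critical"]

# Constructed configuration-management data: services known to run on each host.
ASSET_INVENTORY = {"web-01": {"http", "mysql"}, "file-01": {"smb"}}
# Services a signature needs on the target for the attack to succeed (constructed).
SIGNATURE_TARGETS = {"sql_injection": {"mysql", "mssql", "postgres"}}
# Constructed threat feed: IP blocks attributed to a known actor.
THREAT_FEED = {"203.0.113.0/24": "known-actor-A"}
# Constructed geolocation table plus the countries traffic is expected from.
GEO = {"203.0.113.7": "XX", "198.51.100.9": "US"}
EXPECTED_COUNTRIES = {"US"}


def bump(level, steps):
    """Move a severity up (positive) or down (negative) along LEVELS, clamped."""
    idx = min(max(LEVELS.index(level) + steps, 0), len(LEVELS) - 1)
    return LEVELS[idx]


def feed_actor(ip):
    """Return the actor name if ip falls inside a threat-feed block, else None."""
    addr = ipaddress.ip_address(ip)
    for block, actor in THREAT_FEED.items():
        if addr in ipaddress.ip_network(block):
            return actor
    return None


def enrich(alert):
    """Apply context, feed and geolocation checks; returns an adjusted copy."""
    out = dict(alert, notes=[])
    # 1. Context: the host runs nothing the signature can hit -> false positive.
    needed = SIGNATURE_TARGETS.get(out["signature"])
    if needed and not needed & ASSET_INVENTORY.get(out["host"], set()):
        out["severity"] = "suppressed"
        out["notes"].append(f'{out["host"]} runs no service targeted by {out["signature"]}')
        return out
    # 2. Threat feed: a source attributed to a known actor is raised to "high".
    actor = feed_actor(out["src_ip"])
    if actor:
        out["severity"] = "high"
        out["notes"].append(f"source block attributed to {actor}")
    # 3. Geolocation: an unexpected source country bumps severity one step.
    country = GEO.get(out["src_ip"])
    if country and country not in EXPECTED_COUNTRIES:
        out["severity"] = bump(out["severity"], 1)
        out["notes"].append(f"source geolocated to {country}")
    return out
```

The alert dict is copied rather than mutated, so the original event record stays intact for audit while the enriched copy carries the adjusted severity and the reasons for it.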
Apply Log Categorization and Standardization
SIEM systems that are not configured to process only security-related data generate a lot of noise, which in turn leads to false positives. Irrelevant information such as compliance, performance, and packet traffic data adds an unnecessary burden on organizations.
To overcome this problem, SIEM vendors are advised to incorporate log categorization and standardization into their products. Categorization adds meaning to events, while standardization merges events that share common attributes, minimizing information overload.
SIEM solutions that process only data related to security incidents significantly reduce the events-per-second rate, and with it the number of potential false positives.
* * *
SIEM solutions play an integral part in keeping organizations safe from a wide range of threats, but irrelevant alerts take a toll on the specialists who operate them. By heeding the tips above, you can markedly lower the number of false positives from your SIEM product.