Security leaders say that web application firewall (WAF) experts analyze a huge volume of alerts, a large share of which turn out to be false positives.
CIOs point out that security teams use a WAF to let authorized traffic in and block malicious actors. When false-positive events occur, they clutter the alert feed and block authorized traffic, which is not ideal network behavior.
Security leaders say that false-positive events are often the result of bad practices or bugs in the application, and that they cause alert fatigue in the monitoring team. Other events are due to a generic WAF rule, or rules that do not apply to how the site actually works.
IT leaders believe that an effective way to eliminate such false positives is to update or tweak the WAF rules. At times this means taking a risk on the servers by disabling some of the configured security rules. On the positive side, this feedback can make an ML detection system sharper and more agile.
Attack Analytics for Cybersecurity
CIOs prefer attack analytics to reduce the volume of alerts security departments receive each day. The Imperva solution sorts thousands of alerts into a manageable, prioritized, and investigable set of issues, which gives new meaning to the WAF alerts.
Most alerts carry information about a single HTTP request, such as the HTTP parameters, target URL, and source IP. CIOs say that Attack Analytics works by providing insights on an incident as a whole, including all URLs targeted by the attackers, the number of sources that took part in the attack, and the different types of client tools used in it.
With these details available, it is easier for security leaders to handle the false-positive cases.
Detecting false positives in Attack Analytics
CIOs say that by using the new insights Attack Analytics provides, it is possible to deploy a statistical strategy to detect false positives: a supervised machine-learning model can be developed that flags Attack Analytics issues as false positives.
The model can be based on factors present in an incident, such as the number of source IPs, browsers, and targeted URLs, and the time of the incident.
Classifying attacks using ML
Attacks can be classified based on the data of each attack. In such scenarios, true attacks are easy to identify due to obvious factors. The attack stats on each incident, when segmented properly, provide a list of factors that can then be used to identify potential attacks in the future.
Machine learning can then provide a high level of insight that serves as the first line of defense. Security teams say that, by generic standards, the ratio of false positives to true incidents is around 1:10.
A sufficient number of false-positive cases helps create a complete data set for identifying potential cases. They point out that the data used to build the datasets must be precise to ensure the efficiency of the ML model.
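The following is an added example, not code from the article or from Imperva's Attack Analytics. It shows both halves of the approach described above: first, single-request WAF alerts are grouped into incidents and summarised by the factors the article lists (request volume, distinct source IPs, distinct targeted URLs, distinct client tools, time of day); second, a small supervised classifier (plain logistic regression, no external libraries) is trained on labelled incidents and applied to the new ones. All alerts, rule names, IP addresses, user agents, labelled incidents and labels are constructed for illustration. The constructed training set is balanced for brevity; the article's stated ratio of roughly 1:10 false positives to true incidents means a real training set is imbalanced, so evaluation should look at precision and recall on the false-positive class rather than overall accuracy alone.

```python
"""Added example (not from the original article): aggregate single-request WAF
alerts into incidents, derive incident-level features, and train a small
supervised classifier that flags likely false positives."""
import math
from collections import defaultdict
from datetime import datetime, timedelta

# --- Constructed raw alerts: (timestamp, source IP, URL, user agent, rule name) ---
UA_USER = "Mozilla/5.0 (X11; Linux x86_64) Firefox/123.0"          # constructed
UA_TOOLS = ["curl/8.4.0", "python-requests/2.31", "scanner/1.0", "zgrab/0.x"]  # constructed
RAW_ALERTS = []
# One legitimate user re-submitting the same search form that trips a SQLi rule
# (a typical false positive: one IP, one URL, one browser).
for i in range(5):
    t = datetime(2024, 3, 1, 10, 0, 5) + timedelta(seconds=40 * i)
    RAW_ALERTS.append((t.isoformat(), "198.51.100.7", "/search", UA_USER, "sqli-rule"))
# Many sources and tools probing many URLs in the same window (a typical true attack).
for i in range(20):
    t = datetime(2024, 3, 1, 10, 0, 0) + timedelta(seconds=20 * i)
    RAW_ALERTS.append((t.isoformat(), f"203.0.113.{i % 10 + 1}", f"/admin/page{i}",
                       UA_TOOLS[i % 4], "rfi-rule"))


def incident_features(reqs):
    """Incident-level factors: request volume, distinct sources, distinct
    targeted URLs, distinct client tools and hour of day."""
    return {
        "requests": len(reqs),
        "src_ips": len({ip for _, ip, _, _ in reqs}),
        "urls": len({url for _, _, url, _ in reqs}),
        "user_agents": len({ua for _, _, _, ua in reqs}),
        "hour": min(t for t, _, _, _ in reqs).hour,
    }


def build_incidents(alerts, window_minutes=10):
    """Group per-request alerts by (rule, time window) and summarise each group."""
    groups = defaultdict(list)
    for ts, ip, url, ua, rule in alerts:
        t = datetime.fromisoformat(ts)
        window = t.replace(minute=t.minute - t.minute % window_minutes, second=0, microsecond=0)
        groups[(rule, window.isoformat())].append((t, ip, url, ua))
    return {key: incident_features(reqs) for key, reqs in groups.items()}


# --- Constructed labelled incidents: label 1 = false positive, 0 = true attack ---
LABELLED_INCIDENTS = [
    ({"requests": 40, "src_ips": 1, "urls": 1, "user_agents": 1, "hour": 9}, 1),
    ({"requests": 12, "src_ips": 2, "urls": 1, "user_agents": 2, "hour": 14}, 1),
    ({"requests": 80, "src_ips": 3, "urls": 2, "user_agents": 2, "hour": 11}, 1),
    ({"requests": 5, "src_ips": 1, "urls": 1, "user_agents": 1, "hour": 10}, 1),
    ({"requests": 200, "src_ips": 4, "urls": 1, "user_agents": 3, "hour": 16}, 1),
    ({"requests": 500, "src_ips": 60, "urls": 120, "user_agents": 8, "hour": 3}, 0),
    ({"requests": 30, "src_ips": 1, "urls": 25, "user_agents": 1, "hour": 2}, 0),
    ({"requests": 1500, "src_ips": 300, "urls": 40, "user_agents": 20, "hour": 4}, 0),
    ({"requests": 90, "src_ips": 15, "urls": 60, "user_agents": 3, "hour": 23}, 0),
    ({"requests": 20, "src_ips": 5, "urls": 18, "user_agents": 4, "hour": 1}, 0),
]


def to_vector(f):
    # log1p compresses heavy-tailed counts; the leading 1.0 is the bias term.
    return [1.0] + [math.log1p(f[k]) for k in ("requests", "src_ips", "urls", "user_agents")]


def sigmoid(z):
    # Numerically safe logistic function (avoids overflow for large |z|).
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    ez = math.exp(z)
    return ez / (1.0 + ez)


def train(samples, epochs=500, lr=0.05):
    """Logistic regression fitted with stochastic gradient descent on
    (feature dict, label) pairs; returns the weight vector."""
    w = [0.0] * 5
    for _ in range(epochs):
        for f, y in samples:
            x = to_vector(f)
            p = sigmoid(sum(wi * xi for wi, xi in zip(w, x)))
            for i in range(len(w)):
                w[i] -= lr * (p - y) * x[i]
    return w


def false_positive_probability(w, f):
    """Model's estimate that the incident is a false positive."""
    return sigmoid(sum(wi * xi for wi, xi in zip(w, to_vector(f))))


def accuracy(w, samples):
    hits = sum((false_positive_probability(w, f) >= 0.5) == bool(y) for f, y in samples)
    return hits / len(samples)


if __name__ == "__main__":
    weights = train(LABELLED_INCIDENTS)
    print(f"training accuracy: {accuracy(weights, LABELLED_INCIDENTS):.2f}")
    for key, feats in build_incidents(RAW_ALERTS).items():
        print(key, feats, f"P(false positive)={false_positive_probability(weights, feats):.2f}")
```

The single-user incident scores high as a false positive while the many-source, many-URL incident scores low; the distinct-URL and distinct-source counts carry most of the signal, which is exactly why per-request alerts are hard to triage and incident-level aggregation is not.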