From: InfoSec Community Forums
Quoting Diary:
Continuing our theme of False Positives this month, I’d like to talk about the process of managing false positives we encounter in the course of analysis. False positives will almost always show at some point during a security analysis, which leads to unwanted additional work on the part of either the sysadmins, security teams, or both. Even worse, continued false positives can lead to complacency during analysis, where things are ‘assumed’ false because they have been seen before, and allowed to pass as normal when indeed it would be a symptom of malicious behavior.
Managing false positives in our testing and analysis is part of the overall security process, which can be used to identify and eliminate false positives. Pieces of the process which are key to the lifecycle management are:
-
-Configuration Management (we need to know what we have on our hosts, and what it should be doing)
-
-Ports, Protocols, and Services baseline (need to know what we have on the wire, and where it’s going)
-
-Continuous Monitoring (Either monitoring the wire, or the host; this will tell us when a condition occurs which requires our attention)
Leave a Reply