False Positive in a SIEM


People always try to convince me that SIEM gives a lot of false positives. I am surprised by this accusation of a “Passive” Technology like SIEM that I decided to blog about it. I call SIEM technology to be Passive in the first place because these systems are not changing anything on the IT Infrastructure nor are they Defending against anything. They are simply a “log pattern matching” tool. It’s as true as the logs being fed into it for Matching against what SIEM Industry calls as Correlation Rules. Correlation rules in SIEM are nothing but a set of patterns in the Logs to watch for and alert on.

Lets take an example of a typical SIEM Analysis scenario

Rule in SIEM – Identify Port Scan or Network Scan happening in the Network followed by successful connection on an open port.
Rule Logic – IDS Signature based detection or Pattern Based Detection from Network Firewalls (X number of Port Connections in Y Time from the same IP Address)
Rule Output – Source IP, Destination IP, Port Numbers

Based on the IP Address and Port information, analysis was done on what is happening in the Network between these two machines. At the end of the Analysis the Security Analyst found that the behavior of Source IP is expected or normal and there is nothing malicious about it. He collects the evidentiary data (whether the data collected justifies this behavior or not is a different question but not important at this point in time), follows the Incident Management life cycle and closes this Incident as “False Positive”.

For me, categorization of the Entire Event as False positive is where the problem is. This is not a False Alarm. This Alert did what it was supposed to do or rather designed to do. The Pattern Matcher detected the pattern and triggered an alert. If the pattern is wrong, the pattern needs to be updated and not deemed as False Alarm. From a Security Point of view, this entire Analysis might help in understanding your Network better, Applications better and the Security Gaps better.
In my life, I have come across several instances where such “False Positives” have turned out to be gold mines to gather valuable information about the things happening in your network. Sometimes, such events open our eyes to previously unknown or unseen Security Risks in the organization.

For me they are just “Positives” and there is nothing “False” about it!!!

2 thoughts on “False Positive in a SIEM”

  1. yes you are right!! Rather we should do trending in my opinion to see what are all sources through most of these alerts and why? and those are good indication that something are wrong and need attention to finetune it!!!!

    1. Agreed!!! Trending is the way to go. Analyzing what is normal and what is not normal based on past trends will give a better picture about our Network.
      Most of the recent research in towards big data analytics that will help in better analysis

Leave a Reply to misnomer Cancel reply