False Positives and Alarm Notifications in AlienVault USM – Tip of the Month August 2017
Hello, I'm Alan Foster and I am a member of the technical team at AlienVault. I will be sharing some secrets (not really secrets) about AlienVault USM Anywhere and how you can be more effective when it comes to identifying existing and emerging threats, performing incident response and fine-tuning controls in your environment. Stick around, there is some pretty cool stuff to be covered here!
Today, let's talk about a common use case: false positives and notifications for alarms. There are times when we are too busy to sift through and validate thousands of alarms to determine whether they are actionable. That painful process is not a good use of any security professional's time, especially when new threats and malicious individuals constantly probing for weaknesses already keep you busy ensuring your environment remains secure. With all the alarms, events and other anomalies you receive, it is easy to miss the information that matters most.
So what can we do about it?
We have identified the pain point of false positives, and also the challenge of picking out potential high-priority issues. Proactive alerting is critical when issues do occur, but it is important to take this a step further. Even if you are not looking at a dashboard all day, you are still sifting through the email alerts that have been forwarded to you, and you may be spending the same amount of precious time looking through thousands of those notifications in your inbox.
In USM Anywhere we can help with this, and here is how. First, the Suppression Rules functionality lets you define conditions from the attributes of an alarm or an event, on demand, right from that alarm or event. See our documentation on Alarm Suppression HERE.
Let's take a look at the example below. We have a "Desktop Software - File Sharing - Dropbox" alarm, and in this example the file sharing has been validated and deemed a false positive. We can easily create a general rule to suppress these going forward. Keep the rule's conditions as specific as your validation justifies (for example, the alarm name together with the sanctioned source or user), so that it silences only the case you verified and not every alarm in that category.
So what about receiving only high-severity alarms, leaving out the lows and mediums?
No problem: through Security Orchestration we can limit the type of alarms you receive by email. As a use case, let's say we only want high-priority alarms to reach a particular inbox (perhaps a recipient who is on call). We have already set up rules for false positives, which helps significantly, but now we want to take this a step further from the recipient's perspective. More on how alarm priorities in USM Anywhere work can be found HERE. Let's check it out below…
Enter a priority value, i.e. anything above 66 is considered
Choose the notification action and enter the recipient email
Alarm notification received for a "High Priority"
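To make the two-stage logic concrete (suppression rules evaluated first, then a priority threshold deciding who gets emailed), here is an added illustration in plain Python. It is not USM Anywhere code and it does not use the USM Anywhere API; the alarm field names (name, priority, source, user, category), the sample alarms other than the Dropbox one, and the recipient address are constructed for the example. It also adds the check a practitioner wants before committing a suppression rule: a dry run that reports how many alarms the rule would silence and how many of those sit above the high-priority threshold.

```python
"""Two-stage alarm triage: suppression rules first, then priority-based
notification routing. Added illustration, not USM Anywhere code; field
names and sample alarms are assumptions made for this example."""
from collections import defaultdict
from dataclasses import dataclass

# Priority above this value is treated as "High" for notification purposes
# (the threshold used in the post's example).
HIGH_PRIORITY_THRESHOLD = 66


@dataclass
class SuppressionRule:
    """Suppress alarms whose attributes equal every condition (logical AND)."""
    name: str
    conditions: dict

    def matches(self, alarm: dict) -> bool:
        return all(alarm.get(k) == v for k, v in self.conditions.items())


@dataclass
class NotificationRule:
    """Email recipients when an unsuppressed alarm's priority exceeds priority_above."""
    name: str
    priority_above: int
    recipients: list

    def matches(self, alarm: dict) -> bool:
        return alarm["priority"] > self.priority_above


def suppressed_by(alarm: dict, rules: list):
    """Return the first suppression rule that matches the alarm, or None."""
    return next((r for r in rules if r.matches(alarm)), None)


def triage(alarms: list, suppression_rules: list, notification_rules: list) -> dict:
    """Apply suppression before notification, so a suppressed alarm never emails anyone."""
    result = {"visible": [], "suppressed": [], "notifications": defaultdict(list)}
    for alarm in alarms:
        rule = suppressed_by(alarm, suppression_rules)
        if rule is not None:
            result["suppressed"].append((alarm["name"], rule.name))
            continue
        result["visible"].append(alarm["name"])
        for nrule in notification_rules:
            if nrule.matches(alarm):
                for recipient in nrule.recipients:
                    result["notifications"][recipient].append(alarm["name"])
    result["notifications"] = dict(result["notifications"])
    return result


def suppression_dry_run(rule: SuppressionRule, alarms: list) -> dict:
    """Before committing a suppression rule, count what it would silence and
    how many of those alarms are high priority (a too-broad rule hides real threats)."""
    hit = [a for a in alarms if rule.matches(a)]
    high = [a for a in hit if a["priority"] > HIGH_PRIORITY_THRESHOLD]
    return {"total": len(hit), "high": len(high)}


# Constructed sample alarms (not real USM Anywhere output).
ALARMS = [
    {"name": "Desktop Software - File Sharing - Dropbox", "priority": 30,
     "source": "10.0.1.15", "user": "jdoe", "category": "Policy Violation"},
    {"name": "Desktop Software - File Sharing - Dropbox", "priority": 30,
     "source": "10.0.1.40", "user": "asmith", "category": "Policy Violation"},
    {"name": "Reconnaissance & Probing - Port Scan", "priority": 50,
     "source": "203.0.113.9", "user": None, "category": "Reconnaissance"},
    {"name": "Exploitation & Installation - Malware Beacon", "priority": 80,
     "source": "10.0.1.22", "user": "jdoe", "category": "Malware"},
]

SUPPRESSION = [
    # Validated false positive: Dropbox use is sanctioned, so suppress that alarm name
    # in that category only, not everything those users generate.
    SuppressionRule("Dropbox approved",
                    {"name": "Desktop Software - File Sharing - Dropbox",
                     "category": "Policy Violation"}),
]

NOTIFICATION = [
    NotificationRule("On-call: high only", HIGH_PRIORITY_THRESHOLD, ["oncall@example.com"]),
]

if __name__ == "__main__":
    # A rule keyed only on the user would also swallow the malware alarm; the dry run shows it.
    too_broad = SuppressionRule("All jdoe alarms", {"user": "jdoe"})
    print("dry run, too broad:", suppression_dry_run(too_broad, ALARMS))
    print("dry run, scoped:", suppression_dry_run(SUPPRESSION[0], ALARMS))
    print(triage(ALARMS, SUPPRESSION, NOTIFICATION))
```

Running it, the two Dropbox alarms are suppressed, the port scan stays visible but is below the threshold, and only the priority-80 alarm reaches the on-call address. The dry run of the over-broad "All jdoe alarms" rule reports one high-priority hit, which is exactly the kind of rule you do not want to save.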
In summary, we easily configured a rule to suppress false positives and a second rule so that only high-priority alarms are received by email. Together these two actions significantly reduce noise and help ensure that an end user receives only the high-priority alarms he or she needs to focus on, rather than being inundated with alarms of every priority. Critical items stay at the forefront, and the end user can prioritize accordingly.
Thanks for reading and if you have any questions, or if there is a particular topic you would like me to cover please feel free to leave a comment below. See you next time.