Security Training
Security Certification
Cyber Security Graduate School
Internet Storm Center
Security Awareness Training
Computer Forensics
Penetration Testing
IT Audit
Software SecurityWhat should I do to mitigate false positives?
False positives must be mitigated as much as possible while still not creating new false negatives.
A few steps that will greatly reduce the number of false positives follow:
- Disable rules that are not relative to your environment. For example if you do not run Apache servers there is no reason to watch for attacks against Apache.
- When using anomaly detection IDS be sure to re-train for new applications as needed.
- Where possible, edit rules that are too broad.
- When rules can not be edited, create tight bypass rules that allow the legitimate traffic to pass without triggering an alert.
- For rules that are situational, be sure they are only enabled where they are relevant. For example, NBT traffic inside a Windows LAN environment is normal yet, the same traffic coming from the Internet may not be normal.
Daniel Owen
www.danielowen.com
Check Them Out!
SANS provides the best up to date training relating to security issues. The sessions are relevant and well presented with well written manuals.
-Ravindranath Goswami, The Power Generation Company of Trinidad and Tobago Ltd.
