IDFAQ: What should I do to mitigate false positives?

False positives must be mitigated as much as possible while still not creating new false negatives.

A few steps that will greatly reduce the number of false positives follow:

  1. Disable rules that are not relevant to your environment. For example, if you do not run Apache servers there is no reason to watch for attacks against Apache.
  2. When using anomaly detection IDS be sure to re-train for new applications as needed.
  3. Where possible, edit rules that are too broad.
  4. When rules cannot be edited, create tight bypass rules that allow the legitimate traffic to pass without triggering an alert.
  5. For rules that are situational, be sure they are only enabled where they are relevant. For example, NBT traffic inside a Windows LAN environment is normal, yet the same traffic coming from the Internet may not be normal.
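As an added illustration of steps 1, 3, 4 and 5 (not part of the original FAQ), the fragment below shows how a Snort-style local rules file would apply them; HOME_NET, EXTERNAL_NET and HTTP_PORTS are assumed to be defined in the main configuration, and the addresses, SIDs and rule contents are constructed for the example.

```snort
# Added example (not part of the original FAQ): Snort-style local rules
# applying the tuning steps above. Addresses and SIDs are constructed.
# Assumes HOME_NET, EXTERNAL_NET and HTTP_PORTS are set in the main config.

# Step 1: no Apache servers here, so an Apache-specific rule stays disabled
# (commented out) instead of alerting on traffic nobody needs to act on.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LOCAL Apache server-status probe"; flow:to_server,established; content:"/server-status"; sid:1000001; rev:1;)

# Step 3: a rule that matches "cmd.exe" anywhere in any TCP stream is too
# broad (it fires on outbound file transfers, mail, backups, etc.).
# Before (too broad):
# alert tcp any any -> any any (msg:"LOCAL cmd.exe in stream"; content:"cmd.exe"; sid:1000002; rev:1;)
# After: restricted to inbound, established HTTP requests to our web servers.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LOCAL cmd.exe in inbound HTTP request"; flow:to_server,established; content:"cmd.exe"; nocase; sid:1000002; rev:2;)

# Step 4: a vendor rule that cannot be edited keeps firing on the authorized
# vulnerability scanner. A tight pass rule exempts only that host, only to
# the web ports; never write a pass rule for "any any".
pass tcp 192.0.2.10 any -> $HOME_NET $HTTP_PORTS (msg:"LOCAL authorized scanner to web servers"; sid:1000003; rev:1;)
# Pass rules only suppress alerts if the engine evaluates them before alert
# rules; check the rule-order setting of your IDS before relying on this.

# Step 5: NBT name service and session traffic is normal inside the Windows
# LAN, so the rules are scoped to traffic arriving from outside rather than
# any-to-any, which would alert on every internal browse-list exchange.
alert udp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"LOCAL NBT name service query from Internet"; sid:1000004; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"LOCAL NBT session request from Internet"; flags:S; sid:1000005; rev:1;)
```

After each change, re-run the rules against a capture of known-bad traffic to confirm the narrowing did not turn a former detection into a false negative.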

Daniel Owen