WEBVTT

1
00:00:00.000 --> 00:00:01.230
<v Instructor>In this lesson,</v>

2
00:00:01.230 --> 00:00:04.147
we will learn about alert analysis.

3
00:00:04.147 --> 00:00:09.147
Alert analysis is reviewing and interpreting security alerts

4
00:00:09.270 --> 00:00:14.010
to distinguish between genuine threats and benign activity.

5
00:00:14.010 --> 00:00:15.930
Alert analysis concepts

6
00:00:15.930 --> 00:00:20.040
include false positives and false negatives.

7
00:00:20.040 --> 00:00:22.590
False positives occur when a system

8
00:00:22.590 --> 00:00:27.510
incorrectly flags harmless activity as a security threat.

9
00:00:27.510 --> 00:00:29.670
False negatives, on the other hand,

10
00:00:29.670 --> 00:00:34.440
happen when a system fails to detect real security threats.

11
00:00:34.440 --> 00:00:36.960
Let's learn more about false positives

12
00:00:36.960 --> 00:00:40.050
and false negatives as they are associated

13
00:00:40.050 --> 00:00:44.580
with intrusion prevention and detection systems.

14
00:00:44.580 --> 00:00:47.490
First, we have false positives.

15
00:00:47.490 --> 00:00:49.260
A false positive occurs

16
00:00:49.260 --> 00:00:52.530
when an intrusion prevention system or IPS

17
00:00:52.530 --> 00:00:56.010
or an intrusion detection system or IDS

18
00:00:56.010 --> 00:01:00.930
incorrectly flags harmless activity as a security threat.

19
00:01:00.930 --> 00:01:04.140
This can result in unnecessary alerts

20
00:01:04.140 --> 00:01:06.900
and can overwhelm security teams

21
00:01:06.900 --> 00:01:10.500
with investigations into benign activities

22
00:01:10.500 --> 00:01:12.930
that pose no real threat.

23
00:01:12.930 --> 00:01:17.190
Imagine an IPS or IDS that triggers an alert

24
00:01:17.190 --> 00:01:21.960
every time an authorized internal network scan occurs.

25
00:01:21.960 --> 00:01:24.900
This would be similar to a fire alarm going off

26
00:01:24.900 --> 00:01:28.500
when someone cooks bacon for breakfast every morning.

27
00:01:28.500 --> 00:01:32.520
In both cases, while the system is functioning correctly,

28
00:01:32.520 --> 00:01:35.430
it is flagging non-threatening events,

29
00:01:35.430 --> 00:01:39.600
pulling attention away from genuine security risks.

30
00:01:39.600 --> 00:01:44.600
So with an overly sensitive IDS or IPS configuration,

31
00:01:45.300 --> 00:01:49.200
normal business traffic or routine network activity

32
00:01:49.200 --> 00:01:51.960
can be misinterpreted as malicious,

33
00:01:51.960 --> 00:01:56.610
leading to wasted time and resources in investigation.

34
00:01:56.610 --> 00:02:01.200
Managing false positives in IDS and IPS platforms

35
00:02:01.200 --> 00:02:04.830
requires fine-tuning the system's detection rules

36
00:02:04.830 --> 00:02:09.830
to minimize noise while still identifying real threats.

37
00:02:09.870 --> 00:02:14.010
For instance, an intrusion detection system or IDS

38
00:02:14.010 --> 00:02:18.120
might block legitimate traffic between trusted endpoints,

39
00:02:18.120 --> 00:02:22.170
like a company's internal server and a client machine

40
00:02:22.170 --> 00:02:25.290
because it mistakenly interprets that activity

41
00:02:25.290 --> 00:02:27.690
as a potential threat.

42
00:02:27.690 --> 00:02:32.610
In this case, the security team may need to create a rule

43
00:02:32.610 --> 00:02:36.930
that allows traffic from the internal server's IP address

44
00:02:36.930 --> 00:02:39.720
to the client machine's IP address,

45
00:02:39.720 --> 00:02:44.040
while maintaining monitoring for any abnormal behavior

46
00:02:44.040 --> 00:02:47.100
outside of this trusted interaction.

47
00:02:47.100 --> 00:02:51.120
This rule might include an allow list entry

48
00:02:51.120 --> 00:02:55.470
that identifies trusted IP addresses or ports

49
00:02:55.470 --> 00:02:57.690
specifying that all traffic

50
00:02:57.690 --> 00:03:02.310
between these sources is allowed without raising an alert.

51
00:03:02.310 --> 00:03:06.600
Additionally, the team might adjust the alert thresholds.

52
00:03:06.600 --> 00:03:09.570
So the IDS only flags traffic

53
00:03:09.570 --> 00:03:12.510
if it exceeds specific patterns,

54
00:03:12.510 --> 00:03:16.500
such as an unusually high data transfer rate

55
00:03:16.500 --> 00:03:19.470
or abnormal protocols being used,

56
00:03:19.470 --> 00:03:22.320
which could signal a real threat.

57
00:03:22.320 --> 00:03:26.310
So continuously monitoring and tweaking these rules

58
00:03:26.310 --> 00:03:29.190
ensures the system remains flexible,

59
00:03:29.190 --> 00:03:31.530
capturing actual threats,

60
00:03:31.530 --> 00:03:34.590
while preventing legitimate business activities

61
00:03:34.590 --> 00:03:37.620
from triggering unnecessary alerts.

62
00:03:37.620 --> 00:03:42.030
The impact of false positives can be significant.

63
00:03:42.030 --> 00:03:46.920
Security analysts may spend hours investigating non-issues,

64
00:03:46.920 --> 00:03:50.280
diverting resources from genuine threats.

65
00:03:50.280 --> 00:03:52.050
In high-risk environments,

66
00:03:52.050 --> 00:03:56.010
this can lead to delays in addressing actual threats,

67
00:03:56.010 --> 00:03:58.380
giving malicious actors more time

68
00:03:58.380 --> 00:04:00.660
to exploit vulnerabilities.

69
00:04:00.660 --> 00:04:05.660
So ensure that IDS and IPS systems are calibrated correctly

70
00:04:06.810 --> 00:04:08.940
to minimize false positives

71
00:04:08.940 --> 00:04:12.270
by regularly updating detection rules,

72
00:04:12.270 --> 00:04:14.430
customizing alert settings

73
00:04:14.430 --> 00:04:16.530
and training security staff

74
00:04:16.530 --> 00:04:20.970
to distinguish between false positives and true positives,

75
00:04:20.970 --> 00:04:25.710
where a true positive is an alert on an actual issue.

76
00:04:25.710 --> 00:04:28.740
Second, we have false negatives.

77
00:04:28.740 --> 00:04:30.540
A false negative occurs

78
00:04:30.540 --> 00:04:34.860
when an IPS or IDS system fails to detect

79
00:04:34.860 --> 00:04:37.140
an actual security threat,

80
00:04:37.140 --> 00:04:41.430
allowing malicious activity to occur undetected.

81
00:04:41.430 --> 00:04:43.350
This is like a fire alarm

82
00:04:43.350 --> 00:04:46.440
failing to sound during a real fire,

83
00:04:46.440 --> 00:04:50.340
leaving the building and its occupants at risk.

84
00:04:50.340 --> 00:04:53.515
False negatives can be extremely dangerous

85
00:04:53.515 --> 00:04:55.950
to an enterprise network.

86
00:04:55.950 --> 00:05:00.390
If an IDS or IPS misses a malware infection

87
00:05:00.390 --> 00:05:02.280
or an ongoing attack,

88
00:05:02.280 --> 00:05:05.520
an attacker could move laterally throughout the network,

89
00:05:05.520 --> 00:05:08.850
steal data, or disrupt operations

90
00:05:08.850 --> 00:05:12.510
without anyone noticing until it is too late.

91
00:05:12.510 --> 00:05:16.830
Overall, false negatives create a false sense of security

92
00:05:16.830 --> 00:05:19.110
as the security team may believe

93
00:05:19.110 --> 00:05:21.240
everything is functioning normally,

94
00:05:21.240 --> 00:05:26.070
when in reality a threat is active and undetected.

95
00:05:26.070 --> 00:05:29.100
Detecting and minimizing false negatives

96
00:05:29.100 --> 00:05:31.980
requires a multi-layered approach,

97
00:05:31.980 --> 00:05:34.920
combining different detection techniques,

98
00:05:34.920 --> 00:05:37.890
such as signature-based detection,

99
00:05:37.890 --> 00:05:41.880
behavioral analysis, and anomaly detection.

100
00:05:41.880 --> 00:05:45.720
Signature-based detection compares network activity

101
00:05:45.720 --> 00:05:47.670
to known threat patterns,

102
00:05:47.670 --> 00:05:51.930
but it can miss new or sophisticated attacks.

103
00:05:51.930 --> 00:05:55.080
Behavioral analysis looks for deviations

104
00:05:55.080 --> 00:05:57.270
from normal network behavior,

105
00:05:57.270 --> 00:05:59.910
which can highlight suspicious activity

106
00:05:59.910 --> 00:06:03.480
even if no known threat signature is present.

107
00:06:03.480 --> 00:06:07.110
And anomaly detection uses machine learning

108
00:06:07.110 --> 00:06:09.270
to flag irregular patterns

109
00:06:09.270 --> 00:06:12.570
that fall outside predefined baselines,

110
00:06:12.570 --> 00:06:15.840
adding yet another layer of protection.

111
00:06:15.840 --> 00:06:19.860
The combination of these methods and not just one of them

112
00:06:19.860 --> 00:06:23.610
is most likely to detect a false negative.

113
00:06:23.610 --> 00:06:26.760
Additionally, using multiple security tools

114
00:06:26.760 --> 00:06:30.150
in conjunction with the IDS and IPS,

115
00:06:30.150 --> 00:06:35.130
like firewalls, antivirus software and endpoint detection

116
00:06:35.130 --> 00:06:37.770
helps to ensure that even subtle

117
00:06:37.770 --> 00:06:41.280
or new types of attacks are identified.

118
00:06:41.280 --> 00:06:45.990
The use of multiple tools provides overlapping protection

119
00:06:45.990 --> 00:06:49.470
so that if one system fails to detect a threat,

120
00:06:49.470 --> 00:06:51.150
another may catch it.

121
00:06:51.150 --> 00:06:54.780
Finally, cross-referencing data between tools

122
00:06:54.780 --> 00:06:57.660
and integrating threat intelligence feeds

123
00:06:57.660 --> 00:07:01.320
allows for even more comprehensive detection,

124
00:07:01.320 --> 00:07:04.140
reducing the risk of false negatives,

125
00:07:04.140 --> 00:07:08.580
as well as improving overall network security.

126
00:07:08.580 --> 00:07:12.420
So remember, alert analysis involves

127
00:07:12.420 --> 00:07:15.630
reviewing and interpreting security alerts

128
00:07:15.630 --> 00:07:18.000
to identify real threats,

129
00:07:18.000 --> 00:07:21.300
while filtering out benign activity.

130
00:07:21.300 --> 00:07:25.260
Two key concepts in this effort are false positives,

131
00:07:25.260 --> 00:07:28.020
where a detection system incorrectly flags

132
00:07:28.020 --> 00:07:30.120
normal activity as a threat,

133
00:07:30.120 --> 00:07:34.710
and false negatives, where real threats go undetected.

134
00:07:34.710 --> 00:07:38.430
False positives can overwhelm security teams

135
00:07:38.430 --> 00:07:40.650
with unnecessary alerts,

136
00:07:40.650 --> 00:07:43.080
wasting time and resources,

137
00:07:43.080 --> 00:07:46.530
and potentially leading to alert fatigue.

138
00:07:46.530 --> 00:07:49.140
So to reduce false positives,

139
00:07:49.140 --> 00:07:52.170
security teams adjust detection rules,

140
00:07:52.170 --> 00:07:54.840
create allow lists for trusted traffic,

141
00:07:54.840 --> 00:07:57.480
and monitor system performance.

142
00:07:57.480 --> 00:07:59.910
False negatives, on the other hand,

143
00:07:59.910 --> 00:08:03.990
allow malicious activity to occur undetected,

144
00:08:03.990 --> 00:08:06.780
posing a more serious risk.

145
00:08:06.780 --> 00:08:09.690
So detecting false negatives

146
00:08:09.690 --> 00:08:12.450
requires a multi-layered approach,

147
00:08:12.450 --> 00:08:15.330
combining signature-based detection,

148
00:08:15.330 --> 00:08:19.380
behavioral analysis, and anomaly detection.

149
00:08:19.380 --> 00:08:22.020
Then, by using additional tools,

150
00:08:22.020 --> 00:08:26.880
like firewalls, antivirus software and endpoint detection,

151
00:08:26.880 --> 00:08:28.770
security teams can catch

152
00:08:28.770 --> 00:08:31.560
those subtle or sophisticated attacks

153
00:08:31.560 --> 00:08:33.780
that might otherwise be missed,

154
00:08:33.780 --> 00:08:37.110
reducing the occurrence of both false positives

155
00:08:37.110 --> 00:08:41.433
and false negatives for effective threat detection.

