A recent report by Texas-based IT security firm Advanced Data Analytics (ADA) has many in the MSP space talking. Most notably, the study found that nearly half of incident responders reported false-positive rates of 50 percent or more, and 22 percent of respondents reported false positives 75 to 99 percent of the time. Given the time it takes incident responders to analyze and remediate each false positive, the report tells a story of huge blocks of time lost by MSPs chasing alerts that turn out to be nothing.
Perhaps even more alarming, the strategies MSPs reported for coping with oppressive numbers of daily security alerts include narrowing alert criteria, turning off high-volume alerts or, shockingly, ignoring the alerts altogether. Each of those trades real detection coverage for quiet.
These numbers are not totally surprising. The problem of false positives is a relatively well-known one. A Ponemon Institute study from 2017, for instance, found that an average of 425 hours are lost each week responding to false positives, adding up to a cost of more than $1.2 million per year. The problem is so significant that one of the stated goals of IBM’s software system Watson is to address systems security issues without sounding a chorus of false alarms, according to SecurityIntelligence.com.
With so many dollars and man-hours at stake, an effective solution could make or break an MSP.
A better, cloud-based way forward
Making the switch to a cloud-based cybersecurity provider will put MSPs on the right path to reducing the impact of false positives on business operations. The reason has to do with the way threat definitions are updated via the cloud, versus the old-fashioned definition updates pushed as downloads by traditional antivirus providers.
To address a false positive with old-school definition updates, MSPs must create a service ticket, pass it along to their provider, and wait for the provider to push a fix to its definition file. Even in the best case, that fix typically takes 24 to 48 hours to make it through the vendor's quality control procedures and on to implementation. If the issue isn't major or buzzworthy, it can take weeks to get an antivirus supplier's attention.
With cloud-based definition updates, on the other hand, false positives can be addressed in mere minutes. As soon as the false positive is recognized and a change is made, the new classification takes effect for every endpoint that consults the cloud, with no new definition file to download (an endpoint that is offline picks the change up when it reconnects). An active cloud-based cybersecurity provider may be pushing routine definition updates more or less constantly, especially if it is well-resourced enough to have threat researchers working across time zones. This means effectively no gap between the discovery of a new threat and universal protection for the provider's users.
Custom rules for evaluating new binaries can also help reduce the number of false positives MSPs experience. For instance, a rule can recognize a valid digital signature from a trusted company and treat binaries signed with that publisher's certificate as known good. Product name and version information can serve as further confirmation that a new binary deserves to be whitelisted, leading to quicker categorization and reducing the chance of a false positive. The verified signature should carry the weight, though: product names and version strings are plain file metadata that anyone can set, so they should narrow a rule rather than substitute for a signature check.
Machine learning will also undoubtedly play a crucial role in addressing the problem of false positives. A larger, continuously updated corpus of file classifications, one that can only be assembled with computer-assisted learning, does a better job of moving unknown files into the known-good category, once more reducing the risk of false positives.
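As an added illustration (example code written for this page, not Webroot's or any product's actual logic), here is a Python sketch of the rule evaluation described above: a known-good hash or a verified signature from a pinned publisher certificate grants trust, product name and version strings only narrow a publisher rule, and an unsigned file that borrows a trusted product name is flagged rather than whitelisted. The publisher names, certificate thumbprints, hashes and sample files are all constructed for the example.

```python
"""Allowlist rule evaluation for newly seen binaries (illustrative example).

Every publisher, thumbprint, hash and sample file below is constructed for
this example; nothing here is a real vendor's certificate or product logic.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class BinaryMetadata:
    """What an endpoint agent can extract from a new executable.

    signature_valid means the Authenticode chain verified, the file hash
    matches the signed hash and no certificate in the chain is revoked.
    product_name / product_version come from the file's version resource and
    are set by whoever built the file, so they are never trusted on their own.
    """
    path: str
    sha256: str
    signature_valid: bool
    signer_thumbprint: Optional[str]
    signer_subject: Optional[str]
    product_name: Optional[str]
    product_version: Optional[str]


@dataclass(frozen=True)
class PublisherRule:
    """A trusted publisher, pinned by leaf-certificate thumbprint.

    Pinning the thumbprint rather than the subject string matters because a
    look-alike subject ("Contoso Ltd." vs "Contoso Ltd") can be bought from
    any CA. product_names, when non-empty, narrows the rule to named products.
    """
    name: str
    thumbprint: str
    product_names: FrozenSet[str] = frozenset()


# Constructed thumbprints (40 hex chars, like a SHA-1 cert thumbprint).
TRUSTED_PUBLISHERS = (
    PublisherRule("Contoso Software", "A1" * 20,
                  frozenset({"Contoso Backup Agent", "Contoso Backup Updater"})),
    PublisherRule("Fabrikam Tools", "B2" * 20),  # any product from this signer
)

# Constructed SHA-256 values for files an analyst has already cleared.
KNOWN_GOOD_HASHES: Dict[str, str] = {
    "c3" * 32: "internal line-of-business tool, cleared by analyst",
}


def evaluate(meta: BinaryMetadata) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow', 'review' or 'suspicious'."""
    if meta.sha256 in KNOWN_GOOD_HASHES:
        return "allow", "hash matches known-good file: " + KNOWN_GOOD_HASHES[meta.sha256]

    if meta.signature_valid and meta.signer_thumbprint:
        for rule in TRUSTED_PUBLISHERS:
            if rule.thumbprint != meta.signer_thumbprint:
                continue
            # Signature is the trust anchor; product name only narrows scope.
            if rule.product_names and meta.product_name not in rule.product_names:
                return "review", (f"signed by {rule.name} but product "
                                  f"'{meta.product_name}' is outside the rule")
            return "allow", f"verified signature from trusted publisher {rule.name}"
        return "review", f"valid signature from unlisted publisher {meta.signer_subject}"

    # Unsigned (or broken signature): metadata claims carry no weight, and a
    # trusted product name on an unsigned file looks like masquerading.
    if any(meta.product_name in r.product_names for r in TRUSTED_PUBLISHERS):
        return "suspicious", ("unsigned file claims product name of a trusted "
                              "publisher; possible masquerading")
    return "review", "unsigned, unknown file"


# Constructed sample files covering each branch of the rule set.
SAMPLES: Dict[str, BinaryMetadata] = {
    "vendor_signed": BinaryMetadata(
        r"C:\Program Files\Contoso\agent.exe", "11" * 32, True, "A1" * 20,
        "CN=Contoso Software", "Contoso Backup Agent", "4.2.0"),
    "spoofed_metadata": BinaryMetadata(
        r"C:\Users\Public\agent.exe", "22" * 32, False, None, None,
        "Contoso Backup Agent", "4.2.0"),
    "unknown_signer": BinaryMetadata(
        r"C:\Temp\setup.exe", "33" * 32, True, "D4" * 20,
        "CN=Some New Vendor", "Widget Installer", "1.0"),
    "signed_outside_rule": BinaryMetadata(
        r"C:\Temp\shell.exe", "44" * 32, True, "A1" * 20,
        "CN=Contoso Software", "Contoso Remote Shell", "0.9"),
    "known_hash": BinaryMetadata(
        r"C:\Tools\lob.exe", "c3" * 32, False, None, None, "LOB Tool", "2.1"),
}


def classify_samples() -> Dict[str, str]:
    """Verdict for every constructed sample, keyed by sample name."""
    return {name: evaluate(meta)[0] for name, meta in SAMPLES.items()}


if __name__ == "__main__":
    for name, meta in SAMPLES.items():
        verdict, reason = evaluate(meta)
        print(f"{name:20} {verdict:10} {reason}")
```

The point of the ordering is that only two things ever produce "allow": an analyst-cleared hash or a verified signature from a pinned certificate. The product-name check can demote a signed file to review, but it can never promote an unsigned one, which is exactly the mistake a name-based whitelist rule invites.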
Opportunity for change
The balancing act involving tight security measures and false positives is a complicated one. But smarter solutions for tackling the problem do exist. For MSPs, cloud-based security solutions and machine learning represent opportunities to reduce the time spent analyzing false-positive threats and to put more time and effort into tackling real security issues.
Webroot was the first in its industry to harness the cloud for cybersecurity. It’s what helps us assist MSPs in providing a better client experience, doing more with the staff on hand, lowering operating costs, and improving margins. If you’d like to talk about how we may be able to help your business, contact us about our partner program, or start your free, 30-day trial of our SecureAnywhere® Business Endpoint Protection.