A type of behavior or action that seems abnormal when observed in the context of an organization and a user's historical activity. It is typically analyzed using some sort of machine-learning algorithm that builds a profile based upon historical event information including login locations and times, data-transfer behavior and email message patterns. Anomalies are often a sign that an account is compromised.
An acronym of Cybersecurity Maturity Model Certification.
It is a security framework for Defense Industrial Base contractors to follow. CMMC 2.0 was announced by the Department of Defense in November 2021 and sets forth requirements for safeguarding Controlled Unclassified Information and other regulated data.
A false positive is an alert that incorrectly indicates a vulnerability exists or malicious activity is occurring. These false positives add a substantial number of alerts that need to be evaluated, increasing the noise level for security teams.
False positives may be triggered by a variety of incidents, such as:
The increase of security testing and monitoring tools increases the overall number of alerts security teams receive, which in turn increases the number of false positives coming in to be triaged. These types of security events increase the noise for overburdened security teams, making them more likely to ignore valid security events because they assume they are false positives.
Realistically, security teams cannot and do not need to resolve every single issue exposed by alerts, nor can software development and testing teams analyze each alert. These teams get a high number of alerts and it requires time to investigate each alert. When time-constrained teams continuously receive a high number of alerts, they are more likely to experience alert fatigue and focus on instances where there is a clear issue that needs to be resolved.
False positives increase the likelihood that internal security teams will miss important security events because they believe them to be invalid or simply see too many alerts to investigate each one. False negatives are similarly problematic, because they show that no vulnerability or security issue is present when there actually is a problem that needs to be addressed.
While some number of false positives will be investigated to verify that they do not, in fact, pose a threat to the organization, false negatives are less likely to be investigated as test results appear to indicate that the software is functioning as intended. Both false positives and false negatives can pose a threat to security teams and the organizations they protect.