False positives are the scourge of the security industry. Investigating threats that turn out to be harmless wastes a security professional's limited time and makes an organization less secure. Time spent looking into what turns out to be a phantom threat could have been better spent investigating alerts that truly pose a danger to an enterprise. Additionally, the more false positives security analysts encounter, the more likely they are to become desensitized to security alerts, causing them to overlook alarms on legitimate threats.
We realize security teams lack the time and resources to research every threat, which is why Cybereason is designed to have a low false positive rate.
To accomplish this, Cybereason approaches security incidents from a different perspective. Our technology lets us avoid treating security incidents as isolated events. To us, security incidents need to be viewed in the context of what else is happening across your entire IT environment. Our technology gives us the ability to see everything going on across that environment, continuously and in real time. When Cybereason finds any atypical data that is significant to the detection process, it is marked as evidence. This is akin to a security analyst having a hunch.
As soon as an activity marked as evidence shows signs of progressing to a suspicion (a Cybereason term that means an incident looks odd, but isn't a full-blown attack), the system links suspicions together until a complete attack story is formed. This story shows the attack's timeline, root cause, affected machines and impacted users.
Treating each suspicion as part of a larger malicious operation instead of an isolated event reduces the number of threats a security team has to investigate. And fewer threats to investigate means fewer chances of encountering a false positive.
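As an added illustration of the three stages described above (evidence, suspicion, attack story), here is a small correlator written for this article. It is not Cybereason's code, and the detection rules, the two-evidence threshold, the 600-second window, the event fields and the sample telemetry are all constructed assumptions chosen to show the mechanism: isolated evidence never reaches an analyst, a host with several corroborating pieces of evidence becomes a suspicion, and suspicions that share an indicator (a common destination or a lateral logon target) are merged into one story with a timeline, root cause, affected machines and impacted users.

```python
from collections import defaultdict

# Constructed sample telemetry (not real data). ts is seconds; the fields
# mimic typical endpoint process, network-connection and logon records.
EVENTS = [
    {"ts": 100, "host": "ws-01", "user": "alice", "type": "process",
     "parent": "winword.exe", "image": "powershell.exe", "cmd": "-enc SQBFAFgA"},
    {"ts": 105, "host": "ws-01", "user": "alice", "type": "netconn",
     "image": "powershell.exe", "dst": "203.0.113.7"},
    {"ts": 110, "host": "ws-01", "user": "alice", "type": "process",
     "parent": "explorer.exe", "image": "chrome.exe", "cmd": ""},
    {"ts": 200, "host": "ws-01", "user": "alice", "type": "logon",
     "target_host": "srv-02"},
    {"ts": 210, "host": "srv-02", "user": "alice", "type": "process",
     "parent": "services.exe", "image": "psexesvc.exe", "cmd": ""},
    {"ts": 215, "host": "srv-02", "user": "alice", "type": "netconn",
     "image": "psexesvc.exe", "dst": "203.0.113.7"},
    # A lone odd connection on another host: evidence, but never a suspicion.
    {"ts": 900, "host": "ws-09", "user": "bob", "type": "netconn",
     "image": "chrome.exe", "dst": "198.51.100.4"},
]

# Assumed, simplified detection rules and baseline (hypothetical values).
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}
REMOTE_SVC_IMAGES = {"psexesvc.exe"}
KNOWN_GOOD_DST = {"192.0.2.10"}   # constructed allow-list of expected destinations
WINDOW = 600                      # seconds within which evidence on one host corroborates

def mark_evidence(events):
    """Stage 1: flag atypical records as evidence (the analyst's 'hunch')."""
    evidence = []
    for e in events:
        tags = []
        if e["type"] == "process":
            if e["parent"] in OFFICE_APPS and e["image"] in SHELLS:
                tags.append("office_spawned_shell")
            if e["image"] in SHELLS and "-enc" in e["cmd"].lower():
                tags.append("encoded_command")
            if e["image"] in REMOTE_SVC_IMAGES:
                tags.append("remote_service_exec")
        elif e["type"] == "netconn" and e["dst"] not in KNOWN_GOOD_DST:
            tags.append("unbaselined_destination")
        elif e["type"] == "logon":
            tags.append("remote_logon")
        evidence.extend({**e, "evidence": t} for t in tags)
    return evidence

def raise_suspicions(evidence, window=WINDOW):
    """Stage 2: a host with at least two distinct evidence types inside the
    window becomes a suspicion; a single piece of evidence is never surfaced."""
    by_host = defaultdict(list)
    for ev in sorted(evidence, key=lambda x: x["ts"]):
        by_host[ev["host"]].append(ev)
    suspicions = []
    for host, evs in by_host.items():
        for i, first in enumerate(evs):
            cluster = [x for x in evs[i:] if x["ts"] - first["ts"] <= window]
            if len({x["evidence"] for x in cluster}) >= 2:
                suspicions.append({"host": host, "evidence": cluster})
                break
    return suspicions

def _indicators(s):
    """Pivot keys on which two suspicions may be linked into one operation."""
    keys = {("host", s["host"])}
    for ev in s["evidence"]:
        if "dst" in ev:
            keys.add(("dst", ev["dst"]))
        if ev["type"] == "logon":
            keys.add(("host", ev["target_host"]))   # lateral movement target
    return keys

def build_stories(suspicions):
    """Stage 3: union suspicions that share an indicator; emit one story each."""
    parent = list(range(len(suspicions)))
    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i
    seen = {}
    for i, s in enumerate(suspicions):
        for k in _indicators(s):
            if k in seen:
                parent[find(i)] = find(seen[k])
            else:
                seen[k] = i
    groups = defaultdict(list)
    for i, s in enumerate(suspicions):
        groups[find(i)].append(s)
    stories = []
    for members in groups.values():
        timeline = sorted((ev for s in members for ev in s["evidence"]),
                          key=lambda x: x["ts"])
        root = timeline[0]   # earliest corroborated evidence is the root cause
        stories.append({
            "root_cause": f'{root["evidence"]} on {root["host"]} at t={root["ts"]}',
            "machines": sorted({s["host"] for s in members}),
            "users": sorted({ev["user"] for ev in timeline}),
            "timeline": [(ev["ts"], ev["host"], ev["evidence"]) for ev in timeline],
        })
    return stories

def investigate(events=EVENTS):
    """Run the full evidence -> suspicion -> story pipeline."""
    return build_stories(raise_suspicions(mark_evidence(events)))

if __name__ == "__main__":
    for story in investigate():
        print(story)
```

Running it on the sample telemetry yields a single story spanning ws-01 and srv-02 rooted in the Office-spawned shell, while the solitary unbaselined connection on ws-09 stays as evidence and is never raised to the analyst. Linking is deliberately restricted to specific pivots (shared destination, lateral logon target) rather than anything as broad as a shared username, which in a real environment would merge unrelated activity.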
Lital Asher-Dotan is Cybereason's marketing director.