THE HIDDEN COSTS OF FALSE POSITIVES IN ENDPOINT DETECTION AND RESPONSE
In today’s complex cybersecurity environment, Endpoint Detection and Response (EDR) tools are critical in protecting organisations from malicious threats. However, it is essential to acknowledge that every EDR or security tool has imperfections.

Those of us who work in cybersecurity understand that no tool, process, methodology, or solution is free of issues. Among these issues, false positives are particularly impactful for Security Operations Centres (SOCs) and EDR capabilities.
UNDERSTANDING FALSE POSITIVES

False positives occur when EDR tools mistakenly flag legitimate and occasionally business-critical processes as malicious. This often happens due to behavioural indicators, such as:

• Making edits to the registry
• Injecting code into another process
• Registering itself to autorun on startup (a potential sign of persistence)
• Performing low-level tasks with network adapters

While potentially indicative of malicious behaviour, these activities can also be part of legitimate software operations. When EDR tools misinterpret these signals, they can take actions that disrupt normal business operations – the opposite of what we need them to do.

REAL-WORLD IMPLICATIONS

The consequences of false positives can be severe. For instance, if a legitimate corporate VPN agent on an endpoint is flagged due to suspicious network activity and the process is subsequently killed, internet access would likely be terminated to that host. If this issue were replicated across an estate, possibly due to a faulty agent update, the impact could be as significant as the recent global IT outage.

In late 2021, Microsoft Defender generated a series of false positives across its customer base. Supporting files for the Office 365 suite were flagged as malicious, specifically related to print jobs and Azure sensitivity labels. This heightened sensitivity to the Emotet malware family was likely due to increased malicious activity from that group. As a result, organisations could not open any Microsoft Office products until a fix was provided.

Similarly, Malwarebytes faced a significant issue in late 2021 when its web filtering component flagged Google-related domains, including YouTube, as malicious and blocked access to those websites. Alongside the blocking came a barrage of malware notifications that triggered in tandem. Users had to turn off real-time protection to access the flagged domains until Malwarebytes rolled out a fix.
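To make the four behavioural indicators and the killed-VPN-agent scenario concrete, here is an added toy rule engine (illustration only, not code from the article or from any EDR product). The event fields, the indicator names and the vetted-publisher allowlist are assumptions; it contrasts a policy that kills on any single indicator with one that requires stacked indicators and demotes vetted, signed software to alert-only.

```python
"""Toy EDR verdict logic illustrating the false-positive failure mode.
Added example; event schema, indicator keys and the allowlist are constructed."""
from dataclasses import dataclass, field
from typing import Optional, Set

# The four behavioural indicators named in the article, keyed for rule matching.
INDICATORS = {
    "registry_write": "Making edits to the registry",
    "process_injection": "Injecting code into another process",
    "autorun_registration": "Registering itself to autorun on startup",
    "network_adapter_lowlevel": "Performing low-level tasks with network adapters",
}

# Hypothetical allowlist of code-signing publishers the SOC has vetted (constructed).
TRUSTED_PUBLISHERS = {"Example Corp VPN Ltd"}


@dataclass
class ProcessEvent:
    image: str                     # process image name
    signer: Optional[str]          # code-signing publisher, None if unsigned
    indicators: Set[str] = field(default_factory=set)


def naive_verdict(ev: ProcessEvent) -> str:
    """Kill on any single indicator: the policy that terminates the VPN agent."""
    return "kill" if ev.indicators & set(INDICATORS) else "allow"


def contextual_verdict(ev: ProcessEvent, min_indicators: int = 2) -> str:
    """Require stacked indicators, and never auto-kill a vetted publisher.
    A vetted publisher still raises an alert for analysts, but the host keeps
    its business-critical process (and, for a VPN agent, its connectivity)."""
    hits = ev.indicators & set(INDICATORS)
    if not hits:
        return "allow"
    if ev.signer in TRUSTED_PUBLISHERS:
        return "alert"  # investigate, do not disrupt
    return "kill" if len(hits) >= min_indicators else "alert"


# Constructed sample telemetry: a legitimate VPN agent and an unsigned binary.
VPN_AGENT = ProcessEvent("vpnagent.exe", "Example Corp VPN Ltd",
                         {"network_adapter_lowlevel", "autorun_registration"})
UNSIGNED_DROPPER = ProcessEvent("update.tmp", None,
                                {"process_injection", "autorun_registration",
                                 "registry_write"})
```

Swapping the allowlist for a reputation or hash-based exclusion list is the same idea; the point is that a blocking action should need more context than one behavioural match.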
ADARMA CYBER INSIDERS | 21