False positive SIEM alerts


#1

I have a question regarding false positive SIEM alerts. How long, on average, does it take for an analyst to manually triage an alert?


#2

The answer to that question really depends on the culture of the organisation that the analyst works in. For example, I had a client where the SIEM was generating humongous amounts of false positive authentication failures, and the security consultancy that was working with the client to get their SIEM up never at any point mentioned it; this was over a 6 month period. The failures were due to the layer two authentication order for the Ethernet (Dot1Q 1st, MAB 2nd), so all the phones and printers and anything else not capable of PKI at layer 2 cut an error against Dot1Q. These were just legitimate devices wanting to use MAB.

What's needed here is a shared responsibility model like all the cloud players use for their security, which is: the provider is responsible for the infrastructure security and the client is responsible for the security of the data. But in the case of SIEM through a partner etc., the client has a responsibility to weed out these false positives as well. There is a shared responsibility; nobody knows the network better than the people who are actually responsible for it.

In this case it was an easy fix at layer 2: either dedicate a switch to all the MAB devices or just change the authentication order port by port.

It seems to be a recurring theme in this industry: companies don't do the basics well enough. In security terms they've got a big padlock on the front door, but the windows are left wide open.
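An added example (not part of the thread above) of the SIEM-side tuning the answer implies: correlate each port-authentication failure with a later MAB success on the same switch, port and MAC, and only alert on failures that never fell back. The log format, hostnames, MACs and the 60-second fallback window are all constructed for the example and are not any vendor's real format.

```python
# Added example: suppress "dot1x failed, then MAB succeeded" false positives.
# Assumed constructed log format: "timestamp method result switch port mac".
from collections import defaultdict
from datetime import datetime, timedelta

FALLBACK_WINDOW = timedelta(seconds=60)  # assumption: MAB follows within 60 s

# Constructed sample events: two MAB-only devices (phone, printer) fall back
# cleanly; one MAC on sw2 fails dot1x twice and never authenticates at all.
SAMPLE_LOG = """\
2024-05-01T08:00:00 dot1x FAIL sw1 Gi1/0/5 00:11:22:33:44:55
2024-05-01T08:00:05 mab SUCCESS sw1 Gi1/0/5 00:11:22:33:44:55
2024-05-01T08:00:10 dot1x FAIL sw1 Gi1/0/6 00:11:22:33:44:66
2024-05-01T08:00:12 mab SUCCESS sw1 Gi1/0/6 00:11:22:33:44:66
2024-05-01T08:01:00 dot1x FAIL sw2 Gi1/0/1 aa:bb:cc:dd:ee:ff
2024-05-01T08:05:00 dot1x FAIL sw2 Gi1/0/1 aa:bb:cc:dd:ee:ff
"""


def parse(log):
    """Split each line into (timestamp, method, result, switch, port, mac)."""
    events = []
    for line in log.splitlines():
        ts, method, result, switch, port, mac = line.split()
        events.append((datetime.fromisoformat(ts), method, result, switch, port, mac))
    return events


def triage(log, window=FALLBACK_WINDOW):
    """Return (raw_failures, alerts). `alerts` keeps only dot1x failures that
    were NOT followed by a MAB success on the same switch/port/MAC within
    `window`; those are the ones an analyst still needs to look at."""
    events = parse(log)
    mab_ok = defaultdict(list)  # (switch, port, mac) -> MAB success timestamps
    for ts, method, result, switch, port, mac in events:
        if method == "mab" and result == "SUCCESS":
            mab_ok[(switch, port, mac)].append(ts)
    raw, alerts = 0, []
    for ts, method, result, switch, port, mac in events:
        if method != "dot1x" or result != "FAIL":
            continue
        raw += 1
        fell_back = any(ts <= t <= ts + window for t in mab_ok[(switch, port, mac)])
        if not fell_back:
            alerts.append((ts.isoformat(), switch, port, mac))
    return raw, alerts


if __name__ == "__main__":
    raw, alerts = triage(SAMPLE_LOG)
    print(f"{raw} raw failures, {len(alerts)} left after tuning: {alerts}")
```

On the sample log this drops the four raw failures to the two from the device that never authenticated.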