Microsoft recently announced that it would allow users to sift through emails flagged as phishing attacks by Exchange Online Protection (EOP). While this new capability for end users to reclaim emails that were accidentally marked as spam or phishing has good intentions, it also highlights email security’s false positive problem. When asked about the new end user triage capability, a Microsoft representative said: "We understand that managing false positives is important to ensuring email is delivered appropriately, and in the past, end-users weren't granted access to the quarantine to view messages."
Email false positives, which are safe emails incorrectly identified as malicious by security solutions, contribute heavily to alert fatigue in cybersecurity. Research from 2018 found that security teams are besieged by 174,000 alerts per week across their security solutions and are able to review and respond to only 6.9 percent of them. There is an increasing realization of SOC burnout within the industry, along with an acknowledgment that false positives are increasing the anxiety and reducing the efficiency of security operations.
The move by Microsoft is beneficial for end users who want to reclaim emails accidentally marked as spam, but it doesn’t solve the security team’s problem if all emails still have to be reviewed before being earmarked as safe. It’s a move that still makes sense for Microsoft because they are not an email security company. Their primary responsibility is to provide a functional and reliable email delivery service; operational security comes later.
CISOs and security leaders, however, have to contend with the false positive problem, recognize email security’s unintentional contribution, and take steps to start redressing the situation.
Why false positives are a problem in email security
Since the vast majority of attacks start with an email (96 percent), email security products bear a vital responsibility to not overload security teams with alerts that don't need their attention. Unfortunately, the opposite has happened over the years, for a multitude of reasons.
Many email security controls are too deterministic
Just analyzing headers, metadata, keywords, or email authentication results (DKIM, DMARC, SPF) often results in one-shot detection of email threats. Since these detection techniques are binary (pass or fail), they often either let bad emails through or keep good emails from getting through.
Security awareness programs have oversensitized end users
Phishing awareness solutions have certainly made a positive impact on their customers’ security preparedness in the face of phishing attacks. However, they end up worsening the false positive problem for the security team when oversensitized end users report emails en masse to the organization’s phishing mailbox.
Phishing response is manual and repetitive
False positives are not only an alert quantity problem, but also a work quality problem for security teams. Triaging and responding to email threats is still more manual and repetitive than it should be; in the case of false positives, this results in security analysts performing work that is both nerve-wracking and menial at once. Security teams are also expected to shoulder a lot of policy creation and upkeep responsibility while using email security solutions; this further eats into their available bandwidth whenever they need to tweak policies in the face of rising false positives.
There are many other false positive drivers we can get into, including the acknowledgement that false positives are never going away completely. Given this reality, let’s now focus on what CISOs and security leaders should keep in mind to contain email false positives and reduce them with time.
Best practices to reduce email false positives
Avoid duplicative detection in your email security stack
Email security is currently straddling the line between legacy solutions that have been around for decades and API-based third-party controls that are built to work better with cloud email. If you have multiple email security solutions, make sure they complement each other instead of duplicating each other (e.g. SEGs and native email security). If two solutions use the same detection techniques, a false positive flagged by the first will also be flagged by the second, doubling the noise without adding any verification.
Build a layered email defense
Once you admit that no security control is infallible, the most logical conclusion is to create layered defenses against email threats rather than relying on one-shot detection. Multiple layers mean multiple verification points for every email, and every false positive, resulting in more accurate threat detection and less alert noise reaching security teams.
Consider in-context user education
While security awareness programs work well for many organizations, CISOs should also consider end user education for real-life suspicious emails to minimize alert fatigue for security teams. In-context education like explanatory email warning banners will sensitize users with relevant examples from their inbox. Some end user triage options (mark as safe, report to phishing mailbox) can also help security teams manage their alert loads better. Balance is key here as you don’t want things swinging too far the other way and for end users to perform all email triage.
Look for email security solutions that explain their detections
While this sounds like an obvious point, security teams often spend time reviewing false positives and searching for more context due to the black box nature of AI-based email threat detection. Look for email security solutions that explain why an email has been flagged as suspicious along with enriched indicators of compromise (IOCs). Having this context readily available will reduce manual investigation and response times.
Ensure that feedback loops capture learnings from false positives
Alert fatigue is not just down to high alert quantity, but also the monotony of performing security tasks that you’ve already performed a thousand times before. Look for security controls that capture feedback from every email threat, including false positives, to fine-tune future detection and remediation. The learnings from this loop should ideally feed back into your layered email defense, ensuring that similar false positives in the future don’t require manual effort for resolution.
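The added example below (not from this article or from Armorblox) illustrates the binary-control problem described under "Many email security controls are too deterministic", the layered scoring argued for under "Build a layered email defense", and the analyst feedback loop from this section. The Authentication-Results values, the weights, the threshold and the sender-history signal are all constructed assumptions for illustration.

```python
import re

# Constructed Authentication-Results header values (not from any real mail flow).
# "forwarded_legit" is a genuine vendor notice relayed through a mailing list:
# SPF breaks on the relay while the vendor's DKIM signature survives.
# "partner_no_dkim" is a legitimate partner that never deployed DKIM or DMARC.
SAMPLE_MESSAGES = {
    "direct_legit": ("vendor.example",
        "mx.example.net; spf=pass smtp.mailfrom=vendor.example; "
        "dkim=pass header.d=vendor.example; dmarc=pass header.from=vendor.example"),
    "forwarded_legit": ("vendor.example",
        "mx.example.net; spf=fail smtp.mailfrom=list.example; "
        "dkim=pass header.d=vendor.example; dmarc=pass header.from=vendor.example"),
    "partner_no_dkim": ("partner.example",
        "mx.example.net; spf=fail smtp.mailfrom=list.example; "
        "dkim=none; dmarc=none header.from=partner.example"),
    "spoofed": ("vendor.example",
        "mx.example.net; spf=fail smtp.mailfrom=bulk.example; "
        "dkim=none; dmarc=fail header.from=vendor.example"),
}

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")

def parse_auth_results(header):
    """Return {"spf": ..., "dkim": ..., "dmarc": ...}; absent methods read as "none"."""
    results = {"spf": "none", "dkim": "none", "dmarc": "none"}
    results.update(dict(AUTH_RE.findall(header)))
    return results

def binary_verdict(auth):
    """One-shot rule: a single SPF failure is treated as conclusive."""
    return "quarantine" if auth["spf"] == "fail" else "deliver"

# Assumed weights: DMARC failure weighs most because it checks alignment with the
# From: domain; a missing or failed DKIM signature weighs more than an SPF break,
# which forwarding alone can cause.
WEIGHTS = {("spf", "fail"): 1, ("dkim", "none"): 2, ("dkim", "fail"): 2,
           ("dmarc", "fail"): 3}

def layered_verdict(auth, from_domain, known_senders, threshold=3):
    """Combine several independent signals into a score, then apply a threshold."""
    score = sum(WEIGHTS.get(signal, 0) for signal in auth.items())
    if auth["dkim"] == "pass" and auth["dmarc"] == "pass":
        score -= 1  # aligned signature: the From: domain really did sign this mail
    if from_domain in known_senders:
        score -= 1  # history of legitimate mail from this domain (assumed signal)
    return ("quarantine" if score >= threshold else "deliver"), score

def learn_from_false_positive(known_senders, from_domain):
    """Feedback loop: an analyst's false-positive decision lowers future scores."""
    known_senders.add(from_domain)
    return known_senders
```

Run against the samples, the SPF-only rule quarantines both legitimate relayed messages, while the layered score delivers the forwarded vendor mail, quarantines the spoof, and after one analyst correction stops flagging the partner domain.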
The high-quantity and multi-faceted nature of email attacks means that false positives will always be something email security needs to contend with. CISOs can contain false positives by adopting a layered defense, investing in complementary detection approaches, tweaking security awareness processes, and using email security that learns from manual actions.
Arjun Sambamoorthy, Co-founder and Head of Engineering, Armorblox