Skip to main content

Security teams face blizzard of false alerts

(Image credit: Shutterstock / Gorodenkoff)

As security teams try to manage a vast enterprise real estate of websites and applications, they are drowning in false positive alerts. These unreliable vulnerability reports cost organizations hundreds of thousands of dollars every year.

This is according to a new report from application security company Invicti Security. Pulling six years worth of data from its security solutions, the company found that the average security team manages more than 500 websites and applications, each of which generates an average of 20 vulnerability reports a year. That brings the number of possible vulnerabilities that need validating to 10,000 per annum.

With many alerts being false positives, the image becomes clear. It takes a team an hour to manually investigate a vulnerability on average, which means they spend almost 10,000 hours a year analyzing unreliable reports. Translated into financial terms, enterprises lose as much as half a million dollars every year, Invicti says.

To make matters worse, as they spend time on manually verifying possible vulnerabilities, security teams are drawn away from actual problems. 

These findings are in line with a similar report, published by security company Deep Instinct. Polling 600  IT and cybersecurity professionals this June, the company found that IT teams usually spend a quarter of the working week (10 hours) addressing false positives.

False positives happen when cybersecurity tools spot potentially dangerous network or app behavior, which turns out to be benign. Lately, many IT teams have been adding multiple new tools to their arsenal, but this has contributed to serious alert fatigue, which is a risk in itself.

Sead Fadilpašić is a freelance tech writer and journalist with more than 17 years experience writing technology-focussed news, blogs, whitepapers, reviews, and ebooks. And his work has featured in online media outlets from all over the world, including Al Jazeera Balkans (where he was a Multimedia Journalist), Crypto News, TechRadar Pro, and IT Pro Portal, where he has written news and features for over five years. Sead's experience also includes writing for inbound marketing, where he creates technology-based content for clients from London to Singapore. Sead is a HubSpot-certified content creator.