The Economics Of False Positives

Presented at DeepSec 2013 „Secrets, Failures, and Visions“, Unknown date/time (Unknown duration)

The topic of false positives within IDS, in fact within any computer related field, has been discussed from a technical perspective on a number of occasions. It is true that abuse of false positives could be used to perform denial of service (DoS) attacks, also that they can be weaponised and used as an attack vector. My brother in arms Finux even recently discussed how false positives can be used to enumerate an IDS system. This is all great, but the problem is that this rarely (never?) translates into the facts and figures that management require in order to decide that false positives are indeed a problem that have a tangible cost impact on the business. As it stands, the only people talking figures are the sales staff of IDS vendors, and the figure they like to talk about is throughput. According to one vendor site, the question (and it seems, the ONLY question) is finding an IPS appliance with exactly the right throughput for your network. We, as defenders, then ask why management are basing buying decisions on same said throughput figures and not the scary, uber-technical jargon we give them. Well, now it's time to harden up and give management what they want, so ultimately we can get our own way. This talk will bridge the gap between all of us 'geek' types (a group of which I am firmly a member) and the aforementioned management types (a group which people seem to think I belong in!). Taking false positive figures from a number of real business entities ranging in size and business area (don't worry, they're anonymised), the aim of this talk is to arm my fellow hackers and testers with the knowledge and, more importantly, the language to put a case forward to the powers that hold the purse strings within our business and ask 'Can I have X amount of budget to mitigate our false positive problem that is costing Y?'

Presenters:

  • Gavin Ewan / Jac0byterebel - Alba13 Research Labs   as Gavin 'Jac0byterebel' Ewan
    Gavin ‘Jac0byterebel' Ewan is a ranty, shouty, sweary Scottish hacker. After selling lots of things to lots of people, he decided to get firmly into the field of information security, always having been a geek at heart. Educated in psychology and economics, Gavin spends his time debunking social engineering myths (the psychology bit) and working out ways to sell infosec to management types (the economics bit) Already a successful speaker, Gavin has delivered talks worldwide to various audiences.

Links:

Similar Presentations: