Addressing Email Security's False Positive Problem


Arjun Sambamoorthy

How are your phishing incident response efforts? Learn more about email security’s false positive problem and help your organization contain it.

The original version of this article was published on ITProPortal.

Microsoft recently announced that it would allow users to sift through emails flagged as phishing attacks by Exchange Online Protection (EOP). While this new capability for end-users to reclaim emails accidentally marked as spam or phishing has good intentions, it also highlights email security’s false positive problem.

Effective phishing incident response is often thwarted by email false positives – safe emails incorrectly identified as malicious by security solutions. In addition, email false positives contribute heavily to alert fatigue in cybersecurity. Research from 2018 found that security teams are besieged by 174,000 alerts per week across their security solutions. Unfortunately, they can only review and respond to 6.9% of them.

There is an increasing realization of SOC (security operations center) burnout within the industry, along with an acknowledgment that false positives increase anxiety and reduce security operations’ efficiency.

The move by Microsoft is beneficial for end-users who want to reclaim emails accidentally marked as spam. Still, it doesn’t solve the security team’s problem if they must review all emails before earmarking them as safe.

It’s a move that still makes sense for Microsoft because they are not an email security company. Instead, their primary responsibility is to provide a functional and reliable email delivery service; operational security comes later.

CISOs and security leaders, however, have to contend with the false positive problem. They must also recognize email security’s unintentional contribution and take steps to start redressing the situation.

Why False Positives Are a Problem In Email Security

Since 96% of phishing attacks start with an email, email security products bear a vital responsibility to shield security teams from unnecessary alerts. Unfortunately, the opposite has happened over the years for many reasons.

Many email security controls are too deterministic

Analyzing headers, metadata, keywords, or email authentication results (DKIM, DMARC, SPF) often ends in one-shot detection of email threats. Unfortunately, since these detection techniques are binary, they often let bad emails go or keep good emails from getting through.

Security awareness programs have oversensitized end users

Phishing awareness solutions have certainly impacted their customers’ phishing incident response positively. However, they worsen the false positive problem for security teams when oversensitized end-users report emails en masse to the organization’s abuse mailbox.

Phishing response is manual and repetitive

False positives are an alert quantity problem and a work quality problem for security teams. Triaging and responding to email threats is still more manual and repetitive than it should be.

In the case of false positives, this results in security analysts performing work that is both nerve-wracking and menial at once. Security teams often shoulder policy creation and upkeep while using basic email security solutions. This adds additional burdens that further eat into their available bandwidth.

Create a Phishing Incident Response Plan

Let’s face it: false positives are never going away completely. Let’s focus on what CISOs and security leaders should do to contain email false positives and reduce them over time.

Avoid duplicate detection in your email security stack

Email security is currently straddling the line between decades-old legacy solutions and API-based third-party controls that work better with cloud email. If you have multiple email security solutions, make sure they complement each other instead of duplicating efforts (e.g., secure email gateways (SEGs) and native email security).

If you have duplicate detection techniques, false positives flagged by the first solution will also be flagged by the second solution.

Build a layered email defense

Once you understand that no security control is infallible, creating a layered defense against email threats rather than relying on one-shot detection is your best option. Multiple layers mean verification points for every email and false positive, resulting in more accurate threat detection and less alert noise reaching security teams.

Consider in-context user education

While security awareness training works well for many organizations, CISOs should also consider end-user education to minimize alert fatigue for security teams. Contextual education, like explanatory email warning banners, will sensitize users with relevant examples from their inboxes.

Some end-user triage options (mark as safe, report to phishing mailbox) can also help security teams manage their alert loads. Balance is vital, and having end-users perform all email triage is not the answer either.

Look for email security solutions that explain their detections

Security teams often review false positives and search for more context due to the black box nature of AI-based email threat detection.

Look for email security solutions that explain why the system flags an email as suspicious along with enriched indicators of compromise (IOCs). Having this context readily available will reduce manual investigation and response times.

Ensure that feedback loops capture learnings from false positives

Alert fatigue is not just down to high alert quantity but also the monotony of performing security tasks you’ve performed a thousand times before. Look for security controls that capture feedback from every email threat, including false positives, to fine-tune future detection and remediation.

Ideally, the learnings from this loop should feed back into your layered email defense, ensuring that similar false positives don’t require manual effort for resolution.
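To make the contrast between a one-shot binary control, a layered verdict that explains itself, and a feedback loop that learns from analyst "false positive" decisions concrete, here is an added example. It is illustration code written for this article, not Armorblox code or any product's detection logic; the weights, thresholds, the simplified authentication-result fields and both sample messages are constructed assumptions.

```python
"""Layered, explainable email scoring with an analyst feedback loop (illustration only)."""
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlparse

# Constructed assumption: subject terms that add weight, never a verdict on their own.
URGENCY_TERMS = ("urgent", "immediately", "expires today", "action required")


@dataclass
class Email:
    sender: str
    spf: str            # simplified Authentication-Results: "pass" | "fail" | "none"
    dkim: str
    dmarc: str
    subject: str
    urls: List[str] = field(default_factory=list)
    reply_to: str = ""


@dataclass
class Verdict:
    score: int
    action: str         # "deliver" | "warn" | "quarantine"
    reasons: List[str]  # the explanation an analyst sees next to the alert


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def host_matches(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def one_shot_dmarc(email: Email) -> str:
    """The binary control: DMARC pass delivers, anything else blocks.
    Forwarded or mailing-list mail with a broken signature becomes a false positive,
    while a lookalike domain the attacker controls passes cleanly."""
    return "deliver" if email.dmarc == "pass" else "block"


class FeedbackStore:
    """Records analyst 'false positive' verdicts per sender and turns them into a score discount."""

    def __init__(self) -> None:
        self.false_positives: Dict[str, int] = {}

    def record_false_positive(self, sender: str) -> None:
        key = sender.lower()
        self.false_positives[key] = self.false_positives.get(key, 0) + 1

    def adjustment(self, sender: str) -> int:
        # Constructed weights: -20 per prior verdict, capped so a sender never becomes untouchable.
        return -min(20 * self.false_positives.get(sender.lower(), 0), 40)


def score_email(email: Email, feedback: FeedbackStore) -> Verdict:
    score, reasons = 0, []
    sender_domain = domain_of(email.sender)

    # Layer 1: authentication results contribute weight instead of deciding alone.
    if email.dmarc == "fail":
        score += 35; reasons.append("DMARC fail")
    elif email.dmarc == "none":
        score += 10; reasons.append("no DMARC policy for sender domain")
    if email.spf == "fail":
        score += 10; reasons.append("SPF fail")
    if email.dkim == "fail":
        score += 10; reasons.append("DKIM signature invalid")

    # Layer 2: content and structure checks that authentication cannot see.
    if any(term in email.subject.lower() for term in URGENCY_TERMS):
        score += 15; reasons.append("urgency language in subject")
    if any(not host_matches(urlparse(u).hostname or "", sender_domain) for u in email.urls):
        score += 25; reasons.append("link host does not belong to sender domain")
    if email.reply_to and domain_of(email.reply_to) != sender_domain:
        score += 20; reasons.append("Reply-To domain differs from sender domain")

    # Layer 3: analyst feedback from earlier false positives on this sender.
    prior = feedback.false_positives.get(email.sender.lower(), 0)
    if prior:
        score += feedback.adjustment(email.sender)
        reasons.append(f"{prior} prior analyst false-positive verdict(s) for sender")

    action = "quarantine" if score >= 60 else "warn" if score >= 30 else "deliver"
    return Verdict(score, action, reasons)


# Constructed sample 1: a vendor newsletter relayed through a mailing list. SPF breaks on
# forwarding and the DKIM signature is the list's, not the vendor's, so DMARC is not aligned.
NEWSLETTER = Email("news@vendor-example.com", spf="fail", dkim="pass", dmarc="fail",
                   subject="Monthly product update", urls=["https://vendor-example.com/updates"])

# Constructed sample 2: a lookalike domain the sender fully controls, so every auth check passes.
LOOKALIKE = Email("it-helpdesk@corp-example-support.com", spf="pass", dkim="pass", dmarc="pass",
                  subject="Action required: your password expires today",
                  urls=["https://secure-login-example.net/reset"],
                  reply_to="collector@mailbox-example.org")

if __name__ == "__main__":
    fb = FeedbackStore()
    for msg in (NEWSLETTER, LOOKALIKE):
        print(msg.sender, "one-shot:", one_shot_dmarc(msg), "layered:", score_email(msg, fb))
    fb.record_false_positive(NEWSLETTER.sender)   # analyst resolves the newsletter as a false positive
    print("after feedback:", score_email(NEWSLETTER, fb))
```

Run it and the newsletter, which the one-shot DMARC rule blocks outright, only earns a warning banner from the layered scorer, and after one analyst false-positive verdict it is delivered without further review; the lookalike message, which the one-shot rule delivers, is quarantined with a reason list the analyst can read directly.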

The quantity and multi-faceted nature of email attacks mean that false positives will always be something email security will contend with. However, CISOs can contain false positives by adopting a layered defense as part of their phishing incident response:

  • Invest in complementary detection approaches
  • Tweak security awareness processes
  • Use email security that learns from manual actions

If you’d like more insight on email security trends and real-life examples of targeted email attacks, subscribe to email updates from Armorblox below.
