1
00:00:07,010 --> 00:00:09,410
- [Instructor] The term false positive is a broad term

2
00:00:09,410 --> 00:00:10,910
that describes a situation

3
00:00:10,910 --> 00:00:14,370
in which a security device triggers an alarm,

4
00:00:14,370 --> 00:00:16,150
but there's actually no malicious activity

5
00:00:16,150 --> 00:00:18,840
or an actual attack taking place.

6
00:00:18,840 --> 00:00:20,237
So in other words,

7
00:00:20,237 --> 00:00:23,120
actually false positives are basically just false alarms.

8
00:00:23,120 --> 00:00:26,300
And they're also called benign triggers, right?

9
00:00:26,300 --> 00:00:28,615
Now, false positives are very problematic

10
00:00:28,615 --> 00:00:33,070
and this is because by triggering unjustified alerts,

11
00:00:33,070 --> 00:00:36,381
you can actually diminish the value and urgency

12
00:00:36,381 --> 00:00:37,944
of real alerts, right?

13
00:00:37,944 --> 00:00:39,580
So if you have too many false positives to investigate,

14
00:00:39,580 --> 00:00:42,520
it becomes an operational nightmare

15
00:00:42,520 --> 00:00:46,363
and you most definitely will overlook real security events.

16
00:00:47,340 --> 00:00:49,290
There are also false negatives

17
00:00:49,290 --> 00:00:52,570
and a false negative is a term used to describe

18
00:00:52,570 --> 00:00:53,876
a network intrusion

19
00:00:53,876 --> 00:00:58,876
and a device's inability to detect true security events

20
00:00:59,923 --> 00:01:03,400
under certain circumstances, in other words,

21
00:01:03,400 --> 00:01:06,120
a malicious activity that is actually not being detected

22
00:01:06,120 --> 00:01:07,620
by a security device, right,

23
00:01:07,620 --> 00:01:10,600
or a security solution or software.

24
00:01:10,600 --> 00:01:15,130
A true positive is a successful identification

25
00:01:15,130 --> 00:01:17,960
of a security attack or a malicious event.

26
00:01:17,960 --> 00:01:22,400
So there's false positives, false negatives,

27
00:01:22,400 --> 00:01:25,370
true positives, and also true negatives

28
00:01:25,370 --> 00:01:27,464
and a true negative is whenever

29
00:01:27,464 --> 00:01:31,000
the intrusion detection device or the security device

30
00:01:31,000 --> 00:01:33,843
identifies an activity as acceptable behavior

31
00:01:33,843 --> 00:01:37,270
and the activity is actually acceptable, right?

32
00:01:37,270 --> 00:01:40,620
So that's actually a true negative.

33
00:01:40,620 --> 00:01:44,150
Now, traditional IDS and traditional IPS devices

34
00:01:44,150 --> 00:01:46,290
need to be tuned

35
00:01:46,290 --> 00:01:49,410
to avoid a lot of false positives and false negatives.

36
00:01:49,410 --> 00:01:50,243
Right?

37
00:01:50,243 --> 00:01:53,410
One of the beauties of next-generation IPS

38
00:01:53,410 --> 00:01:56,980
is actually that they do not need the same level of tuning

39
00:01:56,980 --> 00:01:58,870
as traditional IPS

40
00:01:58,870 --> 00:02:01,750
and you can obtain much deeper reports and functionality,

41
00:02:01,750 --> 00:02:05,360
including things like advanced malware protection

42
00:02:05,360 --> 00:02:06,867
and retrospective analysis

43
00:02:06,867 --> 00:02:10,180
to see what actually happened after an attack took place.

44
00:02:10,180 --> 00:02:13,780
And we covered some of these in previous lessons, right?

45
00:02:13,780 --> 00:02:16,950
Now, traditional IDS and IPS devices

46
00:02:16,950 --> 00:02:19,980
also suffer from many evasion attacks, right?

47
00:02:19,980 --> 00:02:23,528
Here are some of the most common evasion techniques

48
00:02:23,528 --> 00:02:26,770
against traditional IDS and IPS devices.

49
00:02:26,770 --> 00:02:29,180
That includes things like fragmentation,

50
00:02:29,180 --> 00:02:34,100
using low-bandwidth attacks, address spoofing and proxying,

51
00:02:34,100 --> 00:02:38,400
pattern change evasions, and also encryption, right?

52
00:02:38,400 --> 00:02:42,280
Encryption can be problematic, both for evasion

53
00:02:42,280 --> 00:02:45,770
and secondly, of course, to be able to actually analyze

54
00:02:45,770 --> 00:02:48,793
the data within your organization.