Cybersecurity: When we talk about the confusion matrix
Confusion Matrix The Confusion Matrix is a table that summarizes the number of true and false predictions made by a classifier. It is used to measure the performance of a classification model. It can be used to assess the performance of a classification model by calculating performance indicators such as accuracy, precision, recall, and F1 score. If you are working with an unbalanced dataset, you had better use the confusion matrix as the endpoint for your machine learning model.
Understanding the Confusion Matrix:
Here are the basic terms that will help us identify the metrics we are looking for.
True Positives(TP): when the actual value is positive and the prediction is also positive.
True negatives (TN): when the actual value is Negative and the prediction is also Negative.
False Positives (FP): when the actual value is negative but the predicted value is positive. Also known as Type 1 error.
False Negatives (FN): When the actual value is positive but the prediction is negative. Also known as type 2 error.
For the binary classification problem we will have a 2 x 2 matrix as shown below with 4 values:
What You Need to Know About False Positives and False Negatives
The difference between false positives and false negatives and how they relate to cybersecurity is important to anyone working in the information security field. Why? Investigating false positives wastes time and resources, and distracts your team from the real network issues (warnings) that are coming from your SIEM.
On the other hand, ignoring false negatives (unprotected threats) increases your cyber risk, reduces your ability to respond to such attackers, and in the event of a hardware data breach, may result in your business being terminated.
What is a False Positive?
A false positive is an incorrectly flagged security alert, indicating that there is a threat, but it does not actually exist. These false/non-malicious alerts (SIEM incidents) increase the noise of overworked security teams and may include software errors, misspelled software, or unrecognized network traffic.
By default, most security teams are accustomed to ignoring false positives. Unfortunately, this practice of ignoring security alerts, no matter how trivial they may seem, can cause alert fatigue and cause your team to miss important alerts related to real/malicious cyber threats (as in the case of a Target data breach. ).
These false alarms account for about 40% of the alerts cybersecurity teams receive every day. In large organizations, these false alerts can be overwhelming and time-consuming.
What is a False Negative?
False negatives are undiscovered cyber threats, ignored by security tools because they are inactive, highly complex (i.e. have no files or can move laterally), or the appropriate security infrastructure lacks the technical capabilities to detect these attacks .
These advanced / stealth cyberthreats can bypass prevention technologies such as next-generation firewalls, antivirus software, and endpoint detection and response (EDR) platforms capable of finding “known” attacks and malware.
No network security or data leak prevention technology can prevent 100% of the threats they encounter. False positives account for 1% (roughly) of malicious software and cyber threats, and most prevention methods are easy to miss.
Strengthening cyber security posture
The presence of false negatives and false positives asks the following questions: Does your cybersecurity strategy include proactive measures? Most security programs rely on preventative and responsive components. — Build strong defenses against attacks that you know the tool exists for. Proactive security measures, on the other hand, include implementing accident response policies and procedures to proactively hunt hidden / unknown attacks.
Thank you for reading
I hope you’ll like it…
If you want to connect me, here’s the LinkedIn URL-
