In web application security, an ideal security system would correctly evaluate all incoming traffic. All legitimate traffic would be allowed, and all hostile traffic would be blocked.
Unfortunately, in the real world, errors sometimes occur. In threat identification, there are two types of errors: false positives and false negatives.
What Are False Negative Alarms?
A false negative occurs when the security system (usually a WAF) fails to identify a threat. It produces a “negative” outcome (meaning that no threat has been observed), even though a threat exists.
This is the opposite of a false positive alarm, where a system mistakenly identifies legitimate traffic as being hostile. Although false positives can be quite harmful, the consequences of false negatives can be even worse.
What Are the Consequences of a False Negative?
A failure to detect an API security attack often means that the attacker will be able to proceed without being hindered. Depending on the skills, persistence, and intentions of the attacker, this can result in anything from a mild inconvenience to a catastrophic system breach. The possible consequences include:
- Data theft: Large-scale data breaches can be disastrous. They can generate tremendous amounts of bad publicity, damage the organization’s reputation in the marketplace and among its customers, create legal liabilities, and result in punitive fines from privacy regulators.
- Loss of intellectual property: A successful infiltration can result in the subsequent exfiltration of trade secrets and other intellectual property. Depending on the industry, this can ruin profit margins or even destroy a previous position of market leadership.
- Ransomware: A successful system penetration can result in the attacker encrypting all of the organization's data and refusing to release it unless a large ransom demand is paid. Ransomware attacks in healthcare are especially common, but this can be a problem in any industry.
How to Reduce False Negatives
Fortunately, there are some strategies that can reduce false negative alarms.
False negatives tend to be produced by security systems that rely exclusively on a negative security model. Under this approach, the system allows all traffic through unless the traffic matches a threat signature or is otherwise identifiable as being hostile. This means that attackers can be successful if they can conduct their attacks so that they do not match common threat patterns or signatures.
This problem can be mitigated by adding an additional layer of positive API security, which makes it much more difficult for attackers to slip through the defenses. Under this approach, the system denies access to all requests except for those that match the characteristics of legitimate, desirable traffic.
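To make the difference between the two models concrete, here is an added example (not code from the original article or from any WAF product) that evaluates a few constructed API requests under a deny-list (negative) check, an allow-list (positive) check, and the two layered together. The signature list, the endpoint schema, and the sample requests are all assumptions made up for the demonstration; the point is that traffic matching no signature is still rejected by the positive layer when it does not look like expected, legitimate traffic.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed, deliberately small deny-list of threat signatures (negative model).
THREAT_SIGNATURES = [
    re.compile(p, re.IGNORECASE)
    for p in (r"<script\b", r"\bunion\s+select\b", r"\.\./")
]

# Constructed allow-list: the only endpoints and parameter formats this API is
# expected to serve (positive model). Anything outside this shape is denied.
ALLOWED_ENDPOINTS: Dict[Tuple[str, str], Dict[str, "re.Pattern[str]"]] = {
    ("GET", "/api/v1/users"): {"id": re.compile(r"[0-9]{1,10}")},
    ("POST", "/api/v1/orders"): {
        "sku": re.compile(r"[A-Z0-9-]{3,20}"),
        "qty": re.compile(r"[1-9][0-9]{0,2}"),
    },
}


@dataclass
class Request:
    method: str
    path: str
    params: Dict[str, str] = field(default_factory=dict)


def negative_model(req: Request) -> Tuple[str, str]:
    """Deny-list: allow everything unless a parameter value matches a known signature."""
    for name, value in req.params.items():
        for sig in THREAT_SIGNATURES:
            if sig.search(value):
                return "block", f"parameter {name} matched signature {sig.pattern!r}"
    return "allow", "no threat signature matched"


def positive_model(req: Request) -> Tuple[str, str]:
    """Allow-list: deny everything unless the request matches an expected endpoint shape."""
    schema = ALLOWED_ENDPOINTS.get((req.method, req.path))
    if schema is None:
        return "block", f"{req.method} {req.path} is not a known endpoint"
    for name, value in req.params.items():
        expected = schema.get(name)
        if expected is None:
            return "block", f"unexpected parameter {name}"
        if not expected.fullmatch(value):
            return "block", f"parameter {name} does not match its expected format"
    return "allow", "request matches endpoint schema"


def layered_decision(req: Request) -> Tuple[str, str]:
    """Negative layer first, then positive layer; both must allow the request."""
    for layer in (negative_model, positive_model):
        verdict, reason = layer(req)
        if verdict == "block":
            return "block", f"{layer.__name__}: {reason}"
    return "allow", "allowed by both layers"


# Constructed sample traffic: one legitimate request, one obvious signature hit,
# and two requests that match no signature but are outside the expected schema.
SAMPLE_REQUESTS = {
    "legitimate": Request("GET", "/api/v1/users", {"id": "42"}),
    "signature_hit": Request("GET", "/api/v1/users", {"id": "<script>"}),
    "unknown_endpoint": Request("GET", "/api/v1/internal/export", {"format": "csv"}),
    "odd_parameter": Request("GET", "/api/v1/users", {"id": "42", "debug": "true"}),
}

if __name__ == "__main__":
    for label, req in SAMPLE_REQUESTS.items():
        print(f"{label:17} negative={negative_model(req)[0]:5} "
              f"positive={positive_model(req)[0]:5} layered={layered_decision(req)[0]}")
```

Running the script shows the negative model allowing both `unknown_endpoint` and `odd_parameter` (false negatives: nothing in them matches a signature), while the positive layer blocks both because they do not fit the documented API. The trade-off is that the allow-list must be kept in step with the real API; an endpoint or parameter that is legitimate but missing from the schema becomes a false positive, which is why positive security is added as a layer on top of the signature model rather than replacing it outright.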
Adding a layer of positive security usually requires the addition of a next-gen WAF to the system, since traditional WAFs tend to be based on a negative security approach. Depending on the solution that is chosen, other benefits can be available as well, such as advanced bot management, UEBA-based security, and more.