
False Positive vs. False Alert

It is important to differentiate these two, since they have significantly different implications and solutions.

False Positive

A False Positive occurs when an inspection tool makes an incorrect classification or conclusion. The obvious manifestation of this is a benign file being flagged as malicious, but it can manifest in many different ways depending on the tool, what is being inspected, and how that inspection takes place. In some increasingly rare instances, it could even manifest as something malicious being flagged as benign. In these cases, the “error” lies with the tool and its misclassification. The “solution” here is to address the tool's inspection (open a ticket with the vendor, correct and update the inspection logic or rules, etc.). Too many False Positives can be indicative of a poor quality tool.


False Alert

This is in stark contrast to a False Alert. These typically manifest as Alerts for suspicious or potentially malicious activities that are nevertheless “sanctioned” or allowed. An example here could be an Alert for the installation of remote management software (an RMM tool such as AnyDesk), where that tool is the one purchased and paid for by the Business for that purpose. In these cases, the “Inspection Tool Logic” is sound: that activity is indeed what transpired, and the tool is not “falsely” misidentifying it. In most cases, these Alerts are POTENTIALLY indicative of something suspicious (the wrong RMM tool being installed, for example, would be suspicious), but they aren't necessarily malicious in and of themselves. The “solution” here is much more nebulous; it may be that an application's logic and data flow need to be re-architected, it may be that some Business practices need to re-align with more modern and secure methods, or it may just be that an exception is needed for these Alerts. It really depends on the fine details of the situation. Too many False Alerts are NOT indicative of a poor quality tool (though an inability to effectively except them might be), but if not dealt with sufficiently, they can easily lead to that impression.
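As an added illustration of both cases above (not code from the original post), the toy process-creation detector below shows the two failure modes side by side: a defective rule that matches a substring of the whole path and therefore fires on a notes file (a False Positive, fixed by correcting the rule), and a correct rule that fires on a genuine RMM binary that happens to be the Business's sanctioned deployment (a False Alert, handled by a documented exception that suppresses the page but keeps the record). All events, publisher strings, the `OtherRMM.exe` product name and the install path are constructed values for this example; AnyDesk is the only name taken from the text.

```python
"""Added example: separating a False Positive (bad rule logic) from a
False Alert (correct rule, sanctioned activity) in a process-creation detector.
All sample data below is constructed for illustration."""
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    image: str                 # full path of the executable that started
    publisher: Optional[str]   # code signer reported by the sensor; None if unsigned


# Executable names the rule treats as remote-management software.
# "otherrmm.exe" is a hypothetical product name used only in this example.
RMM_IMAGES = {"anydesk.exe", "otherrmm.exe"}

# Sanctioned deployment of the Business-approved RMM: where it is expected to
# live and who is expected to have signed it (constructed placeholder values).
SANCTIONED = {
    "anydesk.exe": {
        "publisher": "EXAMPLE-APPROVED-RMM-PUBLISHER",
        "path_prefix": "c:\\program files\\anydesk\\",
    },
}

# Constructed sample events.
EVENTS: List[ProcEvent] = [
    ProcEvent("ws01", "jdoe", "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe",
              "EXAMPLE-APPROVED-RMM-PUBLISHER"),
    ProcEvent("ws02", "svc-it", "C:\\Program Files\\AnyDesk\\AnyDesk.exe",
              "EXAMPLE-APPROVED-RMM-PUBLISHER"),
    ProcEvent("ws03", "asmith", "C:\\Users\\asmith\\Documents\\anydesk_notes.txt",
              None),
    ProcEvent("ws04", "bjones", "C:\\Users\\bjones\\Downloads\\OtherRMM.exe",
              "EXAMPLE-OTHER-PUBLISHER"),
]


def naive_rule(ev: ProcEvent) -> bool:
    """Defective rule: substring match on the whole path. It fires on anything
    containing 'anydesk', including a notes file. That is a False Positive in the
    post's sense: the tool's own logic is wrong, so the fix is to correct the rule."""
    return "anydesk" in ev.image.lower()


def strict_rule(ev: ProcEvent) -> bool:
    """Corrected rule: compare only the executable's base name against the list."""
    return ntpath.basename(ev.image).lower() in RMM_IMAGES


def is_sanctioned(ev: ProcEvent) -> bool:
    """True when the binary is the approved product, signed by the expected
    publisher and running from its expected install location."""
    policy = SANCTIONED.get(ntpath.basename(ev.image).lower())
    if policy is None:
        return False
    return (ev.publisher == policy["publisher"]
            and ev.image.lower().startswith(policy["path_prefix"]))


def triage(ev: ProcEvent) -> str:
    """Classify one event: 'no_match', 'alert' (needs investigation) or
    'suppressed_sanctioned' (a False Alert: the rule was right that an RMM
    binary ran, but the deployment is approved, so no page is raised and the
    event is only recorded for audit)."""
    if not strict_rule(ev):
        return "no_match"
    if is_sanctioned(ev):
        return "suppressed_sanctioned"
    return "alert"


def triage_all(events: List[ProcEvent]) -> Dict[str, str]:
    return {ev.host: triage(ev) for ev in events}


if __name__ == "__main__":
    for ev in EVENTS:
        print(f"{ev.host}: naive={naive_rule(ev)} strict={strict_rule(ev)} -> {triage(ev)}")
```

Note that ws01 still alerts even though the binary is the approved product with the approved signer: the exception is scoped to the sanctioned install path, so an ad-hoc copy run from a user's Downloads folder remains worth a look. That scoping is what keeps an exception from quietly turning into a blind spot.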


Negative Effects

Too many Falses, of either type, can lead to significant negative effects. This might be something like Upper Management having a dim opinion of the Security Team or their choice of Tools. It could lead to a lot of unnecessary effort spent on ineffective P&Ps. In almost all cases, these can be avoided and addressed by understanding the differences between the two kinds of Falses and focusing on the underlying causes of the Alerts.
