False Positive Reduction

A false positive is an alert raised by a security device in response to an event that looks like a violation but is not an actual attack. Typically 98 per cent of the alerts raised by an IDS are false positives, and an organization wastes precious time and resources distinguishing a false positive from a genuine alert. RSEM is an effective tool that helps in reducing these false alarms.
There are numerous reasons that result in false positives. Some of them are as follows:

Deperimeterisation and operational requirements

With the deperimeterisation of the network, an organization's network is exposed to numerous risks and vulnerabilities. Most of these are functional hazards that the organization is aware of but must tolerate in order to carry on with its operations, despite the threats that these vulnerabilities and risks pose.

However, the security devices acquired by an organization, such as IPS/IDS/HIPS, firewalls, AVs, etc., cannot be customized with rules that allow operations to continue while tolerating these known and accepted risks. These devices therefore do not distinguish violations of known, accepted risks from violations that indicate actual risk; they treat both as threats or attacks and log them accordingly.

RSEM, with the aid of its advanced filters, can create logic rules that distinguish a real violation from a fake one, and thus eliminates the false positives that would otherwise arise from alerts raised by these security devices.
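The following is an added illustration of the kind of accepted-risk filter logic described above; it is example code written for this page, not RSEM's own implementation. The alert fields, rule schema, signature names, IP addresses and risk identifiers are all constructed assumptions. The filter suppresses alerts that match a documented accepted-risk rule, keeps a reason with every suppression so the decision stays auditable, and never silences an alert of critical severity even when a rule matches.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass(frozen=True)
class Alert:
    # Minimal normalized alert as a SIEM might receive it from an IDS (constructed schema).
    src_ip: str
    dst_ip: str
    dst_port: int
    signature: str
    severity: str  # "low" | "medium" | "high" | "critical"

@dataclass(frozen=True)
class SuppressionRule:
    name: str
    reason: str  # documented accepted-risk justification, kept for audit
    matches: Callable[[Alert], bool]

# Hypothetical environment facts (constructed for this example).
AUTHORIZED_SCANNERS = {ipaddress.ip_address("10.0.5.20")}   # internal vulnerability scanner
LEGACY_APP_HOST = ipaddress.ip_address("10.0.9.15")          # app that cannot yet be upgraded
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

def build_rules() -> List[SuppressionRule]:
    """Accepted-risk rules: each one is narrow (source, destination, port, signature)."""
    return [
        SuppressionRule(
            name="authorized-vuln-scanner",
            reason="Scheduled internal scans; accepted risk RISK-001 (constructed id)",
            matches=lambda a: a.signature.startswith("PORT_SCAN_")
            and ipaddress.ip_address(a.src_ip) in AUTHORIZED_SCANNERS,
        ),
        SuppressionRule(
            name="legacy-app-deprecated-tls",
            reason="Legacy app pending migration; internal clients only",
            matches=lambda a: a.signature == "LEGACY_HTTP_DEPRECATED_TLS"
            and ipaddress.ip_address(a.dst_ip) == LEGACY_APP_HOST
            and a.dst_port == 8080
            and ipaddress.ip_address(a.src_ip) in INTERNAL_NET,
        ),
    ]

def triage(alerts: List[Alert], rules: List[SuppressionRule]
           ) -> Tuple[List[Alert], List[Tuple[Alert, str]]]:
    """Split alerts into (escalated, suppressed); suppressed entries carry the rule name."""
    escalated, suppressed = [], []
    for alert in alerts:
        rule = next((r for r in rules if r.matches(alert)), None)
        # Safety valve: an accepted-risk filter never silences a critical alert.
        if rule is None or alert.severity == "critical":
            escalated.append(alert)
        else:
            suppressed.append((alert, rule.name))
    return escalated, suppressed

# Constructed sample alerts (addresses from private and documentation ranges).
SAMPLE_ALERTS = [
    Alert("10.0.5.20", "10.0.1.7", 22, "PORT_SCAN_SSH", "medium"),      # authorized scanner
    Alert("203.0.113.9", "10.0.1.7", 22, "PORT_SCAN_SSH", "medium"),    # external: escalate
    Alert("10.0.2.2", "10.0.9.15", 8080, "LEGACY_HTTP_DEPRECATED_TLS", "low"),       # accepted risk
    Alert("10.0.2.2", "10.0.9.15", 8080, "LEGACY_HTTP_DEPRECATED_TLS", "critical"),  # critical: escalate
]

if __name__ == "__main__":
    esc, sup = triage(SAMPLE_ALERTS, build_rules())
    for a in esc:
        print(f"ESCALATE  {a.severity:8} {a.signature} {a.src_ip} -> {a.dst_ip}:{a.dst_port}")
    for a, rule in sup:
        print(f"SUPPRESS  {a.severity:8} {a.signature} ({rule})")
```

Each rule is deliberately scoped to a specific source, destination, port and signature; a rule that matches only on signature name would also hide the same behaviour coming from an unexpected host, which is exactly the case that should reach an analyst.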
