Security information and event management (SIEM) systems only have detections for 24 percent of the 196 techniques in MITRE ATT&CK v13, according to a new report.<\/p>\n\n\n\n
“This implies that adversaries can execute around 150 different techniques that will be undetected by the SIEM,” says the CardinalOps report. “Or stated another way, SIEMs are only covering around 50 techniques out of all the techniques that can potentially be used by adversaries.”<\/p>\n\n\n\n
The Third Annual Report on the State of SIEM Detection Risk<\/a> by detection posture management vendor CardinalOps is based on analysis of configuration metadata from a wide variety of SIEM instances, including Splunk, Microsoft Sentinel, IBM QRadar, and Sumo Logic, across verticals that include banking and financial services, insurance, manufacturing, energy, media and telecom, professional and legal services, and managed security services providers (MSSPs) and managed detection and response (MDR) vendors.<\/p>\n\n\n\n See the Top SIEM Solutions<\/a><\/strong><\/p>\n\n\n The researchers also found that 12 percent of all SIEM rules are broken and will never fire due to issues like misconfigured data sources, missing fields, and parsing errors.<\/p>\n\n\n\n “Worse, organizations are often unaware of the gap between the theoretical security they assume they have and the actual security they have in practice, creating a false impression of their detection posture,” the report states.<\/p>\n\n\n\n Key reasons for that gap, according to CardinalOps, include complexity, constant change, the unique nature of each enterprise, error-prone manual processes, and challenges in hiring and retaining skilled personnel.<\/p>\n\n\n\n Also read: 5 Ways to Configure a SIEM for Accurate Threat Detection<\/a><\/strong><\/p>\n\n\n\n At the same time, CardinalOps found that SIEMs already ingest enough data to cover 94 percent of all MITRE ATT&CK techniques. “This suggests we don’t need to collect more data, but rather we need to scale our detection engineering processes to develop more detections faster,” the report states.<\/p>\n\n\n\n Security layers monitored by SIEMs, according to the findings, include Windows (96 percent), Network (96 percent), Identity and Access Management (96 percent), Linux\/Mac (87 percent), Cloud (83 percent), and Email (78 percent).<\/p>\n\n\n\n Still, just 32 percent monitor containers<\/a>. “One explanation for this might be that, due to the dynamic nature of microservices-based application environments, monitoring them can be a hefty challenge and they are likely to bring a significant volume of data to SIEM platforms,” the report suggests. “Another explanation might be that detection engineers are challenged by the prospect of writing high-fidelity detections to alert on anomalous activity for these highly-dynamic assets.”<\/p>\n\n\n\n The report offers four key recommendations to enhance SIEM detection coverage and quality \u2014 starting with reviewing current SIEM processes.<\/p>\n\n\n\n The other three recommendations are:<\/p>\n\n\n\n As part of the first step of reviewing current processes, the report offers a number of avenues for inquiry:<\/p>\n\n\n\n \u2022 Threat analysts and threat intelligence<\/a><\/p>\n\n\n\n \u2022 Breach and attack simulation (BAS) tools<\/a><\/p>\n\n\n\n \u2022 News about high-profile attacks and vulnerabilities<\/p>\n\n\n\n \u2022 Manual pentesting<\/a><\/p>\n\n\n\n \u2022 Red teaming<\/a><\/p>\n\n\n\n “Most organizations don’t have good visibility into their MITRE ATT&CK coverage and are struggling to get the most from their existing SIEMs,” CardinalOps CEO and co-founder Michael Mumcuoglu said in a statement. “This is important because preventing breaches starts with having the right detections in your SIEM \u2013 according to the adversary techniques most relevant to your organization \u2013 and ensuring they’re actually working as intended.”<\/p>\n\n\n\n Read next: Implementing and Managing Your SIEM Securely: A Checklist<\/a><\/strong><\/p>\n\n\nMisconfigured SIEM Rules<\/h2>\n\n\n\n
Plenty of Data, Not Enough Detections<\/h2>\n\n\n\n
Key Steps to Take<\/h2>\n\n\n\n
\n
\n
\n