Security information and event management (SIEM) systems only have detections for 24 percent of the 196 techniques in MITRE ATT&CK v13, according to a new report.
“This implies that adversaries can execute around 150 different techniques that will be undetected by the SIEM,” says the CardinalOps report. “Or stated another way, SIEMs are only covering around 50 techniques out of all the techniques that can potentially be used by adversaries.”
The Third Annual Report on the State of SIEM Detection Risk by detection posture management vendor CardinalOps is based on analysis of configuration metadata from a wide variety of SIEM instances, including Splunk, Microsoft Sentinel, IBM QRadar, and Sumo Logic, across verticals that include banking and financial services, insurance, manufacturing, energy, media and telecom, professional and legal services, and managed security services providers (MSSPs) and managed detection and response (MDR) vendors.
Misconfigured SIEM Rules
The researchers also found that 12 percent of all SIEM rules are broken and will never fire due to issues like misconfigured data sources, missing fields, and parsing errors.
“Worse, organizations are often unaware of the gap between the theoretical security they assume they have and the actual security they have in practice, creating a false impression of their detection posture,” the report states.
Key reasons for that gap, according to CardinalOps, include complexity, constant change, the unique nature of each enterprise, error-prone manual processes, and challenges in hiring and retaining skilled personnel.
Plenty of Data, Not Enough Detections
At the same time, CardinalOps found that SIEMs already ingest enough data to cover 94 percent of all MITRE ATT&CK techniques. “This suggests we don’t need to collect more data, but rather we need to scale our detection engineering processes to develop more detections faster,” the report states.
Security layers monitored by SIEMs, according to the findings, include Windows (96 percent), Network (96 percent), Identity and Access Management (96 percent), Linux/Mac (87 percent), Cloud (83 percent), and Email (78 percent).
Still, just 32 percent monitor containers. “One explanation for this might be that, due to the dynamic nature of microservices-based application environments, monitoring them can be a hefty challenge and they are likely to bring a significant volume of data to SIEM platforms,” the report suggests. “Another explanation might be that detection engineers are challenged by the prospect of writing high-fidelity detections to alert on anomalous activity for these highly-dynamic assets.”
Key Steps to Take
The report offers four key recommendations to enhance SIEM detection coverage and quality — starting with reviewing current SIEM processes.
The other three recommendations are:
- Become more intentional about how you develop and manage detection content
- Build or refresh your use case management processes
- Measure and continuously improve
As part of the first step of reviewing current processes, the report offers a number of avenues for inquiry:
- What is the approach for finding false negatives – and what adversary techniques, behaviors, and threats are being missed?
- How are use cases managed and prioritized? “Typically, we find they’re added to the backlog via an ad-hoc process,” driven by a combination of:
• Threat analysts and threat intelligence
• News about high-profile attacks and vulnerabilities
• Manual pentesting
- How are detections developed today and what is the process for turning threat knowledge into detections?
- How long does it typically take to develop new detections?
- Is there a systematic process to periodically identify detections that are no longer functional due to infrastructure changes, changes in vendor log source formats, etc.?
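The last question above, together with the earlier finding that 12 percent of rules can never fire because of misconfigured data sources, missing fields, and parsing errors, is the kind of check that can be automated. The following is an added illustration, not code from the CardinalOps report or any SIEM vendor: it assumes each rule is described by its log source, the parsed fields its query needs, and the ATT&CK technique it is meant to cover, then inspects a recent sample of parsed events to flag rules that cannot fire and counts coverage only over the rules that actually work. Rule names, field names, and events are constructed; the technique IDs are standard ATT&CK identifiers used as labels.

```python
# Added example (hypothetical rule metadata, not any SIEM's native format).
# Constructed sample rules: source, required parsed fields, ATT&CK technique.
RULES = [
    {"name": "psexec_service", "source": "windows", "fields": ["EventID", "ServiceName"], "technique": "T1569.002"},
    {"name": "rdp_logon", "source": "windows", "fields": ["EventID", "LogonType"], "technique": "T1021.001"},
    {"name": "suspicious_cmdline", "source": "windows", "fields": ["EventID", "CommandLine"], "technique": "T1059.003"},
    {"name": "cron_modified", "source": "linux", "fields": ["syscall", "path"], "technique": "T1053.003"},
    {"name": "assume_role_from_new_ip", "source": "cloud", "fields": ["eventName", "sourceIPAddress"], "technique": "T1078.004"},
]

# Constructed sample of recently parsed events per source. An event carrying only
# "_raw" means the parser extracted no fields; an empty list means the source sent
# nothing in the lookback window (misconfigured or dead data source).
EVENTS = {
    "windows": [
        {"EventID": "7045", "ServiceName": "PSEXESVC", "Computer": "ws01"},
        {"EventID": "4624", "LogonType": "10", "Computer": "ws01"},
    ],
    "linux": [{"_raw": "type=SYSCALL msg=audit(1700000000.123:42): ..."}],
    "cloud": [],
}


def check_rules(rules, events):
    """Return {rule_name: reason} for every rule that cannot fire on current data."""
    broken = {}
    for rule in rules:
        evts = events.get(rule["source"], [])
        if not evts:
            broken[rule["name"]] = f"no events ingested from source '{rule['source']}'"
        elif all(set(e) <= {"_raw"} for e in evts):
            broken[rule["name"]] = f"parsing error: source '{rule['source']}' yields no fields"
        else:
            seen = set().union(*(e.keys() for e in evts))
            missing = [f for f in rule["fields"] if f not in seen]
            if missing:
                broken[rule["name"]] = "missing field(s): " + ", ".join(missing)
    return broken


def coverage(rules, broken):
    """Techniques the rule set claims to cover vs. techniques covered by rules that work."""
    claimed = {r["technique"] for r in rules}
    actual = {r["technique"] for r in rules if r["name"] not in broken}
    return len(claimed), len(actual)


if __name__ == "__main__":
    broken = check_rules(RULES, EVENTS)
    for name, reason in broken.items():
        print(f"BROKEN {name}: {reason}")
    print("claimed vs. actual techniques:", coverage(RULES, broken))
```

Run periodically against a fresh event sample, the gap between the two coverage numbers is the difference between assumed and actual detection posture that the report describes.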
“Most organizations don’t have good visibility into their MITRE ATT&CK coverage and are struggling to get the most from their existing SIEMs,” CardinalOps CEO and co-founder Michael Mumcuoglu said in a statement. “This is important because preventing breaches starts with having the right detections in your SIEM – according to the adversary techniques most relevant to your organization – and ensuring they’re actually working as intended.”