SIEMs cover less than 20 percent of attack techniques

Security information and event management (SIEM) systems used by enterprises only have detections for 38 (19 percent) of the 201 techniques covered in the MITRE ATT&CK v14 framework according to a new report.

CardinalOps analyzed more than 3,000 detection rules, 1.2 million log sources and hundreds of unique log source types from real-world SIEM instances across Splunk, Microsoft Sentinel, IBM QRadar, and Sumo Logic.

But the report finds organizations have the potential to cover 87 percent of all MITRE ATT&CK techniques with the data they are already ingesting in their SIEMs. However, nearly one in five SIEM rules are broken. The findings show that 18 percent of SIEM rules will never fire due to a common issue like misconfigured data sources and missing fields.

Multiple SIEM environments are on the rise too with 43 percent of organizations reporting having two or more SIEMs in production. Reasons for this include seeking cost savings, multiple business units, and a need to abide by regulatory requirements.

"These findings highlight the difficulty that organizations face in building and maintaining effective detection coverage," says Yair Manor, CTO and co-founder at CardinalOps. "Security teams continue to struggle with getting the most out of their SIEM and worse, often falsely believe that they are protected when in reality they are at great risk."

The reasons for this lack of coverage are cited as, complexity, constant change, manual and error-prone processes, difficulty finding and retaining skilled staff, and that the fact that there's no 'one size fits all' solution.

You can get the full report from the CardinalOps site.

Image credit: Arwagula/Dreamstime.com