Poor SIEM configuration puts enterprises at risk


Enterprises invest billions annually on SIEM (Security Information and Event Management) software and expect this investment to result in comprehensive threat coverage.

But a new report from AI-powered threat coverage platform CardinalOps shows that, on average, the rules in a SIEM deployment miss 84 percent of the techniques listed in MITRE ATT&CK.

Add in the fact that multiple rules may be required to fully cover a particular attack technique and the actual MITRE coverage of the average SIEM deployment is likely to be even worse.

The research data shows that an average of 25 percent of SIEM rules are broken and will never fire, primarily due to fields that are not extracted correctly or log sources that are not sending the required data. Yet organizations are completely unaware that these rules are not functioning. In addition, only 15 percent of SIEM rules lead to 95 percent of the tickets handled by the Security Operations Center (SOC), demonstrating that a small percentage of noisy rules overwhelm SOC analysts with distracting false positive alerts.
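The two failure modes named above (fields that are never extracted, and log sources that send nothing) can be caught before an analyst relies on a rule. The following added example, not code from the report or from CardinalOps, is a simple rule health check: it assumes a hypothetical rule format that lists the log source and field names each rule reads, and compares those against the fields actually observed in constructed sample events from the SIEM.

```python
# Added example: flag SIEM rules that can never fire because the fields they
# reference are missing from the events their log source actually emits.
# The rule structure is hypothetical; the sample events are constructed.
from collections import defaultdict

# Constructed sample events, as a SIEM would see them after field extraction.
# Note that no 'dns' events arrive and ParentProcessName is never extracted.
SAMPLE_EVENTS = [
    {"source": "windows_security", "EventID": "4688", "NewProcessName": "cmd.exe"},
    {"source": "windows_security", "EventID": "4624", "LogonType": "10"},
    {"source": "proxy", "url": "http://example.test/a", "status": "200"},
]

# Hypothetical rules: each names its log source and the fields its logic reads.
RULES = [
    {"name": "Suspicious process spawn", "source": "windows_security",
     "fields": ["EventID", "NewProcessName", "ParentProcessName"]},
    {"name": "RDP logon", "source": "windows_security",
     "fields": ["EventID", "LogonType"]},
    {"name": "DNS tunneling", "source": "dns", "fields": ["query", "query_length"]},
    {"name": "Web beaconing", "source": "proxy", "fields": ["url", "status"]},
]


def observed_fields(events):
    """Map each log source to the set of field names seen in its events."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["source"]].update(k for k in ev if k != "source")
    return seen


def check_rules(rules, events):
    """Return {rule_name: reason} for every rule that cannot fire on this telemetry."""
    seen = observed_fields(events)
    broken = {}
    for rule in rules:
        src = rule["source"]
        if src not in seen:
            broken[rule["name"]] = f"log source '{src}' sent no events"
            continue
        missing = sorted(set(rule["fields"]) - seen[src])
        if missing:
            broken[rule["name"]] = f"fields never extracted: {', '.join(missing)}"
    return broken


if __name__ == "__main__":
    for name, reason in check_rules(RULES, SAMPLE_EVENTS).items():
        print(f"BROKEN: {name}: {reason}")
```

Run against a recent window of real events per source, a check like this turns a silently dead rule into a ticket for the log-onboarding team rather than a gap discovered after an incident.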

Maintaining rules is a problem too. According to the research, 78 percent of SIEM vendors' 'out-of-the-box' default rules are disabled by customers because tuning and customizing these rules to fit their organization-specific needs is deemed too time-consuming. On average, organizations add just one rule to their SIEM every month.

"While it is commonly known that most SIEM deployments are ineffective, this new research validates beyond a doubt the truly poor efficacy of the average SIEM deployment," says Yair Manor, CTO at CardinalOps and principal author of the research study. "If organizations are going to be successful moving forward, it is critical they learn how to optimize their existing security tools and that first comes from better understanding the threat coverage currently in play."

The full report is available from the CardinalOps site.


© 1998-2024 BetaNews, Inc. All Rights Reserved.