Enterprise SIEMs miss 76 percent of attack techniques

Security information and event management systems (SIEMs) are missing detections for 76 percent of MITRE ATT&CK techniques that adversaries use to breach their environments, according to a new report.

Produced by CardinalOps, the study analyzes real-world data from production SIEMs -- including Splunk, Microsoft Sentinel, IBM QRadar, and Sumo Logic -- covering more than 4,000 detection rules, nearly one million log sources, and hundreds of unique log source types.

The problem isn't lack of data. SIEMs already have sufficient data to potentially cover 94 percent of all MITRE ATT&CK techniques. But many enterprises are still relying on manual and error-prone processes for developing new detections, making it difficult to reduce their backlogs and act quickly to plug detection gaps.

Rule quality is an issue too: 12 percent of SIEM rules are broken and will never trigger because of data quality issues such as misconfigured data sources and missing fields. This increases the risk of a breach through undetected attacks.
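One automated check for the broken-rule problem described above, as an added example (not code from the report or from any SIEM vendor): it compares the fields each rule references against the fields actually present in ingested events and reports rules that can never trigger. Rule names, log source types, field names and events are constructed sample data.

```python
"""Detection-rule health check: flag SIEM rules that can never fire because the
fields they reference are absent from the events their log source actually ships.
Added example, not code from the report or any SIEM vendor; rules, field names and
events below are constructed sample data."""
from collections import defaultdict

# Constructed sample: a few events as ingested, keyed by log source type.
INGESTED_EVENTS = {
    "windows_security": [
        {"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\cmd.exe"},
        {"EventID": 4624, "LogonType": 3, "TargetUserName": "svc-backup"},
    ],
    "container_runtime": [
        {"container_id": "a1b2c3", "image": "nginx:1.25", "action": "start"},
    ],
}

# Constructed sample rules: the log source each queries and the fields its logic needs.
RULES = [
    {"name": "Suspicious process creation", "source": "windows_security",
     "fields": ["EventID", "NewProcessName"]},
    {"name": "Process with command line", "source": "windows_security",
     "fields": ["EventID", "CommandLine"]},  # CommandLine never collected
    {"name": "Privileged container start", "source": "container_runtime",
     "fields": ["container_id", "privileged"]},  # flag missing from events
    {"name": "Kubernetes exec into pod", "source": "k8s_audit",
     "fields": ["verb", "objectRef.resource"]},  # source not onboarded
]

def observed_fields(events_by_source):
    """Set of field names actually seen, per log source, across ingested events."""
    seen = defaultdict(set)
    for source, events in events_by_source.items():
        for event in events:
            seen[source].update(event.keys())
    return seen

def broken_rules(rules, events_by_source):
    """Map each rule that can never trigger to the reason it is broken."""
    seen = observed_fields(events_by_source)
    report = {}
    for rule in rules:
        if rule["source"] not in seen:
            report[rule["name"]] = f"log source '{rule['source']}' not ingested"
            continue
        missing = sorted(set(rule["fields"]) - seen[rule["source"]])
        if missing:
            report[rule["name"]] = f"fields never present: {', '.join(missing)}"
    return report
```

Run against a real rule export and a sample of recent events per log source, the same check surfaces both rules with stale field names and rules whose log source was never onboarded.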

Enterprise SIEMs are following best practices and collecting data from multiple security layers such as Windows endpoints (96 percent), network (96 percent), IAM (96 percent), Linux/Mac (87 percent), cloud (83 percent), and email (78 percent). However, monitoring of containers is lagging behind other layers at only 32 percent, despite recent Red Hat data showing that 68 percent of organizations are running containers. This low number could be because it's challenging for detection engineers to write detections to uncover anomalous behavior in these dynamic environments.

"These findings illustrate a simple truth: most organizations don't have good visibility into their MITRE ATT&CK coverage and are struggling to get the most from their existing SIEMs," says Michael Mumcuoglu, CEO and co-founder at CardinalOps. "This is important because preventing breaches starts with having the right detections in your SIEM -- according to the adversary techniques most relevant to your organization -- and ensuring they're actually working as intended. Based on the experience of our enterprise customers, leveraging automation and detection posture management are critical capabilities for achieving this."

The full report is available from the CardinalOps site.
