CyberSecurity SEE

Most Enterprise SIEMs Lack Visibility into MITRE ATT&CK Tactics

Enterprises’ security information and event management (SIEM) postures are falling short in protecting against cyberattacks and detecting threats, according to a recent report by CardinalOps. The study analyzed data from various SIEM platforms, including Splunk, Microsoft Sentinel, IBM QRadar, and Sumo Logic, and found that these systems only have detections for 24% of all techniques outlined in the MITRE ATT&CK framework. This means that threat actors can employ about 150 different techniques to evade detection, while only 50 techniques are detected.

Although SIEM systems have the potential to cover 94% of these techniques, organizations are largely unaware of the gap between the security they assume they have and the security they actually possess. This creates a false sense of security, leaving enterprises vulnerable to cyberattacks and data breaches. MITRE ATT&CK is a global knowledge base that offers insight into adversary tactics and techniques, aiding organizations in detecting and mitigating cyber threats.

The report’s findings are a result of analyzing over 4,000 detection rules, nearly one million log sources, and hundreds of unique log source types used in SIEM across various industry verticals. These verticals include banking and financial services, insurance, manufacturing, energy, and media and telecommunications.

The researchers identified several factors contributing to the limited efficacy of SIEM systems. One main issue is that organizations still rely heavily on manual processes to develop detections, which are prone to errors and delays. SIEM systems require fine-tuning to deliver optimal results, and many organizations have not prioritized this step. Additionally, in the average enterprise SIEM deployment 12% of rules are broken, so they never raise an alert when the suspicious activity they target occurs.
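As an added example (not from the report or from CardinalOps), the following Python models the three coverage figures the report distinguishes for one SIEM: the coverage an organization assumes from its rule inventory, the coverage that actually works, and the coverage its ingested log sources could support, with broken rules being those that are disabled or read a log source that is no longer ingested. All rule names, technique mappings and log sources are constructed sample data.

```python
"""Detection-coverage gap calculator (constructed example, not the report's data)."""
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    techniques: set  # ATT&CK technique IDs the rule claims to detect
    log_sources: set  # log source types the rule's query reads from
    enabled: bool = True


# Technique IDs each log source type could surface (constructed mapping).
DETECTABLE_BY_SOURCE = {
    "windows_security": {"T1078", "T1110", "T1053"},
    "sysmon": {"T1059", "T1055", "T1053", "T1003"},
    "proxy": {"T1071", "T1105"},
    "dns": {"T1071", "T1568"},
}
# Constructed sample SIEM state: technique catalogue, ingested sources, rules.
CATALOGUE = {"T1078", "T1110", "T1053", "T1059", "T1055", "T1003",
             "T1071", "T1105", "T1568", "T1566"}
INGESTED = {"windows_security", "sysmon", "dns"}
SAMPLE_RULES = [
    Rule("brute_force", {"T1110"}, {"windows_security"}),
    Rule("scheduled_task_exec", {"T1053", "T1059"}, {"sysmon"}),
    Rule("c2_beacon", {"T1071"}, {"proxy"}),                   # proxy not ingested
    Rule("lsass_dump", {"T1003"}, {"sysmon"}, enabled=False),  # rule disabled
]


def assess(rules, ingested, catalogue):
    """Return assumed, actual and potential technique sets plus broken rule names."""
    assumed, actual, broken = set(), set(), []
    for r in rules:
        assumed |= r.techniques & catalogue  # what the rule inventory claims
        # A rule is broken if disabled or if it reads a log source that is
        # not ingested; broken rules add nothing to actual coverage.
        if not r.enabled or not r.log_sources <= ingested:
            broken.append(r.name)
            continue
        actual |= r.techniques & catalogue
    potential = set()  # what the ingested log sources could detect if rules existed
    for src in ingested:
        potential |= DETECTABLE_BY_SOURCE.get(src, set()) & catalogue
    return {"assumed": assumed, "actual": actual, "potential": potential,
            "broken": broken}


def pct(covered, total):
    """Percentage of `total` items that appear in `covered`, to one decimal."""
    return round(100 * len(covered) / len(total), 1)
```

Comparing `pct(result["actual"], CATALOGUE)` with `pct(result["potential"], CATALOGUE)` exposes the assumed-versus-actual gap the report describes, and `pct(result["broken"], SAMPLE_RULES)` gives the broken-rule share.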

The MITRE ATT&CK framework plays a critical role in understanding adversary playbooks and behavior. It currently catalogues over 500 techniques and sub-techniques used by threat groups, providing valuable insights for organizations. While 89% of organizations use the framework to reduce security risks, the report reveals that effectively implementing MITRE ATT&CK within SIEM systems remains a challenge.

To address this gap, organizations must focus on automating SIEM detection-engineering processes to develop more detections efficiently. Automation, already widely used in areas such as anomaly detection and incident response, needs to be applied more extensively to detection. The manual nature of detection engineering often relies on specialized experts, limiting its scalability and effectiveness.

Automation is crucial due to the limited availability of human and financial resources. It should be expanded to cover IoT and operational technology attack vectors, and organizations should have plans in place for automated threat remediation. However, organizations still face challenges in managing their expanded attack surface, which includes vulnerable network-connected devices. Collaboration between IT and other parts of the organization is essential to ensure assets are visible, operational, and secure.

In conclusion, enterprises need to recognize the gaps in their SIEM postures and take steps to close them. Automation and fine-tuning of SIEM systems are vital for effective cyberattack detection and response. Organizations must prioritize implementing the MITRE ATT&CK framework within their SIEM systems and leverage its knowledge to enhance their security efforts. With the right tools and configurations in place, organizations can improve their threat detection and response capabilities, ensuring a stronger defense against cyber threats.
