Researchers have analyzed data from production SIEM platforms from companies such as Splunk, Microsoft Sentinel, IBM QRadar, and Sumo Logic, and found that they have detections for just 24% of all MITRE ATT&CK techniques. The adversaries can execute about 150 different techniques that can bypass SIEM detection, while only about 50 techniques are spotted.
MITRE ATT&CK is a global knowledge base of adversary tactics and techniques based on real-world observations that’s aimed at helping organizations detect and mitigate cyberattacks. it has more than 500 TTP that used by the threat actors. It has the playback for those adversaries to deal with.
Despite enterprises’ best efforts to shore up their SIEM postures, most platform implementations have massive gaps in coverage, including missing more than three-quarters of the common techniques that threat actors use to use to deploy ransomware, steal sensitive data, and execute other cyberattacks.
Organizations are largely deluded about their own security postures and “are often unaware of the gap between the theoretical security they assume they have and the actual security they have in practice,” This enables the false posture.
The key issue contributing to the current state of SIEM seems to be that even though resources exist for organizations to use knowledge, automation, and other processes to detect adversaries and potential attacks on their environments, they still largely rely on manual and other “error-prone” processes for developing new detections, the researchers noted. This makes it difficult to reduce their backlogs and act quickly to fill gaps in detection.
SIEM require fine-tuning to deliver the best results for the environment they’re deployed. Many organizations have gotten the basics working but haven’t done the fine-tuning necessary to take their detection, response, and risk management strategies to the next level.
A key issue that seems to be tripping up detection in enterprise SIEM deployments is that on average, they have 12% of rules that are broken, which means they will never file an alert when something is amiss. Adversaries can exploit gaps created by broken detections to successfully breach organizations.
Organizations can take several steps to close the gap between what a SIEM is capable of in terms of cyberattack detection, and how they currently are using it.
A key strategy would be to scale SIEM detection-engineering processes to develop more detections faster using automation, something that companies already use widely to great effect in “multiple areas of the SOC, such as anomaly detection and incident response,” but not so much in detection.
One key challenge that organizations continue to face is that the current attack surface which now includes large numbers of vulnerable network-connected devices as well as the typical enterprise network has grown well past what the IT organization is currently capable of supporting or managing.
To defend and maintain the integrity of those assets requires IT working closely with other parts of the organization to ensure those assets are visible, operational, and secure.
This research was documented by researchers from CardinalOps.