Study Reveals Alarming Gap in SIEM Detection of Adversary Techniques

Enterprise Security Information and Event Management (SIEM) solutions are falling short when it comes to detecting and countering cyber-threats.

The claims come from CardinalOps’ 2023 Report on State of SIEM Detection Risk, which examined over 4000 detection rules, one million log sources and various unique log source types from production SIEMs like Splunk, Microsoft Sentinel, IBM QRadar and Sumo Logic.

The study showed that SIEMs can only detect 24% of the techniques listed in the MITRE ATT&CK framework, leaving organizations vulnerable to ransomware attacks, data breaches and other cyber threats.

The findings also revealed that SIEMs already ingest enough data to potentially cover 94% of all MITRE ATT&CK techniques. However, inefficient manual processes for developing new detections, together with data quality issues, contribute to the failure to achieve better coverage.

“It appears the challenge here isn’t so much a lack of detection capability as it is a lack of clean correlation and prioritization capabilities,” commented Mike Parkin, senior technical engineer at Vulcan Cyber.

“Until organizations can get a clear picture of their threat surfaces, manage their risk, and prioritize events to focus on what matters most, there will be problems. We have the tools to make it happen. But it can be a challenge to get them deployed and configured for best effect.”

Additionally, CardinalOps said 12% of all SIEM rules would be broken due to data quality problems, heightening the risk of undetected attacks. While enterprises are increasingly implementing ‘detection-in-depth’ strategies by collecting data from various security layers, monitoring containers lags behind other layers, with only 32% of SIEMs tracking them.

“So, how must IT security teams adapt their strategy in the wake of these findings?” asked John Gallagher, vice president of Viakoo Labs at Viakoo.

“Having a focus on automation is critical to achieving goals with limited human and financial resources. This includes expanding automated detection to include IoT/OT attack vectors, as well as having plans already in place for automated threat remediation.”
