Massive Gaps in SIEM Implementations Leave Enterprises Vulnerable
A Troubling Reality
Despite efforts by enterprises to strengthen their security information and event management (SIEM) postures, recent research conducted by CardinalOps reveals that most platform implementations have significant gaps in coverage. These gaps leave organizations exposed to a range of cyberattacks, including ransomware deployment and data theft. The study analyzed data from production SIEM platforms used by companies such as Splunk, Microsoft Sentinel, IBM QRadar, and Sumo Logic. The findings indicate that these platforms have detections for only 24% of all MITRE ATT&CK techniques, meaning that adversaries can bypass SIEM detection using approximately 150 different techniques. In contrast, only about 50 techniques are effectively detected.
A False Sense of Security
The report also highlights a concerning discrepancy between organizations’ perceived security postures and their actual security capabilities. According to the researchers, many organizations are unaware of the gap between the theoretical security they assume they have and the actual security they have in practice. This misconception creates a false impression of their detection posture and puts them at greater risk of cyberattacks.
The Role of MITRE ATT&CK
MITRE ATT&CK is a global knowledge base of adversary tactics and techniques based on real-world observations. It aims to assist organizations in detecting and mitigating cyberattacks. The report’s data draws from the analysis of over 4,000 detection rules, nearly 1 million log sources, and various log source types across industry verticals such as banking, insurance, manufacturing, energy, and media and telecommunications.
Increasing Significance of MITRE ATT&CK
The study emphasizes that MITRE ATT&CK has become the standard framework for understanding adversary playbooks and behavior. Threat intelligence has advanced, leading to a wealth of knowledge in the framework, which currently describes over 500 techniques and sub-techniques used by prominent threat groups. However, the report highlights that utilizing the framework effectively in SIEM deployments remains a challenge for many organizations.
Identifying the Challenges and Solutions
Efficacy Issues in SIEM Implementations
The report identifies several key issues contributing to the inadequacy of SIEM efficacy. One significant problem is that organizations heavily rely on manual and error-prone processes, hindering their ability to develop new detections promptly. Adequate detection requires fine-tuning and efficient deployment, as SIEMs are not standalone solutions. Organizational commitment to ongoing fine-tuning, response, and risk management strategies is crucial for optimal SIEM performance.
Addressing Broken Detection Rules
Further investigation reveals that on average, enterprise SIEM deployments have 12% of rules that are broken. These broken rules, resulting from ongoing changes in IT infrastructure, vendor log format changes, and human errors, create exploitable gaps for adversaries to breach organizations. Organizations must prioritize regular review and maintenance of detection rules to ensure their accuracy and effectiveness.
Scaling the Detection-Engineering Process
To close the gap between an SIEM‘s capabilities and its current utilization, organizations must focus on scaling detection-engineering processes through automation. While automation is already widely used in areas such as anomaly detection and incident response, it is not effectively applied to detection. The report suggests expanding automated detection to include Internet of Things (IoT) and operational technology (OT) attack vectors and developing plans for automated threat remediation.
The Growing Importance of Threat Surface Management
Organizations face the challenge of managing the current attack surface, which now extends beyond traditional enterprise networks to encompass vulnerable network-connected devices. To defend and maintain the integrity of these assets, IT must collaborate closely with other departments to ensure visibility, operational functionality, and security. Clear threat surface management, risk prioritization, and effective tool deployment are crucial in mitigating cybersecurity risks.
Conclusion
The findings of CardinalOps’ analysis underscore the need for organizations to address the significant gaps in their SIEM implementations. By leveraging MITRE ATT&CK and adopting automation in detection-engineering processes, organizations can enhance their security postures and reduce the risk of cyberattacks. It is imperative that organizations recognize the importance of ongoing fine-tuning, threat surface management, and collaboration across departments to effectively protect their digital assets. Failure to do so leaves enterprises vulnerable to malicious threat actors and jeopardizes sensitive data and operations.
Sources:
<< photo by Sigmund >>
The image is for illustrative purposes only and does not depict the actual situation.
You might want to read !
- The Fallout of Cyberattacks: Energy Giants Fall Victim to the MOVEit Menace
- The Vulnerability of Rural Water Systems: Analyzing the Cyber Funding Flows
- The FDA’s SBOM Mandate: A Game-Changer for Open Source Security
- “The Battle for npm: Unleashing an Unprecedented Campaign to Safeguard the Ecosystem”
- Law Firms Under Siege: The Rise of Ransomware and Cyberattacks
- Airline Security Breach: American and Southwest Faced with Hacked Pilot Applicant Information
- The FDA’s SBOM Mandate: Revolutionizing OSS Security Practices