According to reports, 80% of cyberattack techniques evade detection by SIEMs

According to a new report by CardinalOps, enterprise SIEMs are missing detections for 80% of all MITRE ATT&CK techniques and address only five of the top 14 ATT&CK techniques employed by adversaries in the wild.

The second annual report on the state of SIEM detection risk examined data from production SIEM instances, including Splunk, Microsoft Sentinel, and IBM QRadar, to better understand how ready security teams are to detect the latest techniques in MITRE ATT&CK, the industry-standard catalog of common adversary behaviors based on real-world observations. This matters because detecting malicious activity early in the intrusion lifecycle is critical for the organization.

CardinalOps analyzed configuration data from real-world SIEM instances to gain insight into the current state of threat detection coverage in modern security operations centers (SOCs). The organizations studied are multibillion-dollar multinationals, making this one of the largest sets of SIEM data analyzed to date, encompassing more than 14,000 log sources, thousands of detection rules, and hundreds of log source types.

CardinalOps calculated that actual detection coverage is far below what most organizations expect and what SOCs are expected to provide. Worse, organizations are often unaware of the gap between the theoretical coverage they assume they have and the actual coverage they obtain in practice.

The three categories of log source that are ingested by the SIEM but not used for any detections are identity sources, SaaS productivity suites such as Office 365 and G Suite, and cloud infrastructure log sources. In fact, three-quarters of organizations that send identity log sources such as Active Directory (AD) and Okta to their SIEM do not use them for any detection use case. This represents a significant opportunity to increase detection coverage from one of the most critical log sources for strengthening zero trust.

The latest CardinalOps research provides readers with a series of best-practice recommendations to help CISOs and detection engineering teams address these challenges and be more intentional about how detection coverage is measured and continuously improved over time. These recommendations are based on the experience of CardinalOps' in-house security team and SIEM experts, including Dr. Anton Chuvakin, a former vice president and distinguished analyst at Gartner Research.
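The two gaps described above (ATT&CK techniques with no detection, and log sources ingested but referenced by no rule) can both be measured from the SIEM's own rule inventory. The following is an added illustration, not code from the CardinalOps report or any SIEM vendor: the rule names, log-source names and the "top techniques" list are constructed, while the ATT&CK technique IDs are real.

```python
# Added example: a minimal detection-coverage audit over a SIEM rule inventory.
# All rule and log-source records below are constructed for illustration.

# Constructed sample: log sources currently ingested by the SIEM (hypothetical names).
INGESTED_SOURCES = {"windows_security", "okta", "azure_ad", "o365", "aws_cloudtrail", "firewall"}

# Constructed sample: enabled detection rules, each tagged with the log source it
# queries and the ATT&CK technique IDs it is meant to detect.
RULES = [
    {"name": "psexec_service_install", "source": "windows_security", "techniques": {"T1569.002"}},
    {"name": "new_scheduled_task", "source": "windows_security", "techniques": {"T1053.005"}},
    {"name": "outbound_to_rare_port", "source": "firewall", "techniques": {"T1571"}},
    {"name": "powershell_encoded_cmd", "source": "windows_security", "techniques": {"T1059.001"}},
]

# Constructed stand-in for a prioritised "top techniques" list used as the coverage target.
TOP_TECHNIQUES = {"T1059.001", "T1053.005", "T1569.002", "T1078", "T1110", "T1566", "T1021.001"}


def technique_coverage(rules, wanted):
    """Return (covered, missing): which of the `wanted` techniques any rule claims to detect."""
    covered = set()
    for rule in rules:
        covered |= rule["techniques"]
    return covered & wanted, wanted - covered


def unused_log_sources(rules, ingested):
    """Log sources that are ingested (and paid for) but referenced by no detection rule."""
    used = {rule["source"] for rule in rules}
    return ingested - used


def coverage_report(rules, ingested, wanted):
    """Summarise the gap between assumed and actual coverage for a rule inventory."""
    covered, missing = technique_coverage(rules, wanted)
    return {
        "coverage_pct": round(100 * len(covered) / len(wanted), 1),
        "missing_techniques": sorted(missing),
        "unused_sources": sorted(unused_log_sources(rules, ingested)),
    }


if __name__ == "__main__":
    print(coverage_report(RULES, INGESTED_SOURCES, TOP_TECHNIQUES))
```

On the sample data the identity and cloud sources (okta, azure_ad, o365, aws_cloudtrail) show up as ingested but unused, which is exactly the pattern the report highlights.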

Read the full report by CardinalOps.
