Report: 80% of cyberattack techniques evade detection by SIEMs

We are excited to bring Transform 2022 back in-person July 19 and virtually July 20 – 28. Join AI and data leaders for insightful talks and exciting networking opportunities. Register today!

According to a new report by CardinalOps, on average, enterprise SIEMs are missing detections for 80% of all MITRE ATT&CK techniques and only address five of the top 14 ATT&CK techniques employed by adversaries in the wild.

CardinalOps’ second annual report on the state of SIEM detection risk analyzed data from production SIEM instances, including Splunk, Microsoft Sentinel, and IBM QRadar, to better understand security team readiness to spot the latest techniques in MITRE ATT&CK, the industry-standard catalog of common adversary behaviors based on real-world observations. This is significant because detecting malicious activity early in the intrusion lifecycle is a crucial factor in stopping material impact to the business.

Rather than rely on subjective survey-based data, CardinalOps analyzed configuration data from real-world production SIEM instances to gain visibility into the current state of threat detection coverage in modern Security Operations Centers (SOCs). These organizations represent multibillion dollar, multinational corporations, which makes this one of the largest recorded samples of actual SIEM data analyzed to date, encompassing more than 14,000 log sources, thousands of detection rules and hundreds of log source types.

Using the nearly 200 adversary techniques in MITRE ATT&CK as the baseline, CardinalOps found that actual detection coverage remains far below what most organizations expect and what SOCs are expected to provide. The analysis demonstrates that actual detection coverage remains far below what most organizations expect, and, even worse, organizations are often unaware of the gap between the theoretical security they assume they have and the actual security they get in practice, creating a false impression of their detection posture.

The top three log sources that are ingested by the SIEM, but not being used for any detections, are identity sources; SaaS productivity suites such as Office 365 and G Suite; and cloud infrastructure log sources. In fact, 3/4 of organizations that forward identity log sources to their SIEM, such as Active Directory (AD) and Okta, do not use them for any detection use cases. This appears to be a major opportunity to enhance detection coverage for one of the most critical log sources for strengthening zero trust.

The latest CardinalOps research provides readers with a series of best practice recommendations to help CISOs and detection engineering teams address these challenges, and be more intentional about how detection coverage is measured and continuously improved over time. These recommendations are based on the experience of CardinalOps in-house security team and SIEM experts, including Dr. Anton Chuvakin, head of security solution strategy at Google Cloud, and former VP and distinguished analyst at Gartner Research.

Read the full report by CardinalOps.

VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Learn more about membership.

See all articles in Insights

Similar Posts