CardinalOps released its Third Annual Report on the State of SIEM Detection Risk.
The report analyzes real-world data from production SIEMs - including
Splunk, Microsoft Sentinel, IBM QRadar, and Sumo Logic - covering more than
4,000 detection rules, nearly one million log sources, and hundreds of unique
log source types.
The data spans diverse industry verticals including banking
and financial services, insurance, manufacturing, energy, media &
telecommunications, professional & legal services, and MSSP/MDRs.
Assessing and Strengthening SIEM Effectiveness
According to industry analysts, the SIEM continues to be the
"operating system of the SOC" and is not going away anytime soon.
However, most organizations face the challenge of how to
continuously assess and strengthen the effectiveness of their existing SIEMs,
using standard frameworks like MITRE ATT&CK to measure their readiness to detect
the highest-priority threats. This is a major challenge because organizations
have to grapple with constant change in adversary techniques plus constantly
expanding attack surfaces, combined with the difficulty of hiring and retaining
skilled detection engineers.
These challenges are clearly illustrated in data from this
year's SIEM Detection Risk report. Using MITRE ATT&CK as the baseline, CardinalOps found
that, on average:
- Actual detection coverage remains far below what most organizations expect: Enterprise SIEMs only have detections for 24% of all MITRE ATT&CK techniques. That means they're missing detections for around three-quarters of all techniques that adversaries use to deploy ransomware, steal sensitive data, and execute other cyberattacks.
- SIEMs don't need more data: SIEMs are already ingesting sufficient data to potentially cover 94% of all MITRE ATT&CK techniques. But many enterprises are still relying on manual and error-prone processes for developing new detections, making it difficult to reduce their backlogs and act quickly to plug detection gaps. A more effective strategy would be to scale SIEM detection engineering processes to develop more detections faster, via automation.
- Broken rules are also common: 12% of SIEM rules are broken and will never fire due to data quality issues such as misconfigured data sources and missing fields - resulting in increased risk of breach due to undetected attacks.
- Organizations are implementing "detection-in-depth" - but monitoring of containers lags behind: Enterprise SIEMs are following best practices and collecting data from multiple security layers such as Windows endpoints (96%), network (96%), IAM (96%), Linux/Mac (87%), cloud (83%), and email (78%). But monitoring of containers lags far behind other layers at only 32%, despite Red Hat data showing that 68% of organizations are running containers. This low number could be because it's challenging for detection engineers to write high-fidelity detections to uncover anomalous behavior in these highly dynamic environments.
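The three headline numbers above (actual coverage, potential coverage, and the share of broken rules) all come from comparing a rule inventory against what the SIEM is actually ingesting. The Python below is an added example, not CardinalOps' tooling or data: the rules, source types, field names and technique-to-source mappings are constructed to show how the metrics are computed and, more usefully, how the gap between "data is present" and "a working rule exists" can be itemized.

```python
"""Detection posture metrics: actual vs. potential ATT&CK coverage and broken rules.

Added example with constructed data. Source types, field names and the
technique mappings are illustrative, not taken from any vendor's content.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Set


@dataclass(frozen=True)
class Rule:
    name: str
    techniques: FrozenSet[str]       # ATT&CK technique IDs the rule is mapped to
    source_type: str                 # log source type the rule's search runs against
    required_fields: FrozenSet[str]  # fields the rule's logic filters or groups on


# Constructed inventory of what the SIEM actually receives: source type -> fields present.
# "kube:audit" is deliberately absent: a rule written for it can never fire.
INGESTED_FIELDS: Dict[str, Set[str]] = {
    "WinEventLog:Security": {"EventCode", "Account_Name", "Logon_Type", "Process_Name"},
    "aws:cloudtrail": {"eventName", "userIdentity.arn", "sourceIPAddress"},
    "linux:auditd": {"type", "comm", "exe", "uid"},
}

# Constructed mapping of which techniques each source type could support in principle.
DETECTABLE_FROM: Dict[str, Set[str]] = {
    "WinEventLog:Security": {"T1078", "T1110", "T1059.001", "T1543.003"},
    "aws:cloudtrail": {"T1078.004", "T1530", "T1098"},
    "linux:auditd": {"T1059.004", "T1053.003"},
    "kube:audit": {"T1610", "T1611"},
}

# The techniques we measure against; T1200 is not detectable from any of these sources.
TECHNIQUE_UNIVERSE: FrozenSet[str] = frozenset().union(*DETECTABLE_FROM.values()) | {"T1200"}

RULES = [
    Rule("Brute-force logon failures", frozenset({"T1110"}), "WinEventLog:Security",
         frozenset({"EventCode", "Account_Name"})),
    # Broken: the search keys on a command-line field the endpoints never send
    # (e.g. command-line auditing not enabled in the process-creation events).
    Rule("Encoded PowerShell launch", frozenset({"T1059.001"}), "WinEventLog:Security",
         frozenset({"EventCode", "Process_Command_Line"})),
    Rule("New service installed", frozenset({"T1543.003"}), "WinEventLog:Security",
         frozenset({"EventCode", "Process_Name"})),
    # Broken: the MFA attribute is not among the fields that source actually delivers.
    Rule("Console login without MFA", frozenset({"T1078.004"}), "aws:cloudtrail",
         frozenset({"eventName", "additionalEventData.MFAUsed"})),
    Rule("S3 bucket made public", frozenset({"T1530"}), "aws:cloudtrail",
         frozenset({"eventName"})),
    # Broken: the source type itself was never onboarded.
    Rule("Privileged container created", frozenset({"T1610"}), "kube:audit",
         frozenset({"verb", "objectRef.resource"})),
    Rule("Cron job modified", frozenset({"T1053.003"}), "linux:auditd",
         frozenset({"type", "comm"})),
]


def broken_reason(rule: Rule, ingested: Dict[str, Set[str]]) -> str:
    """Return why a rule can never fire, or '' if it is healthy.

    A rule is broken in the report's sense when the SIEM is not receiving the
    data it queries: the source type is not ingested, or a field the logic
    depends on is absent from what that source sends.
    """
    fields = ingested.get(rule.source_type)
    if fields is None:
        return f"source type {rule.source_type!r} not ingested"
    missing = sorted(rule.required_fields - fields)
    if missing:
        return f"missing fields {missing} in {rule.source_type!r}"
    return ""


def posture(rules: Iterable[Rule], ingested: Dict[str, Set[str]],
            detectable_from: Dict[str, Set[str]], universe: FrozenSet[str]) -> dict:
    """Compute actual coverage, potential coverage, broken-rule ratio and the itemized gap."""
    rules = list(rules)
    broken = {r.name: broken_reason(r, ingested) for r in rules}
    broken = {name: why for name, why in broken.items() if why}
    working = [r for r in rules if r.name not in broken]
    # Actual coverage counts only techniques behind rules that can really fire.
    covered = set().union(*(r.techniques for r in working)) & universe
    # Potential coverage counts techniques supportable by data already ingested.
    potential = set().union(*(techs for src, techs in detectable_from.items()
                              if src in ingested)) & universe
    return {
        "actual_coverage": len(covered) / len(universe),
        "potential_coverage": len(potential) / len(universe),
        "broken_rule_ratio": len(broken) / len(rules),
        "broken": broken,
        # Data is present but no working rule uses it: the backlog to work from.
        "data_present_no_working_rule": sorted(potential - covered),
    }


if __name__ == "__main__":
    result = posture(RULES, INGESTED_FIELDS, DETECTABLE_FROM, TECHNIQUE_UNIVERSE)
    for key in ("actual_coverage", "potential_coverage", "broken_rule_ratio"):
        print(f"{key:>20}: {result[key]:.1%}")
    for name, why in result["broken"].items():
        print(f"BROKEN  {name}: {why}")
    print("gap (ingested, no working rule):", result["data_present_no_working_rule"])
```

On the constructed inventory this reports 33.3% actual coverage against 75.0% potential coverage, with 3 of 7 rules broken; the itemized gap separates techniques that already have a rule which merely needs its data fixed (the PowerShell and MFA rules) from techniques with data present but no rule at all, which is the distinction a detection backlog should be prioritized on.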
"These findings illustrate a simple truth: most
organizations don't have good visibility into their MITRE ATT&CK coverage
and are struggling to get the most from their existing SIEMs,"
said Michael Mumcuoglu, CEO and Co-Founder at CardinalOps. "This is
important because preventing breaches starts with having the right detections
in your SIEM - according to the adversary techniques most relevant to your
organization - and ensuring they're actually working as intended. Based on the
experience of our enterprise customers, leveraging automation and detection
posture management are critical capabilities for achieving this."
To help organizations address their detection challenges,
the 2023 CardinalOps report also includes a series of best practices to help
SOC teams measure and continuously improve the robustness of their detection
posture over time.
You can download the full report here.