Virtualization Technology News and Information
Enterprise SIEMs Cover Only 19% of MITRE ATT&CK Techniques Used by Adversaries

CardinalOps released its Fourth Annual Report on the State of SIEM Detection Risk. The report analyzes more than 3,000 detection rules, 1.2 million log sources and hundreds of unique log source types from real-world SIEM instances across Splunk, Microsoft Sentinel, IBM QRadar, and Sumo Logic.

Using MITRE ATT&CK as the baseline, CardinalOps found that on average:

  • A lack of data is not what is holding SIEMs back - organizations have the potential to cover 87% of all MITRE ATT&CK techniques with the data they are already ingesting in their SIEM

  • Multiple SIEM environments are on the rise - 43% of organizations reported two or more SIEMs in production

  • Nearly 1 in 5 SIEM rules are broken - 18% of SIEM rules will never fire because of common issues such as misconfigured data sources or missing fields

  • Detections are lagging current attack methods - enterprise SIEMs have detections for only 38 (19%) of the 201 techniques in the MITRE ATT&CK v14 framework
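The three figures above (rules that can never fire, techniques actually covered, techniques that could be covered with data already ingested) are all checks a SOC can run against its own rule inventory. The script below is an added example, not CardinalOps' methodology or code: it represents each rule in a simplified declarative form (log source, referenced fields, ATT&CK tags), compares it with the fields the SIEM actually ships per log source, flags rules that reference a missing field or a non-onboarded source, and then counts ATT&CK coverage at the technique level (sub-technique IDs roll up to their parent, matching the 201-technique baseline). All rule names, field names, log sources and the technique-to-data map are constructed for illustration.

```python
"""Audit SIEM detection rules against ingested fields and measure ATT&CK coverage.

Added example; not CardinalOps' code. Every rule, log source, field and the
DETECTABLE_WITH map below are constructed for illustration only.
"""
from dataclasses import dataclass

ATTACK_V14_TECHNIQUES = 201  # technique count cited in the report


@dataclass(frozen=True)
class Rule:
    name: str
    log_source: str            # log source type the rule queries
    required_fields: frozenset  # fields the query references
    techniques: frozenset       # ATT&CK IDs the rule is tagged with


# Constructed inventory: log source type -> fields present in ingested events.
INGESTED_FIELDS = {
    "windows_security": frozenset({"EventID", "SubjectUserName", "TargetUserName", "LogonType"}),
    "sysmon": frozenset({"EventID", "Image", "CommandLine", "ParentImage"}),
    "dns": frozenset({"query", "client_ip", "rcode"}),
}

# Constructed rule set. Two rules are broken in the ways the report describes:
# one references fields its source does not ship, one queries a source that is
# not onboarded at all. Neither can ever fire.
RULES = [
    Rule("brute_force_logon", "windows_security",
         frozenset({"EventID", "TargetUserName", "LogonType"}), frozenset({"T1110"})),
    Rule("encoded_powershell", "sysmon",
         frozenset({"Image", "CommandLine"}), frozenset({"T1059.001", "T1027"})),
    Rule("lsass_access", "sysmon",                      # fields missing from sysmon feed
         frozenset({"TargetImage", "GrantedAccess"}), frozenset({"T1003.001"})),
    Rule("dns_tunnel", "dns",
         frozenset({"query", "client_ip"}), frozenset({"T1071.004"})),
    Rule("proxy_c2_beacon", "proxy",                    # 'proxy' source not ingested
         frozenset({"url", "bytes_out"}), frozenset({"T1071.001"})),
]

# Constructed map: technique -> alternative (source, fields) combinations that
# would suffice to write a detection. Drives the *potential* coverage figure.
DETECTABLE_WITH = {
    "T1110": [("windows_security", {"EventID", "TargetUserName"})],
    "T1059.001": [("sysmon", {"CommandLine"})],
    "T1027": [("sysmon", {"CommandLine"})],
    "T1003.001": [("sysmon", {"TargetImage", "GrantedAccess"})],
    "T1071.004": [("dns", {"query"})],
    "T1071.001": [("proxy", {"url"})],
    "T1053.005": [("windows_security", {"EventID"}), ("sysmon", {"Image", "CommandLine"})],
    "T1566.001": [("email_gateway", {"attachment_hash"})],
}


def technique(tid: str) -> str:
    """Roll a sub-technique ID (T1059.001) up to its parent technique (T1059)."""
    return tid.split(".")[0]


def audit_rules(rules, ingested=INGESTED_FIELDS) -> dict:
    """Return {rule name: reason} for every rule that can never fire."""
    broken = {}
    for r in rules:
        if r.log_source not in ingested:
            broken[r.name] = f"log source '{r.log_source}' not ingested"
            continue
        missing = r.required_fields - ingested[r.log_source]
        if missing:
            broken[r.name] = f"missing fields: {sorted(missing)}"
    return broken


def actual_coverage(rules, ingested=INGESTED_FIELDS) -> set:
    """Techniques covered by rules that are actually capable of firing."""
    broken = audit_rules(rules, ingested)
    return {technique(t) for r in rules if r.name not in broken for t in r.techniques}


def potential_coverage(detectable=DETECTABLE_WITH, ingested=INGESTED_FIELDS) -> set:
    """Techniques for which at least one sufficient (source, fields) set is already ingested."""
    covered = set()
    for tid, options in detectable.items():
        if any(src in ingested and fields <= ingested[src] for src, fields in options):
            covered.add(technique(tid))
    return covered


def report(rules=RULES, detectable=DETECTABLE_WITH, ingested=INGESTED_FIELDS,
           universe=ATTACK_V14_TECHNIQUES) -> dict:
    """Summarise the three metrics the report cites: broken rules, actual and potential coverage."""
    broken = audit_rules(rules, ingested)
    covered = actual_coverage(rules, ingested)
    potential = potential_coverage(detectable, ingested)
    pct = lambda n, d: round(100.0 * n / d, 1)
    return {
        "rules": len(rules), "broken": len(broken), "broken_pct": pct(len(broken), len(rules)),
        "covered": len(covered), "covered_pct": pct(len(covered), universe),
        "potential": len(potential), "potential_pct": pct(len(potential), universe),
        "broken_rules": broken,
    }


if __name__ == "__main__":
    for k, v in report().items():
        print(f"{k}: {v}")
```

In a real deployment the `required_fields` set would be extracted from each rule's query (SPL, KQL, AQL) and `INGESTED_FIELDS` from the SIEM's field inventory or a schema query per source type; the gap between `covered` and `potential` is the list of techniques a team could detect without onboarding any new data.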

"These findings highlight the difficulty that organizations face in building and maintaining effective detection coverage," said Yair Manor, CTO and Co-Founder at CardinalOps. "Security teams continue to struggle with getting the most out of their SIEM and worse, often falsely believe that they are protected when in reality they are at great risk."

To help organizations address their detection challenges, the 2024 CardinalOps report also includes a series of best practices to help SOC teams measure and continuously improve the robustness of their detection posture over time.

Published Friday, June 14, 2024 7:43 AM by David Marshall