Enterprises lack detections for more than three-quarters of all MITRE ATT&CK techniques, while 12% of SIEM rules are broken and will never fire due to data quality issues, including misconfigured data sources and missing fields.
These were among the results of a CardinalOps report which analyzed real-world data from production SIEMs including from Splunk, Microsoft Sentinel, IBM QRadar and Sumo Logic.
The data covered more than 4,000 detection rules, nearly one million log sources and hundreds of unique log source types, spanning industry verticals ranging from banking and financial services to manufacturing and energy.
The study also indicated that while organizations are implementing “detection-in-depth”—collecting data from multiple security layers including Windows endpoints and email—monitoring of containers lags behind.
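The "broken rule" failure mode the report describes (a rule whose log source has stopped ingesting, or whose query references a field the source no longer emits) is something a detection team can check for continuously. The following rule-health audit is an added illustration, not code from the report or the article; every rule, log source, event and field name in it is constructed sample data.

```python
"""Rule-health audit: flag SIEM detection rules that can never fire because
their log source is not ingesting or the fields they filter on are absent."""
from collections import defaultdict

# Constructed sample rules: log source, fields the query references, and the
# ATT&CK technique the rule is meant to cover.
RULES = [
    {"name": "PowerShell encoded command", "source": "windows_sysmon",
     "fields": {"Image", "CommandLine"}, "technique": "T1059.001"},
    {"name": "Container exec detected", "source": "k8s_audit",
     "fields": {"verb", "objectRef.subresource"}, "technique": "T1609"},
    {"name": "Suspicious inbox rule", "source": "o365_exchange",
     "fields": {"Operation", "UserId"}, "technique": "T1114.003"},
]

# Constructed sample events: windows_sysmon now ships 'process.command_line'
# instead of 'CommandLine' (field rename), and k8s_audit sends nothing at all.
EVENTS = [
    {"source": "windows_sysmon", "Image": "powershell.exe",
     "process.command_line": "-enc ..."},
    {"source": "o365_exchange", "Operation": "New-InboxRule",
     "UserId": "alice@example.test"},
]


def observed_fields(events):
    """Map each log source to the union of field names seen in its events."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["source"]].update(k for k in ev if k != "source")
    return seen


def audit_rules(rules, events):
    """Return {rule name: reason} for every rule that cannot fire."""
    seen = observed_fields(events)
    broken = {}
    for rule in rules:
        if rule["source"] not in seen:
            broken[rule["name"]] = f"no events from source {rule['source']}"
        elif missing := rule["fields"] - seen[rule["source"]]:
            broken[rule["name"]] = f"missing fields: {sorted(missing)}"
    return broken


def effective_coverage(rules, events):
    """ATT&CK techniques still covered once broken rules are discounted."""
    broken = audit_rules(rules, events)
    return {r["technique"] for r in rules if r["name"] not in broken}
```

Running `audit_rules(RULES, EVENTS)` against a recent window of real events (rather than the constructed sample) turns the report's 12% figure into a per-rule list that can be fixed, and `effective_coverage` shows which ATT&CK techniques are nominally covered but actually blind.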
Mike Parkin, senior technical engineer at Vulcan Cyber, said the biggest issue he sees is the number of “broken rules” that will never trigger an event.
“While some of them are undoubtedly edge cases that would have been unlikely to trigger an event in any case, many are almost certainly the result of misconfiguration or broken logic,” he said.
John Gallagher, vice president of Viakoo Labs at Viakoo, said two study findings were particularly concerning.
“While it is encouraging to see there is already sufficient data to detect 94% of potential MITRE ATT&CK techniques, it raises the question of what the missing 6% is and how impactful such attacks might be,” he said.
For example, if the missing 6% resulted in catastrophic damage (e.g., an IoT attack vector that is highly damaging), it might put more focus on achieving higher than 94% coverage.
He added that “security layers” is a term defined by CardinalOps and is useful for organizations to plan resources and strategies tailored to their specific environment. “However, it includes containers but not IoT/OT, which seems like a significant oversight,” Gallagher noted.
For example, IoT/OT is used by almost all organizations (more than the 68% who reported using containers) and is less covered by a security layer within their SIEM than containers are.
“Lack of high-fidelity data and complexity of gaining telemetry is true of both containers and IoT/OT, and more detection capability is needed for both,” he explained.
Parkin pointed out that the challenge for organizations isn’t so much a lack of detection capability as a lack of clean correlation and prioritization capabilities.
“The report implies that there is already enough data to detect the threats, but the events aren’t being brought together,” he said.
Parkin said that until organizations can get a clear picture of their threat surfaces, manage their risk and prioritize events to focus on what matters most, there will be problems.
“We have the tools to make it happen,” he said. “But it can be a challenge to get them deployed and configured for best effect.”
Gallagher noted that, as recommended in section 9.4 of the report, having a focus on automation is critical to achieving goals with limited human and financial resources.
“This includes expanding automated detection to include IoT/OT attack vectors, as well as having plans already in place for automated threat remediation,” he said. He added that the challenge is that the attack surface has grown well past what the IT organization can support or manage.
Gallagher pointed out that manufacturing, facilities, physical security, logistics and other functional parts of the organization have large numbers of vulnerable network-connected devices.
“To defend and maintain the integrity of those assets requires IT working closely with other parts of the organization to ensure those assets are visible, operational, and secure,” he said.
He noted that threat actors are highly skilled at focusing their efforts on exploits that are hard to detect, hard to defend against and hard to remediate.
“This can be seen by the increased volume and velocity of DDoS attacks from botnet armies,” he said. “Those botnets are often placed in and managed from IoT/OT devices that lack detection and remediation capabilities. Inability to detect is directly tied to ability to breach.”
Parkin added that cybersecurity professionals are already dealing with massive volumes of event data, and it can be difficult to know how to correlate it all into something actionable.
“Our tools are supposed to do it for us, preferably without requiring a lot of customization,” he said. “But therein lies the problem. We’re each operating in a unique environment with its own challenges, tools, threat surface and appetite for risk, and it’s hard for any tool to figure it out without a lot of help.”