"Study Reveals Alarming Gap in SIEM Detection of Adversary Techniques"

According to security researchers at CardinalOps, enterprise Security Information and Event Management (SIEM) solutions are falling short when it comes to detecting and countering cyber threats. During the study, the researchers examined over 4000 detection rules, one million log sources, and various unique log source types from production SIEMs, including Splunk, Microsoft Sentinel, IBM QRadar, and Sumo Logic. They found that SIEMs detect only 24% of the techniques listed in the MITRE ATT&CK framework, leaving organizations exposed to ransomware attacks, data breaches, and other cyber threats.

The researchers also found that SIEMs already ingest enough data to potentially cover 94% of all MITRE ATT&CK techniques. However, inefficient manual processes for developing new detections, together with data quality issues, prevent organizations from achieving better coverage. Mike Parkin, a senior technical engineer at Vulcan Cyber, stated that the challenge here appears to be not so much a lack of detection capability as a lack of clean correlation and prioritization capabilities. Parkin noted that until organizations can get a clear picture of their threat surfaces, manage their risk, and prioritize events to focus on what matters most, there will be problems.

The researchers at CardinalOps also found that 12% of all SIEM rules are broken due to data quality problems, such as missing fields or misconfigured log sources, heightening the risk of undetected attacks. They noted that while enterprises are increasingly implementing "detection-in-depth" strategies by collecting data from various security layers, monitoring of containers lags behind other layers, with only 32% of SIEMs tracking them.
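The three figures in the study (active coverage, potential coverage from data already ingested, and the share of rules broken by data quality) can all be computed from a rule inventory. The following is an added illustration, not code from CardinalOps or the report: it models each detection rule as a set of ATT&CK technique IDs plus the log source and event fields it depends on, marks a rule as broken when its source is not ingested or a required field is absent, and then compares what the healthy rules cover against what the ingested sources could cover. The technique-to-source catalog, the rule names, and the field lists are constructed sample data and are hypothetical.

```python
"""Added example: ATT&CK coverage and rule-health check for a SIEM rule inventory.

All rules, log sources and the SOURCE_CATALOG below are constructed sample
data for illustration; they are not taken from the CardinalOps study.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class LogSource:
    name: str
    fields: FrozenSet[str]  # fields actually populated in ingested events


@dataclass(frozen=True)
class DetectionRule:
    name: str
    techniques: FrozenSet[str]      # ATT&CK technique IDs the rule is meant to detect
    log_source: str                 # log source the rule queries
    required_fields: FrozenSet[str]  # fields the rule's logic relies on


# Constructed (hypothetical) mapping: technique IDs that each log source type
# could in principle support a detection for.
SOURCE_CATALOG: Dict[str, FrozenSet[str]] = {
    "windows_security": frozenset({"T1110", "T1053", "T1078"}),
    "sysmon": frozenset({"T1059", "T1053", "T1105"}),
    "k8s_audit": frozenset({"T1609", "T1610"}),
}

# Constructed sample: what this SIEM actually ingests. Note k8s_audit is absent
# (the container-monitoring gap) and windows_security lacks the TaskName field.
SAMPLE_SOURCES: Dict[str, LogSource] = {
    "windows_security": LogSource("windows_security",
                                  frozenset({"EventID", "TargetUserName", "IpAddress"})),
    "sysmon": LogSource("sysmon", frozenset({"EventID", "Image", "CommandLine"})),
}

# Constructed sample rule inventory.
SAMPLE_RULES: List[DetectionRule] = [
    DetectionRule("Suspicious PowerShell", frozenset({"T1059"}),
                  "sysmon", frozenset({"Image", "CommandLine"})),
    DetectionRule("Brute-force logons", frozenset({"T1110"}),
                  "windows_security", frozenset({"EventID", "TargetUserName", "IpAddress"})),
    DetectionRule("Scheduled task creation", frozenset({"T1053"}),
                  "windows_security", frozenset({"EventID", "TaskName"})),
    DetectionRule("Container exec", frozenset({"T1609"}),
                  "k8s_audit", frozenset({"verb", "resource"})),
]


def broken_rules(rules: List[DetectionRule],
                 ingested: Dict[str, LogSource]) -> List[Tuple[str, str]]:
    """Return (rule name, reason) for rules that cannot fire on the ingested data."""
    problems = []
    for rule in rules:
        src = ingested.get(rule.log_source)
        if src is None:
            problems.append((rule.name, f"log source '{rule.log_source}' not ingested"))
            continue
        missing = rule.required_fields - src.fields
        if missing:
            problems.append((rule.name, "missing fields: " + ", ".join(sorted(missing))))
    return problems


def active_coverage(rules: List[DetectionRule],
                    ingested: Dict[str, LogSource]) -> Set[str]:
    """Techniques covered by rules that are actually healthy."""
    broken = {name for name, _ in broken_rules(rules, ingested)}
    covered: Set[str] = set()
    for rule in rules:
        if rule.name not in broken:
            covered |= rule.techniques
    return covered


def potential_coverage(ingested: Dict[str, LogSource],
                       catalog: Dict[str, FrozenSet[str]]) -> Set[str]:
    """Techniques the ingested sources could support, regardless of rules written."""
    covered: Set[str] = set()
    for name in ingested:
        covered |= catalog.get(name, frozenset())
    return covered


def coverage_report(rules: List[DetectionRule], ingested: Dict[str, LogSource],
                    catalog: Dict[str, FrozenSet[str]]) -> dict:
    """Summarize active vs. potential coverage and the broken-rule ratio."""
    universe: Set[str] = set().union(*catalog.values())
    active = active_coverage(rules, ingested)
    potential = potential_coverage(ingested, catalog)
    broken = broken_rules(rules, ingested)
    return {
        "technique_count": len(universe),
        "active_pct": round(100 * len(active & universe) / len(universe), 1),
        "potential_pct": round(100 * len(potential & universe) / len(universe), 1),
        "broken_rule_pct": round(100 * len(broken) / len(rules), 1),
        "broken": broken,
        # Techniques the data could cover but no healthy rule does: the backlog.
        "gap": sorted(potential - active),
    }


if __name__ == "__main__":
    for key, value in coverage_report(SAMPLE_RULES, SAMPLE_SOURCES, SOURCE_CATALOG).items():
        print(f"{key}: {value}")
```

On the sample data the report shows the same shape the study describes: the healthy rules cover far fewer techniques than the ingested sources could, two of the four rules are silently broken (one by a missing field, one by a source that is not ingested at all), and the "gap" list is the detection-engineering backlog that could be closed without onboarding any new data.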


Infosecurity reports: "Study Reveals Alarming Gap in SIEM Detection of Adversary Techniques"
