SECURITY
A new report out today from artificial intelligence-powered security engineering startup CardinalOps Ltd. reveals some disturbing insights into the state of security information and event management, or SIEM, detection risk.
The CardinalOps third annual report on the state of SIEM detection risk analyzed real-world data from major production SIEMs, including Splunk, Microsoft Sentinel, IBM QRadar and Sumo Logic, to understand the weaknesses in these deployments. The assessment covered organizations in various industries, including banking, insurance and manufacturing.
Leading the list of findings was the inability of these systems to detect cyberthreats broadly enough. Using the MITRE ATT&CK framework as a baseline, the report found that the detection coverage of enterprise SIEMs is far below expected standards: SIEMs can detect only about a quarter of all MITRE ATT&CK techniques, leaving organizations exposed to the majority of potential cyberattacks.
The report also discusses data ingestion in SIEMs, finding that the systems already ingest enough data to potentially cover 94% of all MITRE ATT&CK techniques. However, the report notes, the process of developing new detections to reduce backlogs and quickly close detection gaps still relies on manual and error-prone methods. The report suggests that automation could speed the development of more effective detections. It should be noted that CardinalOps sells products in that space.
Another point in the report addresses broken rules in SIEMs. Approximately 12% of SIEM rules were found to be broken, meaning they would never alert because of data quality issues such as misconfigured data sources and missing fields. Broken rules increase the risk of attacks going undetected.
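As an added illustration of the broken-rule and coverage findings (this is example code, not the report's or CardinalOps' own tooling), the check below flags rules that reference fields never present in ingested events and then computes ATT&CK coverage counting only rules that can actually fire. The rule format, event format and the small sample of events are constructed assumptions.

```python
"""Detection-rule health check: find rules that can never alert because the data
they query is missing, then measure ATT&CK coverage with only working rules.
Added example; rule/event schema and sample data are constructed, not real."""
from collections import Counter

# Constructed rules: the fields each query needs and the ATT&CK technique it covers.
RULES = [
    {"name": "suspicious_powershell", "fields": {"process_name", "command_line"}, "technique": "T1059.001"},
    {"name": "new_scheduled_task", "fields": {"event_id", "task_name"}, "technique": "T1053.005"},
    {"name": "brute_force_logon", "fields": {"event_id", "logon_type", "src_ip"}, "technique": "T1110"},
    {"name": "dns_tunnelling", "fields": {"query_name", "query_length"}, "technique": "T1071.004"},
]

# Constructed sample of ingested events (one dict per parsed log line). The scheduled-task
# source is misconfigured and drops "task_name"; the DNS source is not onboarded at all.
EVENTS = [
    {"source": "sysmon", "process_name": "powershell.exe", "command_line": "Get-Process"},
    {"source": "winlog", "event_id": 4698},
    {"source": "winlog", "event_id": 4625, "logon_type": 3, "src_ip": "10.0.0.5"},
]


def observed_fields(events):
    """Every field name seen in the ingested sample, with how often each appears."""
    counts = Counter(key for event in events for key in event)
    return set(counts), counts


def broken_rules(rules, events):
    """Map rule name -> sorted list of required fields that never appear in the data.
    A rule in this map cannot alert regardless of what the adversary does."""
    seen, _ = observed_fields(events)
    return {r["name"]: sorted(r["fields"] - seen) for r in rules if r["fields"] - seen}


def coverage(rules, events, techniques):
    """Fraction of the given ATT&CK techniques covered by at least one working rule."""
    broken = broken_rules(rules, events)
    covered = {r["technique"] for r in rules if r["name"] not in broken}
    return len(covered & set(techniques)) / len(techniques)


if __name__ == "__main__":
    print("broken:", broken_rules(RULES, EVENTS))
    print("coverage:", coverage(RULES, EVENTS, ["T1059.001", "T1053.005", "T1110", "T1071.004", "T1566"]))
```

Running the same check against a real field inventory exported from the SIEM is what turns the report's 12% figure into a concrete list of rules to repair.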
“These findings illustrate a simple truth: Most organizations don’t have good visibility into their MITRE ATT&CK coverage and are struggling to get the most from their existing SIEMs,” said CardinalOps co-founder and Chief Executive Michael Mumcuoglu. “This is important because preventing breaches starts with having the right detections in your SIEM – according to the adversary techniques most relevant to your organization – and ensuring they’re actually working as intended.”