CardinalOps report finds broken rules in SIEM systems increase cyberattack risks
A new report out today from artificial intelligence-powered security engineering startup CardinalOps Ltd. reveals some disturbing insights into the state of security information and event management detection risk.
The CardinalOps third annual report on the state of SIEM detection risk analyzed real-world data from major production SIEMs such as Splunk, Microsoft Sentinel, IBM QRadar and Sumo Logic to understand the existing vulnerabilities of these systems. The assessment included data from across various industries, including banking, insurance and manufacturing.
Leading the list of findings in the report was the limited ability of these systems to detect cyberthreats. Using the MITRE ATT&CK framework as a baseline, the report found that the detection coverage of enterprise SIEMs is far below the expected standards. SIEMs can detect only about a quarter of all MITRE ATT&CK techniques, leaving organizations without detections for the majority of techniques an attacker could use.
The report also discusses the issue of data ingestion in SIEMs, finding that the systems are ingesting sufficient data to potentially cover 94% of all MITRE ATT&CK techniques. However, the report notes, the process of developing new detections to reduce backlogs and quickly cover detection gaps suffers from manual and error-prone methodologies. The report suggests that automation could facilitate faster development of more effective detections. It should be noted that CardinalOps provides solutions in that realm.
Another point in the report addresses the issue of broken rules in SIEMs. Approximately 12% of the SIEM rules were found to be broken, meaning they would never generate an alert because of data quality issues such as misconfigured data sources and missing fields. Broken rules increase the risk of attacks going undetected, because the coverage the SIEM appears to have on paper is larger than the coverage it actually delivers.
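The two findings above, broken rules and the gap between claimed and real ATT&CK coverage, can be checked with a simple rule-health pass. The following is an added example written for this article; it is not CardinalOps' tooling or any SIEM vendor's API. It assumes a constructed rule catalogue (the data source each rule queries, the fields it filters on and the ATT&CK technique IDs it is mapped to) and a constructed sample of recently ingested events per source. A rule is reported as broken when its source has ingested nothing or when a field it depends on appears in none of the sampled events, and coverage is then recomputed using only the rules that can actually fire.

```python
"""Rule health and ATT&CK coverage check.

Added example, not CardinalOps' tooling or any SIEM vendor's API. It assumes a
constructed rule catalogue (source queried, fields filtered on, mapped ATT&CK
technique IDs) and a constructed sample of recently ingested events per source.
"""

# Constructed sample of recently ingested events, keyed by data source.
# Note the "sysmon" source is referenced by a rule but nothing arrived from it.
EVENTS = {
    "windows_security": [
        {"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
         "SubjectUserName": "alice"},
        {"EventID": 4624, "LogonType": 10, "SubjectUserName": "bob"},
    ],
    "proxy": [
        {"url": "http://example.test/report", "status": 200, "bytes_out": 512},
    ],
}

# Constructed rule catalogue. Technique IDs are ATT&CK identifiers; the rule
# names and field lists are illustrative.
RULES = [
    {"name": "cmd_from_office", "source": "windows_security",
     "fields": ["EventID", "NewProcessName", "ParentProcessName"],
     "techniques": ["T1059.003"]},
    {"name": "rdp_logon", "source": "windows_security",
     "fields": ["EventID", "LogonType"], "techniques": ["T1021.001"]},
    {"name": "large_upload", "source": "proxy",
     "fields": ["url", "bytes_out"], "techniques": ["T1567"]},
    {"name": "lsass_access", "source": "sysmon",
     "fields": ["EventID", "TargetImage"], "techniques": ["T1003.001"]},
]

# Constructed list of techniques the organisation considers relevant to it.
RELEVANT = ["T1059.003", "T1021.001", "T1567", "T1003.001", "T1566.001"]


def check_rule(rule, events_by_source):
    """Return a list of reasons the rule cannot fire; empty means healthy.

    A field counts as missing only if no sampled event from the rule's source
    carries it, since optional fields legitimately vary between event types.
    """
    problems = []
    sample = events_by_source.get(rule["source"], [])
    if not sample:
        problems.append(f"no events ingested from source '{rule['source']}'")
        return problems
    seen = set()
    for event in sample:
        seen.update(event.keys())
    missing = [f for f in rule["fields"] if f not in seen]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    return problems


def broken_rules(rules, events_by_source):
    """Map each broken rule's name to its list of problems."""
    report = {}
    for rule in rules:
        problems = check_rule(rule, events_by_source)
        if problems:
            report[rule["name"]] = problems
    return report


def coverage(rules, events_by_source, relevant):
    """Compare claimed ATT&CK coverage with coverage from rules that can fire."""
    broken = broken_rules(rules, events_by_source)
    claimed, effective = set(), set()
    for rule in rules:
        claimed.update(rule["techniques"])
        if rule["name"] not in broken:
            effective.update(rule["techniques"])
    relevant_set = set(relevant)
    return {
        "claimed": claimed,
        "effective": effective,
        "claimed_fraction": len(claimed & relevant_set) / len(relevant_set),
        "effective_fraction": len(effective & relevant_set) / len(relevant_set),
    }


if __name__ == "__main__":
    for name, problems in broken_rules(RULES, EVENTS).items():
        print(f"BROKEN {name}: {'; '.join(problems)}")
    cov = coverage(RULES, EVENTS, RELEVANT)
    print(f"claimed {cov['claimed_fraction']:.0%}, "
          f"effective {cov['effective_fraction']:.0%}")
```

On the constructed data, two of the four rules are broken: one filters on a field no sampled event carries, the other queries a source that has stopped sending logs. Claimed coverage of the relevant techniques is 80% but effective coverage is 40%, which is the kind of gap the report describes. In a real deployment the event sample would come from the SIEM's own search API over a recent window, and a rule with zero hits over that window is worth the same scrutiny as one with missing fields.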
“These findings illustrate a simple truth: Most organizations don’t have good visibility into their MITRE ATT&CK coverage and are struggling to get the most from their existing SIEMs,” said CardinalOps co-founder and Chief Executive Michael Mumcuoglu. “This is important because preventing breaches starts with having the right detections in your SIEM – according to the adversary techniques most relevant to your organization – and ensuring they’re actually working as intended.”