UPDATED 09:00 EST / JUNE 13 2024

SECURITY

Report finds enterprise SIEM tools are underperforming in cyberthreat detection

A new report out today from artificial intelligence-powered security engineering startup CardinalOps Ltd. has found that enterprise security information and event management tools are falling short in detecting cyberthreats.

The report, based on the analysis of 3,000 detection rules and 1.2 million log sources from major SIEMs, including Splunk Inc., Microsoft Sentinel, IBM QRadar and Sumo Logic Inc., found that the tools cover only 19% of MITRE ATT&CK techniques, despite having the data to potentially cover 87%.

MITRE ATT&CK is a comprehensive framework that categorizes various tactics, techniques and procedures used by cyber adversaries — a playbook for understanding and defending against different types of cyberattacks. The current MITRE ATT&CK v14 framework covers 201 techniques, but the enterprise SIEMs tested have detections for only 38 of them.

Of the SIEM rules analyzed, 18% were found to be ineffective as they have issues such as misconfigured data sources or missing fields. This means that these rules won’t trigger alerts, leaving possible threats undetected.

The reasons for the gap between the expected coverage and the actual coverage range from the complexity of ever-changing environments creating an expanding attack surface to a continued reliance on manual processes to new and advanced adversary techniques.

The report argues that between endpoint, network, cloud, email, identity and access management and other security tools, security teams are often overwhelmed trying to keep track of each tool’s log format, event type and alert types, which are needed to craft the unique detections for each.

The findings are noted as shining a light on there being no “one-size-fits-all” principle that can be applied to implementing SIEM detections. Since every organization is different when it comes to information technology environments, regulatory requirements, team structures and SIEM processes, copy-and-paste, out-of-the-box detection content from SIEM vendors, managed service security providers, open-source communities and marketplaces doesn’t always work.

The report also found that multiple SIEM environments are on the rise as 43% of organizations reported two or more SIEMs in productions.

“The findings in the CardinalOps report highlight a critical issue in the cybersecurity landscape: the significant gap between SIEM systems’ capabilities and the actual detection coverage they provide,” Tamir Passi, senior product director at software-as-a-service security solution provider DoControl Inc., told SiliconANGLE. “This gap underscores a fundamental challenge for security operations centers worldwide. Fact is, SIEMs are too much of a Swiss army knife. This is why companies should be using purpose-built systems for detection such as SaaS Security Posture Management and Cloud Security Posture Management.”

Image: SiliconANGLE/Ideogram

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU