
SIEMs not detecting a huge percentage of MITRE ATT&CK techniques

(“MITRE Welcome” by tracktwentynine is licensed under CC BY-NC-SA 2.0.)

CardinalOps on Wednesday released its second annual report, which found that enterprise security information and event management systems (SIEMs) contain detections for fewer than five of the top 14 MITRE ATT&CK techniques employed by adversaries in the wild.

The report added that SIEMs are missing detections for 80% of the more than 190 techniques in the full ATT&CK list, and that 15% of SIEM rules are broken and will never fire, primarily because the fields they reference are not extracted correctly or the log sources they query are not sending the required data.

Another pressing issue: Only 25% of organizations that forward identity logs such as Active Directory and Okta to their SIEM actually use them in their detection rules, a concern because identity monitoring has become one of the most critical data sources for strengthening zero trust.
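The two failure modes above (rules that can never fire because a field is never extracted or a source sends nothing, and identity sources that are forwarded but never queried) are straightforward to audit if the rule set is expressed as data. The script below is an added example written for this article, not CardinalOps' or any SIEM vendor's code. The rule definitions, the sampled events and the priority technique list are constructed for illustration (the ATT&CK IDs are real technique identifiers, but the list is not the report's top 14); a real audit would pull both from the SIEM's rule store and its ingestion API.

```python
"""Audit SIEM detection rules against what the log pipeline actually delivers."""
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    source: str                          # log source the rule queries
    fields: frozenset                    # field names the rule's logic references
    techniques: frozenset = frozenset()  # ATT&CK technique IDs the rule claims to cover


# Constructed sample of recently ingested events per forwarded source, keyed by the
# field names the SIEM parser actually extracted. "sysmon" is configured as a source
# but sent nothing in the sampling window. Illustrative data, not a real tenant.
SAMPLE_EVENTS = {
    "windows_security": [
        {"EventID": "4688", "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
         "CommandLine": "cmd.exe /c whoami", "SubjectUserName": "alice"},
        {"EventID": "4624", "TargetUserName": "alice", "LogonType": "10"},
    ],
    "okta": [
        {"eventType": "user.session.start", "actor.alternateId": "alice@example.com",
         "outcome.result": "FAILURE", "client.ipAddress": "198.51.100.7"},
    ],
    "active_directory": [
        {"EventID": "4768", "TargetUserName": "svc-backup", "IpAddress": "10.0.0.5",
         "TicketEncryptionType": "0x17"},
    ],
    "sysmon": [],
}

# Constructed rule set. Two of the four are broken in the ways the report describes.
RULES = [
    Rule("Suspicious cmd.exe spawn", "windows_security",
         frozenset({"NewProcessName", "CommandLine"}), frozenset({"T1059.003"})),
    # References "ParentProcessName", which this parser never extracts.
    Rule("Office spawning shell", "windows_security",
         frozenset({"ParentProcessName", "NewProcessName"}), frozenset({"T1566.001"})),
    # Queries a source that is configured but not sending.
    Rule("LSASS access", "sysmon",
         frozenset({"TargetImage", "GrantedAccess"}), frozenset({"T1003.001"})),
    Rule("Kerberoasting", "active_directory",
         frozenset({"EventID", "TicketEncryptionType"}), frozenset({"T1558.003"})),
]

# Constructed priority list; stands in for whatever techniques the SOC has decided matter.
PRIORITY_TECHNIQUES = frozenset({"T1059.003", "T1003.001", "T1558.003", "T1078", "T1566.001"})


def audit_rules(rules, events_by_source):
    """Classify each rule as healthy or broken, with the reason it would never fire."""
    broken, healthy = {}, []
    for rule in rules:
        events = events_by_source.get(rule.source, [])
        if not events:
            broken[rule.name] = f"source '{rule.source}' sent no events in the sample"
            continue
        # A field counts as extracted if at least one sampled event carries it;
        # demanding it on every event would flag fields only some event types have.
        extracted = set().union(*(e.keys() for e in events))
        missing = sorted(rule.fields - extracted)
        if missing:
            broken[rule.name] = f"fields never extracted from '{rule.source}': {missing}"
            continue
        healthy.append(rule.name)
    return healthy, broken


def unused_sources(rules, events_by_source):
    """Sources the pipeline forwards that no rule ever queries (e.g. identity logs)."""
    referenced = {r.source for r in rules}
    return sorted(s for s in events_by_source if s not in referenced)


def technique_coverage(rules, priority_techniques, events_by_source):
    """Claimed coverage (every rule counts) versus effective coverage (healthy rules only)."""
    healthy, _ = audit_rules(rules, events_by_source)
    claimed = set().union(*(r.techniques for r in rules))
    effective = set().union(*(r.techniques for r in rules if r.name in healthy))
    return {
        "claimed": sorted(claimed & priority_techniques),
        "effective": sorted(effective & priority_techniques),
        "uncovered": sorted(priority_techniques - effective),
    }


if __name__ == "__main__":
    ok, bad = audit_rules(RULES, SAMPLE_EVENTS)
    print("healthy:", ok)
    for name, why in bad.items():
        print(f"BROKEN  {name}: {why}")
    print("forwarded but unused:", unused_sources(RULES, SAMPLE_EVENTS))
    print(technique_coverage(RULES, PRIORITY_TECHNIQUES, SAMPLE_EVENTS))
```

The point of separating "claimed" from "effective" coverage is the one the report makes: a rule tagged with a technique looks like coverage on a dashboard, but if its source is silent or its field is never parsed, the technique is uncovered in practice. Running the audit on a schedule, against a fresh event sample, also catches rules that break later when a parser or forwarder changes.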

Although enterprises invest lots of time and money in their SOCs, they're still being compromised, said Yair Manor, co-founder and CTO at CardinalOps. Manor said SIEMs are complex to configure, new log sources are constantly being added, and detection engineers find themselves struggling to keep up with the latest vulnerabilities and MITRE ATT&CK techniques.

“As in other areas of the SOC, like incident response, leveraging analytics and automation is one way to make the SOC more effective and get better utilization from the existing security stack,” Manor said.

Andrew Barratt, vice president at Coalfire, said his teams are frequently called in to investigate data compromise events. He said the lack of data in SIEMs has become quite staggering.

“There are still many large organizations that don’t do enough basic logging — let alone model their data sources across the MITRE ATT&CK framework unless they’re using an endpoint tool that actively does that out-of-the-box,” Barratt said. “The more we can attribute the ATT&CK framework’s context to our data sources, the more meaningful our SOC staff’s work. The only challenge it leads to is the bad actor just has to create a new attack pattern that we’re not looking for. That’s when it’s useful to have AI analyzing this data set.”
