CISOs and security operations teams attempting to protect enterprise networks, data and assets face growing complexity. The constantly increasing attack surface, number of data sources, attack vectors, and correlation rules create the Gordian’s Knot of security.
Companies are constantly adding, retiring, and upgrading different log source types – while at the same time adding new detections for the latest threats and vulnerabilities and changing specific monitoring targets and exclusions. Adding another layer to untangle, newly integrated IT applications or security tools create massive volumes of new data and log sources which in turn create new security alerts and potential new vulnerabilities.
Why CISOs can’t untangle the web
In theory, a CISO can rely on a SOC to function as the central nervous system of the organization’s security – the one place they can turn to gain some peace of mind, or at least rely on to report if something goes wrong. But for most SecOps teams their SIEM – whether it’s Splunk, Microsoft Sentinel or IBM QRadar –
has hundreds of detection rules that have been added over time, multiplying the number of alerts that fire each day. With the SOC receiving thousands or even tens of thousands of alerts per day, SOC teams don’t always know which detection alert rules are functioning properly, or even how many may have broken and are nonfunctional. Without this crucial visibility, CISOs don’t know where the gaps are and the SOC cannot make an accurate report to the CISO.
SOC teams are stuck with data that’s hard to ingest, yet are in a position where they have no room for error. Attackers only need a single weak link. As adversaries continually evolve their attack vectors, it’s rapidly becoming clear that the traditional, static SIEM processes are woefully under-equipped to handle these progressively growing challenges. Manual, ad-hoc processes are highly error-prone and make it difficult to effectively scale and maintain high-quality detections.
Our internal research shows that 15% of SIEM alert rules are broken and will never fire – most often because of misconfigured data sources and missing fields. This creates a false sense of security, where security teams and CISOs think they’re protected – but only discover that isn’t true when the red team (or worse, an adversary) finds the hidden gap in their defenses and exploits it.
Cut through the complexity
As leaders, CISOs are responsible for getting ahead of this evolving threat landscape and must prepare their teams and organizations. However, it’s important to acknowledge that no “one-size-fits-all” approach exists — the landscape constantly changes, and all enterprises are unique, making it impractical to copy-and-paste generic content. So, how can CISOs drive success for their teams and protect their organization?
The MITRE ATT&CK framework has become a standard for measuring attack preparedness, but SOC teams often find this even difficult to measure. Security pros say they have a hard time visualizing the framework and it’s even harder to communicate to other members of the C-suite. With no easy way to map current threat detection coverage to the MITRE ATT&CK standard, it’s easy for blind spots to exist.
In fact, actual detection coverage remains far below what most organizations expect and what SOCs are expected to provide. Based on our research, enterprise SIEM rules only address five of the top 14 MITRE ATT&CK techniques used by adversaries in the wild, and enterprises are missing detections for 80% of all MITRE ATT&CK techniques.
Leading the charge – measurement and visibility
It's clear that organizations, and CISOs specifically, need to become more intentional about detection fidelity and coverage in their SOCs. They need to think about what their SIEM rules are detecting, and if they have use cases for the adversary techniques most relevant to their organizations. Do they actually work? Do they help SOC analysts effectively triage and respond?
CISOs should establish processes to continuously identify, prioritize and remediate gaps in their security monitoring and threat coverage to detect anomalous activity across the MITRE ATT&CK framework. Use cases are the core of security monitoring activities – a structured process to identify, prioritize, implement, and maintain use cases allows organizations to align monitoring efforts to security strategy, choose the best solutions and maximize the value obtained from their security monitoring tools.
Prioritizing these efforts based on technologies and infrastructure that either host or deliver access to the organization's crown jewels, their most valuable data or assets – and the adversary techniques most likely used against them – are the most effective and result in the highest ROI in terms of both threat coverage and asset protection.
Cutting the Gordian Knot – processes and automation
To fight a continuously growing enemy, security teams must adopt continuous improvement. At the end of the day, cyber threat detection processes are no different than other security and IT management processes. As IT modernizes and uses DevOps and SRE approaches, so should the SOC. Visibility and accurate measurement of key performance indicators are important. Many SOC metrics – focused on people, process, and technology – are needed for consistent improvement. CISOs should focus on bringing automated, repeatable, and consistent processes to detection engineering.
Automation and AI are real options that can help CISOs and SOC teams cut through the storm of data. By enhancing visibility and eliminating broken rules and noise, these technologies can help turn this wealth of data from an obstacle into an asset. With the ability to see which rules are working and which are not, and by enabling the automatic deployment of new rules, security teams can leverage the vast array of log sources delivered by various IT and security applications into better protection for the network and the organization.
It's clear from recent studies that SIEM systems will continue to increase in complexity when it comes to detection engineering and management. Therefore, – we view the integration of AI and automation into detection engineering as an inevitability. Staying ahead of constant change in the attack surface and threat landscape will require a platform that’s easy to implement and continuously delivers new detection content and metrics. It will also need to continuously identify and remediate broken rules and misconfigured log sources. This will help the CISO and their SOC teams to proactively close the riskiest detection gaps that leave their organization exposed.
Michael Mumcuoglu, chief executive officer, CardinalOps