Enterprise SIEMs Missing High Number of MITRE ATT&CK Techniques
New CardinalOps research shows security information and event management (SIEM) solutions aren’t detecting 80% of MITRE ATT&CK adversary techniques.
MITRE ATT&CK is the industry-standard catalog of common adversary behaviors based on real-world observations. The analysis shows actual detection coverage remains far below what most organizations expect. Moreover, many organizations are unaware of the gap between their assumed theoretical security and the defenses they actually have in place.
The data set for this analysis spanned diverse SIEM solutions encompassing more than 14,000 log sources, thousands of detection rules, and hundreds of log source types. The SIEMs in the data set also spanned diverse industry verticals, including financial services, manufacturing, telecommunications, and MSSP/MDR service providers.
Using MITRE ATT&CK as the baseline, CardinalOps found that, on average:
- Enterprise SIEMs contain detections for fewer than five of the top 14 ATT&CK techniques employed by adversaries in the wild.
- SIEMs are missing detections for 80% of the complete list of 190-plus ATT&CK techniques.
- Fifteen percent of SIEM rules are broken. That’s primarily due to fields that are not extracted correctly or log sources that are not sending the required data.
- Seventy-five percent of organizations that forward identity logs such as Active Directory and Okta to their SIEM do not use them. That’s concerning because identity monitoring is one of the most critical data sources for strengthening zero trust.
- Seventy-five percent of out-of-the-box detection content provided by SIEM vendors is disabled due to noisiness and customization challenges experienced by detection engineering teams.
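As an added illustration (not CardinalOps' tooling or data), the following Python audit computes the three measurements the findings above describe on a constructed rule set: rules whose required fields are never extracted from their log source, forwarded log sources that no rule consumes, and ATT&CK coverage counted first from every rule on the books and then only from rules that are enabled and actually fed the fields they need. The rule names, log sources, observed fields and the priority technique list are constructed assumptions.

```python
# Constructed sample data, not the CardinalOps data set: a few detection rules
# mapped to ATT&CK technique IDs, and the fields each log source actually
# delivers after parsing (what a SIEM field-extraction audit would report).
RULES = [
    {"name": "Suspicious PowerShell", "technique": "T1059.001", "enabled": True,
     "source": "windows_sysmon", "fields": {"Image", "CommandLine"}},
    {"name": "Okta MFA push fatigue", "technique": "T1621", "enabled": False,
     "source": "okta", "fields": {"eventType", "outcome.result"}},
    {"name": "New service installed", "technique": "T1543.003", "enabled": True,
     "source": "windows_security", "fields": {"EventID", "ServiceFileName"}},
]
OBSERVED_FIELDS = {
    "windows_sysmon": {"Image", "CommandLine", "ParentImage"},
    "windows_security": {"EventID", "TargetUserName"},  # ServiceFileName never extracted
    "okta": {"eventType", "outcome.result"},
    "active_directory": {"EventID", "TargetUserName"},  # forwarded, but no rule reads it
}
# Constructed priority list standing in for the report's "top techniques".
PRIORITY_TECHNIQUES = ["T1059.001", "T1078", "T1543.003", "T1621", "T1566.001"]


def broken_rules(rules, observed):
    """Rules referencing a field their log source never delivers -> missing fields."""
    result = {}
    for rule in rules:
        missing = rule["fields"] - observed.get(rule["source"], set())
        if missing:
            result[rule["name"]] = sorted(missing)
    return result


def unused_sources(rules, observed):
    """Log sources being ingested that no detection rule consumes."""
    referenced = {rule["source"] for rule in rules}
    return sorted(set(observed) - referenced)


def coverage(rules, observed, techniques, effective=True):
    """Covered techniques and their fraction of `techniques`. effective=False counts
    every rule (assumed coverage); effective=True only enabled, non-broken rules."""
    broken = broken_rules(rules, observed)
    covered = set()
    for rule in rules:
        if effective and (not rule["enabled"] or rule["name"] in broken):
            continue
        covered.add(rule["technique"])
    hits = sorted(covered & set(techniques))
    return hits, len(hits) / len(techniques)
```

On this sample, `coverage(..., effective=False)` reports three of the five priority techniques covered, while the effective count drops to one once the disabled Okta rule and the rule missing `ServiceFileName` are discounted; that difference is the assumed-versus-actual gap the report describes.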
These major gaps in detection coverage can be attributed to a number of challenges faced by security operations centers (SOCs) and their detection engineering teams. At the top of the list is constant change in the threat landscape, organizational attack surfaces, and business priorities, combined with increasing complexity resulting from an ever-increasing number of log source types and telemetry from diverse data sources.
Difficulty in recruiting and retaining skilled security personnel is also a major factor. And many enterprises are still relying on manual and error-prone processes for developing new detections, which makes it difficult for engineering teams to scale effectively and reduce their backlogs, according to CardinalOps.
Michael Mumcuoglu is CardinalOps’ CEO and co-founder.
“Our goal with creating this report was not to shame security teams for having blind spots, but rather to draw management-level attention to the disparity between perceived security and actual detection quality and coverage, using MITRE ATT&CK as the benchmark,” he said. “If we’re spending all this time and money on more security tools, why are we still being hacked? We believe the answer lies in the need to apply automation and analytics to identify and fix misconfigurations in existing tools, as well as remediate the riskiest detection gaps, in order to free detection engineers to focus on more strategic activities such as investigating new and novel attack scenarios.”