SIEM tools need boost in cyber threat detection capabilities

June 15, 2024

TLDR:

Only 19% of MITRE ATT&CK techniques leveraged by threat actors could be detected by major enterprise SIEM tools, despite the presence of data that could allow the identification of 87% of such techniques. Misconfigured data sources and incomplete fields hindered the functionality of 18% of analyzed SIEM rules. The study from CardinalOps attributed SIEM detection gaps to an expanding attack surface, more sophisticated attack techniques, and persistent use of manual processes.

A recent study found that major enterprise security information and event management (SIEM) tools are lagging behind in their cyber threat detection capabilities. Only 19% of the MITRE ATT&CK techniques used by threat actors could be detected by popular SIEM tools from vendors such as Microsoft, Splunk, IBM, and Sumo Logic, even though the data already being ingested could in principle allow 87% of these techniques to be identified.

The study by CardinalOps revealed that misconfigured data sources and incomplete fields were contributing factors that hindered the functionality of 18% of the analyzed SIEM rules. The gaps in SIEM detection capabilities were attributed to the increasing complexity of cyber threats, an expanding attack surface, and the continued reliance on manual processes.
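The "misconfigured data sources and incomplete fields" finding is something a detection engineer can check directly: a rule that references a field its log source never populates can never fire. The following is an added illustration, not CardinalOps' methodology or any vendor's code; the rules, field names and sample events are constructed, and the ATT&CK technique IDs are only illustrative labels.

```python
"""Audit whether SIEM detection rules reference fields that the ingested
telemetry actually populates. Constructed example for illustration."""

# Constructed rules: each names the log source it consumes, the fields its
# logic references, and the ATT&CK technique it is meant to cover.
RULES = [
    {"name": "encoded_powershell", "source": "windows_process",
     "fields": ["process.command_line", "process.name"], "technique": "T1059.001"},
    {"name": "lsass_access", "source": "windows_process",
     "fields": ["process.target.name", "process.access_mask"], "technique": "T1003.001"},
    {"name": "rdp_from_outside", "source": "firewall",
     "fields": ["dst.port", "src.ip"], "technique": "T1021.001"},
]

# Constructed sample events as they look after parsing. The process source
# never populates process.access_mask, and the firewall feed is absent entirely.
EVENTS = [
    {"source": "windows_process", "process.command_line": "powershell -enc AAA=",
     "process.name": "powershell.exe", "process.target.name": "lsass.exe"},
    {"source": "windows_process", "process.command_line": "notepad.exe",
     "process.name": "notepad.exe"},
]

def fields_seen(events):
    """Map each log source to the set of fields that actually appear in its events."""
    seen = {}
    for ev in events:
        seen.setdefault(ev["source"], set()).update(k for k in ev if k != "source")
    return seen

def audit_rules(rules, events):
    """Return {rule_name: missing fields}; a source with no events lists every field."""
    seen = fields_seen(events)
    report = {}
    for rule in rules:
        have = seen.get(rule["source"], set())
        report[rule["name"]] = [f for f in rule["fields"] if f not in have]
    return report

def broken_fraction(report):
    """Share of rules that reference at least one field the telemetry never provides."""
    broken = sum(1 for missing in report.values() if missing)
    return broken / len(report) if report else 0.0

if __name__ == "__main__":
    rep = audit_rules(RULES, EVENTS)
    for name, missing in rep.items():
        print(name, "OK" if not missing else f"cannot fire, missing {missing}")
    print(f"{broken_fraction(rep):.0%} of rules hindered by data gaps")
```

Running the audit against the constructed data flags two of the three rules as unable to fire, which is the kind of silent coverage gap the study describes.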

Tamir Passi, the Senior Product Director at DoControl, noted that the disparity between the capabilities and detection coverage of SIEM systems poses a significant challenge for security operations centers worldwide. Passi suggested that companies should consider using purpose-built systems for detection, such as SaaS Security Posture Management and Cloud Security Posture Management, to address the shortcomings of SIEM tools.
