CardinalOps Report: Broken Rules in SIEM Systems Heighten Cyberattack Risks

Highlights:

• The evaluation included information from numerous industries, including manufacturing, insurance, and banking.
• About 12% of the SIEM rules were broken in the report, which meant that users would not be alerted due to problems with the data quality.

A new report from CardinalOps Ltd., a security engineering startup powered by artificial intelligence, offers some unsettling data about security information risk and event management detection.

To understand the current vulnerabilities of these systems, the CardinalOps third annual report on the state of SIEM detection risk examined real-world data from important production SIEMs like Microsoft Sentinel, Splunk, IBM QRadar, and Sumo Logic. Data from various industries, including manufacturing, insurance, and banking, were included in the assessment.

The inability of these systems to recognize cyberthreats was the report’s key finding. The report discovered that the detection coverage of enterprise SIEMs is significantly below the anticipated standards using the MITRE ATT and amp;CK framework as a baseline. SIEMs are susceptible to most potential cyberattacks because they can only identify about a quarter of MITRE ATT and amp;CK techniques.

The report also addresses the issue of data ingestion in SIEMs and concludes that the systems are potentially ingesting enough data to cover 94% of all MITRE ATT and amp;CK techniques. The report points out that manual and error-prone methodologies make it difficult to develop new detections that will cut down on backlogs and quickly fill detection gaps. According to the report, automation could speed up the creation of more accurate detections. It is important to know that CardinalOps offers solutions in that area.

The report also discusses the problem of broken rules in SIEMs. About 12% of the SIEM rules were discovered invalid, which means they failed to notify users of data quality problems like incorrectly configured data sources and missing fields. Attacks are more likely to go undetected as a result of the broken rules.

Co-founder and Chief Executive of CardinalOps, Michael Mumcuoglu, said, “These findings illustrate a simple truth: Most organizations don’t have good visibility into their MITRE ATT and amp;CK coverage and are struggling to get the most from their existing SIEMs. This is important because preventing breaches starts with having the right detections in your SIEM – according to the adversary techniques most relevant to your organization – and ensuring they’re actually working as intended.”