Cybersecurity is an arms race, pure and simple. As one side enhances its offensive capabilities, the other must respond in kind by improving its defenses. Thus, as threat actors became increasingly skilled at circumventing perimeter security through phished or brute-forced credentials, or vulnerability exploitation, network defenders responded by focusing more attention on detection and response. This is where Security Information and Event Management (SIEM) came in.
There’s just one problem. New research highlights what many IT security teams have known for some time: some of the most popular tools on the market have shockingly low detection rates for common attack techniques. This makes it even more important that organizations ensure their most sensitive data assets are encrypted.
Why do organizations rely on SIEM?
SIEM solutions have been around for over 15 years. They’re designed to collect large volumes of event log data from a wide range of disparate assets, including applications, devices, servers and users. They then run analytics on this data in real-time to identify any patterns of suspicious behavior which might indicate threat actor activity inside the network. Over the years, SIEM vendors have added improved visualization, support for data extraction from cloud systems, and automated remediation, among other things.
SIEM tools are meant to make the job of under-pressure security operations (SecOps) analysts easier, by automatically sifting through large volumes of data from various enterprise systems to spot patterns that human eyes might miss. The addition of security orchestration, automation and response (SOAR) capabilities in more modern offerings further takes the pressure off by streamlining response workflows.
However, SIEM is certainly not a silver bullet.
SIEM is letting security teams down
SIEM already had a bad reputation among some organizations which find it expensive and time-consuming to configure and manage, and prone to overwhelming analysts with alerts. However, new research finds another issue: SIEM tools on average miss 76% of all common (MITRE ATT&CK) techniques used by threat actors.
The study by CardinalOps analyzed real-world data collected from some of the biggest SIEM vendors out there—covering more than 4000 detection rules, nearly one million log sources and hundreds of unique log source types. It found:
- SIEMs only detect around a quarter (24%) of MITRE ATT&CK techniques used in data breaches, ransomware attacks and other threat activity
- Data volume is not a problem: SIEMs already ingest enough to cover potentially 94% of MITRE ATT&CK techniques. However, enterprises are slow to develop new detections in their tooling
- 12% of SIEM rules are broken due to data quality issues like misconfigured data sources and missing fields, meaning they will never work
- Although most SIEMs collect data from assets such as Windows endpoints (96%), networks (96%), Linux/macOS systems (87%) and cloud systems (83%), few do so from containers (32%), which are a growing area of risk exposure
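To make the "broken rules" finding concrete, here is an added example (not from the article or the CardinalOps study) of a rule-health check a SOC could run: it compares the fields each detection rule depends on with the fields actually present in ingested events, and flags rules that can never fire because a field or an entire log source is missing. The event samples, rule definitions and source names are constructed; the ATT&CK technique ids are real, but the rule-to-technique mapping is illustrative.

```python
from collections import defaultdict

# Constructed sample events, shaped like what a SIEM ingests from three log sources.
SAMPLE_EVENTS = [
    {"source": "windows_security", "EventID": 4625, "TargetUserName": "svc", "IpAddress": "10.0.0.5"},
    {"source": "windows_security", "EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.0.0.9"},
    {"source": "linux_auth", "process": "sshd", "message": "Failed password for root"},
    {"source": "container_runtime", "image": "nginx:1.25", "action": "start"},
]

# Constructed rules: the source and fields each rule's logic depends on, plus the ATT&CK
# technique it is meant to cover (technique ids are real; the rule-to-technique mapping is illustrative).
RULES = [
    {"name": "Windows password spraying", "source": "windows_security",
     "fields": ["EventID", "TargetUserName", "IpAddress"], "technique": "T1110"},
    {"name": "Logon from unknown workstation", "source": "windows_security",
     "fields": ["EventID", "WorkstationName"], "technique": "T1078"},  # field never ingested
    {"name": "SSH root login attempts", "source": "linux_auth",
     "fields": ["process", "message"], "technique": "T1110"},
    {"name": "Suspicious cron entry", "source": "linux_cron",
     "fields": ["command"], "technique": "T1053"},  # source never ingested
]

def observed_fields(events):
    """Map each log source to the union of field names actually seen in its events."""
    seen = defaultdict(set)
    for event in events:
        seen[event["source"]].update(k for k in event if k != "source")
    return seen

def check_rules(rules, events):
    """Return {rule name: (status, missing fields)}; status is ok, missing_fields or no_source."""
    seen = observed_fields(events)
    report = {}
    for rule in rules:
        if rule["source"] not in seen:
            report[rule["name"]] = ("no_source", list(rule["fields"]))
            continue
        missing = sorted(f for f in rule["fields"] if f not in seen[rule["source"]])
        report[rule["name"]] = ("missing_fields" if missing else "ok", missing)
    return report

def technique_coverage(rules, events):
    """Split claimed ATT&CK techniques into those a working rule covers and those only broken rules claim."""
    report = check_rules(rules, events)
    working = {r["technique"] for r in rules if report[r["name"]][0] == "ok"}
    return working, {r["technique"] for r in rules} - working

if __name__ == "__main__":
    for name, (status, missing) in check_rules(RULES, SAMPLE_EVENTS).items():
        print(f"{status:15} {name} {missing if missing else ''}")
    print("covered / only claimed:", technique_coverage(RULES, SAMPLE_EVENTS))
```

This check only looks at field presence; a rule can still be silently broken when a field is ingested but arrives empty or unparsed, so a production version should also sample field values.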
Back to basics
So what does this tell us about enterprise cybersecurity strategies? Certainly, there’s still value in layering up defenses with preventative measures and detection and response capabilities. But the failure of a tool which has for years been the mainstay of the Security Operations Center (SOC) should be cause for concern. It reinforces the need for organizations to protect what matters most: their data.
How should they do so? By choosing tools like comforte’s Data Security Platform, which continuously and automatically discovers and classifies data wherever it’s located in the enterprise, and then applies strong protection. Comforte offers multiple protection technologies including tokenization, which enables organizations to continue using their data for purposes such as analytics without compromising on security. The platform will find data that organizations never even knew existed and ensure it’s kept safe from harm.
That way, even if threat actors slip past the SIEM undetected and get inside the network, they will have nothing of any value to steal.