At the heart of SOCs, SIEM tools can present gaps

Security information and event management (SIEM) systems remain the pillar of a security operations center (SOC), recalls the Israeli vendor CardinalOps in a recent study devoted to this information-system protection tool. The report focuses in particular on evaluating the detection coverage of current SOCs. To do this, a mass of configuration data from different SIEM tools in production (including Splunk and Microsoft Cardinal) was combed through, covering more than 10,000 detection rules and more than 1.2 million log sources over a period of four years.

To measure the effective reach of SIEM tools against cyber threats, the study relies on MITRE’s ATT&CK framework, which, according to CardinalOps, is used by most companies and today describes more than 500 techniques and sub-techniques used by the main cybercriminal groups.

The results of this analysis reveal that 81% of MITRE ATT&CK techniques are not detected by SIEMs in production. In fact, SOCs cover on average only 38 of 201 techniques, or 19% of the techniques potentially used by malicious actors. Yet nearly nine out of ten SIEMs were found to already collect enough data to cover all techniques. The solution would therefore lie not in collecting more data, but in adjusting detection engineering processes.

According to CardinalOps, 18% of SIEM rules are broken and never fire, because of common issues such as misconfigured data sources and missing fields. These problems often stem from constant changes to the IT infrastructure, changes to log formats by vendors, and logic or clerical errors made when writing the rules.
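The two failure modes just described (a rule whose data source sends nothing, and a rule whose fields no longer exist after a vendor changed the log format) can be caught before they silently cost coverage. The following rule health check is an added example, not code from the article or from CardinalOps; the rule names, sources, field names and sample events are all constructed.

```python
# Constructed sample: three detection rules, each mapped to the ATT&CK technique it covers,
# the data source it reads and the fields its logic depends on.
RULES = [
    {"name": "ps_scriptblock", "technique": "T1059.001",
     "source": "wineventlog:powershell", "fields": ["ScriptBlockText"]},
    {"name": "rdp_lateral", "technique": "T1021.001",
     "source": "wineventlog:security", "fields": ["LogonType", "IpAddress"]},
    {"name": "proxy_beacon", "technique": "T1071.001",
     "source": "proxy", "fields": ["dest_host", "bytes_out"]},  # source never onboarded
]

# Constructed sample of what the SIEM actually indexed, keyed by source.
# The security log was switched to a new format: "IpAddress" is now "SourceAddress".
SAMPLE_EVENTS = {
    "wineventlog:powershell": [{"ScriptBlockText": "Get-Process", "Computer": "ws01"}],
    "wineventlog:security": [{"LogonType": "10", "SourceAddress": "10.0.0.5"}],
}


def rule_health(rules, events):
    """Return {rule_name: reason} for every rule that can never fire on the indexed data."""
    problems = {}
    for rule in rules:
        evs = events.get(rule["source"])
        if not evs:  # misconfigured or missing data source: no events at all
            problems[rule["name"]] = f"data source '{rule['source']}' has no events"
            continue
        seen = set().union(*(e.keys() for e in evs))
        missing = [f for f in rule["fields"] if f not in seen]
        if missing:  # field renamed or dropped by a log-format change
            problems[rule["name"]] = f"fields {missing} absent from '{rule['source']}'"
    return problems


def attack_coverage(rules, problems, total_techniques):
    """Techniques covered by at least one healthy rule, and that count as a percentage."""
    covered = {r["technique"] for r in rules if r["name"] not in problems}
    return covered, round(100 * len(covered) / total_techniques, 1)


if __name__ == "__main__":
    broken = rule_health(RULES, SAMPLE_EVENTS)
    for name, why in broken.items():
        print(f"NEVER FIRES: {name}: {why}")
    techniques, pct = attack_coverage(RULES, broken, 201)
    print(f"healthy rules cover {len(techniques)} of 201 techniques ({pct}%)")
```

Counting only healthy rules toward coverage is the point: a rule that exists in the SIEM but references a missing field contributes nothing to the 38-of-201 figure.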

The analysis of a specialist in French-speaking Switzerland

These results do not surprise the specialist contacted by the editorial staff. According to David Routin, SOC manager at the French-speaking Swiss service provider e-Xpert Solutions SA, many MITRE ATT&CK techniques are not detected because the conditions defined in the framework very often correspond to legitimate activity in companies (many MITRE ATT&CK rules relate, for example, to the use of PowerShell). “It is essential to understand that although detecting 100% of the techniques in the MITRE ATT&CK framework is technically possible, the real challenge lies in the ability to effectively filter false positives to avoid unnecessarily overburdening the security team,” observes the expert. He goes on to explain that feeding a lot of data into a SIEM, following the approach called the “input-driven model”, is not necessarily relevant. “It is better to favor quality over quantity,” summarizes David Routin, e-Xpert Solutions having opted for the “output-driven model”: “The general idea is that if we send something into the SIEM, it is because we really need it, because there are use cases behind it, or because the cost of collection will make it possible to cover different use cases.”

The e-Xpert Solutions specialist is also aware of the risks posed by possible failures in configured SIEM rules. To guard against this type of gap, the teams of the French-speaking Swiss service provider implement solutions for their customers via “an automated Purple Teaming approach”. The idea is to test the different use cases through continuous attack simulations, thereby permanently ensuring that the entire detection chain, from collection to alarm, works perfectly.

David Routin, SOC manager at e-Xpert Solutions SA. (Source: e-Xpert Solutions SA)