As CEO of Logpoint, Jesper is an expert on business and cybersecurity innovation.
Security Information and Event Management (SIEM) is an essential tool for the Security Operations Center (SOC), monitoring the network for suspicious activity and alerting the team to potential issues. It can be supplemented with other technologies that add context to those alerts, but the importance of the SIEM's role remains undisputed. However, a recent report, The State of SIEM Detection Risk, has taken aim at the technology with some alarming-sounding statistics for the third year in a row. So, are SIEMs failing, or is there more to the report than meets the eye?
The report's main claim is that the enterprise SIEMs studied had detections in place for only 24% of the 196 techniques in the MITRE ATT&CK framework, a knowledge base of the tactics, techniques and procedures (TTPs) that threat actors use to craft attacks, compiled from real-world observations. This figure has risen from the 16% said to map to the framework in 2021, when the survey was first conducted over a sample base of ten customers. The results are a mean average; some SIEMs will undoubtedly have done better than others.
A Misleading Argument
However, the argument that TTPs are being missed is misleading for several reasons. To start with, the SIEM is not meant to cover the entire framework. Take endpoint attack indicators, for instance, which are only detectable if an Endpoint Detection and Response (EDR) capability is integrated with the SIEM and forwarding its telemetry. Because that kind of data simply does not end up in conventional logs, most SIEMs will not have detections mapped to that area of the MITRE ATT&CK framework.
The same applies to other areas of the framework, such as reconnaissance and resource development, which take place before the adversary touches the victim's environment and therefore leave nothing in the defender's logs. Together these account for numerous TTPs, about 8% of the entire list, for which it would be nigh impossible to create SIEM alerts. This is because, quite rightly, the MITRE ATT&CK framework was not designed as a catalogue of SIEM rules but as a knowledge base for security analysts to map adversary behavior.
It is also wholly unrealistic to expect any SIEM to capture close to 100% of all known threats. In fact, in an interview with SC Magazine back in 2021, when the first report came out, Adam Pennington, who was then MITRE ATT&CK lead at the nonprofit Mitre Corporation, cautioned, "We've recommended against focusing on complete coverage of ATT&CK in the past and continue to do so." Rather, the focus should be on prioritizing threats based on the organization's own threat intelligence. Every organization is different, and so are the TTPs relevant to it.
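To show why the denominator matters in a coverage figure like the report's, here is an added example (not code from the article, the report or Logpoint) that scores a small Sigma-tagged rule set against three denominators: every technique in a constructed slice of ATT&CK, only the tactics a SIEM can observe at all, and only the techniques whose required telemetry is actually being ingested. The technique and tactic IDs are real ATT&CK identifiers; the rule titles, the rule set and the telemetry map are constructed for illustration, and a real run would load the full enterprise-attack STIX bundle and the SIEM's own rule export instead.

```python
"""Score ATT&CK coverage of a SIEM rule set against different denominators.

Added example: not code from the article, the report or Logpoint. The rule set,
the technique slice and the telemetry map are constructed samples.
"""
import re
from collections import defaultdict

# Constructed slice of ATT&CK: technique ID -> tactic (IDs are real ATT&CK IDs).
TECHNIQUES = {
    "T1595": "reconnaissance",        # Active Scanning, happens outside the network
    "T1583": "resource-development",  # Acquire Infrastructure, likewise
    "T1566": "initial-access",        # Phishing
    "T1059": "execution",             # Command and Scripting Interpreter
    "T1055": "defense-evasion",       # Process Injection
    "T1003": "credential-access",     # OS Credential Dumping
    "T1110": "credential-access",     # Brute Force
    "T1021": "lateral-movement",      # Remote Services
    "T1071": "command-and-control",   # Application Layer Protocol
    "T1486": "impact",                # Data Encrypted for Impact
}

# Constructed map of the telemetry each technique needs (ATT&CK data source
# names where they exist). None means no victim-side telemetry can show it.
REQUIRED_SOURCE = {
    "T1595": None, "T1583": None,
    "T1566": "Network Traffic", "T1059": "Process", "T1055": "Process",
    "T1003": "Process", "T1110": "Logon Session", "T1021": "Logon Session",
    "T1071": "Network Traffic", "T1486": "File",
}

# Tactics that occur before the adversary touches the victim environment.
OUT_OF_SCOPE_TACTICS = {"reconnaissance", "resource-development"}

# Constructed rule export with Sigma-style ATT&CK tags (hypothetical rule titles).
RULES = [
    {"title": "Phishing attachment opened", "tags": ["attack.initial_access", "attack.t1566"]},
    {"title": "Suspicious PowerShell", "tags": ["attack.execution", "attack.t1059.001"]},
    {"title": "Password spray from one source", "tags": ["attack.credential_access", "attack.t1110"]},
    {"title": "Beaconing over HTTP", "tags": ["attack.command_and_control", "attack.t1071"]},
]

# Matches technique tags only; sub-techniques (t1059.001) roll up to the parent,
# which is how the report's per-technique count works. Tactic tags (attack.ta0001
# or attack.execution) are deliberately ignored.
TECHNIQUE_TAG = re.compile(r"attack\.t(\d{4})(?:\.\d{3})?")


def techniques_in_rules(rules):
    """Return the set of parent technique IDs any rule is tagged with."""
    found = set()
    for rule in rules:
        for tag in rule["tags"]:
            m = TECHNIQUE_TAG.fullmatch(tag)
            if m:
                found.add("T" + m.group(1))
    return found


def coverage(rules, ingested_sources):
    """Coverage ratios against three denominators, plus the gaps behind them."""
    covered = techniques_in_rules(rules) & set(TECHNIQUES)
    in_scope = {t for t, tac in TECHNIQUES.items() if tac not in OUT_OF_SCOPE_TACTICS}
    observable = {t for t in in_scope if REQUIRED_SOURCE[t] in ingested_sources}
    return {
        "naive": len(covered) / len(TECHNIQUES),          # the report's style of figure
        "in_scope": len(covered & in_scope) / len(in_scope),
        "observable": len(covered & observable) / len(observable),
        "uncovered_observable": sorted(observable - covered),  # rules you could write today
        "blind_spots": sorted(in_scope - observable),          # needs a new log source first
    }


def coverage_by_tactic(rules):
    """(covered, total) per tactic, the breakdown that shows where effort should go."""
    covered = techniques_in_rules(rules)
    per_tactic = defaultdict(lambda: [0, 0])
    for technique, tactic in TECHNIQUES.items():
        per_tactic[tactic][1] += 1
        if technique in covered:
            per_tactic[tactic][0] += 1
    return {tactic: tuple(counts) for tactic, counts in per_tactic.items()}


if __name__ == "__main__":
    ingested = {"Process", "Network Traffic", "Logon Session"}  # no file telemetry yet
    for key, value in coverage(RULES, ingested).items():
        print(f"{key:>21}: {value}")
    for tactic, (c, n) in coverage_by_tactic(RULES).items():
        print(f"{tactic:>21}: {c}/{n}")
```

The same four rules score 40% against the whole slice, 50% once the tactics no log can show are dropped, and about 57% against what the SIEM can actually see; the per-tactic table and the "blind_spots" list are the pieces the headline figure hides, and they are what a detection engineer acts on.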
Augmenting SIEM
In the same interview, Pennington notes that detecting MITRE ATT&CK TTPs also requires investment beyond SIEM technology. It is for this reason that we are seeing technologies such as EDR used to bring in data from additional sources, and Security Orchestration, Automation and Response (SOAR) and User and Entity Behavior Analytics (UEBA) used to provide context and qualify alerts.
Of course, the vendors behind the report have their own agenda. As providers of detection engineering, they are keen to highlight the supposed shortcomings of SIEM technology to justify investment in detection engineering. A relatively new discipline, detection engineering needs to prove its relevance while riding on the coattails of SIEM's success. It is a process that aims to go beyond writing detection rules and to fill the gaps not covered by threat intelligence feeds, so in each case the findings will be unique to the organization.
As detection engineering is quite sophisticated, it is fair to say it is best suited to organizations with a mature cybersecurity posture. For the majority of businesses, which do not yet have a fully mature posture, the most practical approach is to use prebuilt detection content and playbooks, designed either in-house or by the SIEM vendor, that address specific threats. Others will choose to outsource detection engineering to a Managed Security Services Provider (MSSP) equipped to perform it for them.
The Future Of SIEM
However, the report's emphasis on detection misses the point about where the SIEM is going. Modern SIEMs are evolving beyond threat detection and incident response to become valuable threat-hunting tools. Being able to hunt for threats allows the organization to get ahead of an attack and head it off: by identifying potential vectors or the early signs of an attack, the organization can reduce the attacker's dwell time and the longevity of the attack, mitigating its impact.
That said, the report does make some valid claims. It states that SIEMs do not need to collect more data, as they are already ingesting from sufficient sources and at sufficient depth. It agrees with the SANS 2023 SOC Survey that SIEM and EDR are the two technologies considered critical to an effective SOC, and that EDR on its own can miss attacks. But it misses the trajectory the SIEM is on, which is one of convergence with these complementary technologies. Perhaps the one thing we can all agree on is Forrester's assertion that the SIEM "remains the operating system of the SOC and isn't going away."
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.