Page 198 - Cyber Defense eMagazine September 2023
As a result, tracking MITRE ATT&CK coverage is an ideal metric to track and report on your
organization’s detection posture.
The inherent challenges
Despite the benefits of MITRE ATT&CK, many organizations find it challenging to measure their detection
coverage and address the highest-priority coverage gaps that can lead to breaches.
In fact, based on our data-driven research analyzing more than 4,000 rules across diverse SIEM
platforms in production environments, including Splunk, Microsoft Sentinel, IBM QRadar, and Sumo
Logic, enterprise SIEMs are typically missing detections for 76% of all MITRE ATT&CK techniques used
by adversaries. Put another way, using MITRE ATT&CK v13 as the baseline, they are blind to around
150 techniques used by adversaries.
Is it a lack of caring that prevents organizations from ensuring they have the right detections in their SIEMs?
Absolutely not. The simple truth is that effectively managing SIEMs is incredibly complex. New log
sources are constantly being added, and detection engineers find themselves struggling to keep up with
the latest vulnerabilities and changes in their attack surface. Plus, they constantly find themselves
scrambling in a reactive mode after being successfully attacked by red teams and penetration testers.
These challenges are compounded by the biggest challenge of all: finding and retaining skilled detection
engineers, especially when organizations are at the same time adopting newer SIEMs, such as
cloud-native SIEMs with unfamiliar query languages, to reduce data ingestion costs.
What needs to happen: focus on streamlining detection engineering processes
Automation is widely accepted as a top priority for improving the effectiveness of the SOC, but until now
it has only been applied to areas other than detection engineering, such as incident response (with
SOAR) and anomaly detection (with behavioral analytics).
In fact, in most organizations, detection engineering tends to be based on highly manual processes, tribal
knowledge, and individual “ninjas” rather than formal, documented workflows enabled by automation.
For example, security teams are often required to manually map detections to MITRE ATT&CK using
spreadsheets, which is time-consuming and error-prone. They are also responsible for manually
identifying existing detections that are broken or misconfigured, for example because of missing telemetry
or other data quality issues (in fact, our research found that on average, 12% of existing detections in
production SIEMs are broken and will never fire). Finally, they are responsible for continuously
researching the latest exploits and manually developing high-fidelity detections for them.
These are not tasks that require the creativity of a human. In fact, automation is better at these kinds of
tasks that are tedious and exhausting for a human practitioner.
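To illustrate what the spreadsheet-and-tribal-knowledge workflow above looks like when automated, here is an added example (not code from the article or its authors): each rule is tagged with the ATT&CK technique IDs it claims to cover and the log source its query reads; the script computes the coverage gap against a baseline and flags rules that cannot fire because they are disabled, their source is not ingested, or their source has gone stale. The technique IDs are real ATT&CK IDs, but the rules, baseline and telemetry freshness figures are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    techniques: tuple   # ATT&CK technique IDs the rule is mapped to
    needs_source: str   # log source the detection query reads
    enabled: bool = True

# Constructed sample data (not the article's research set).
BASELINE = {"T1059.001", "T1053.005", "T1003.001", "T1021.001", "T1566.001", "T1078"}

RULES = [
    Rule("Encoded PowerShell command", ("T1059.001",), "sysmon"),
    Rule("New scheduled task from unusual parent", ("T1053.005",), "sysmon"),
    Rule("LSASS handle access", ("T1003.001",), "edr"),
    Rule("Macro document downloaded", ("T1566.001",), "proxy"),
    Rule("RDP logon from new source", ("T1021.001", "T1078"), "windows_security",
         enabled=False),
]

# Hours since the SIEM last received an event from each ingested source.
INGESTED = {"sysmon": 0.5, "windows_security": 2.0, "edr": 96.0}
STALE_HOURS = 24  # a source silent this long is treated as a data quality issue

def coverage_report(rules, ingested, baseline, stale_hours=STALE_HOURS):
    """Map live rules to techniques, list broken rules, and compute the gap."""
    covered, broken = set(), []
    for r in rules:
        age = ingested.get(r.needs_source)
        if not r.enabled:
            broken.append((r.name, "rule disabled"))
        elif age is None:
            broken.append((r.name, f"no telemetry: {r.needs_source}"))
        elif age > stale_hours:
            broken.append((r.name, f"stale telemetry: {r.needs_source} ({age}h old)"))
        else:  # only a rule that can actually fire counts toward coverage
            covered.update(t for t in r.techniques if t in baseline)
    gaps = sorted(baseline - covered)
    return {
        "covered": sorted(covered),
        "gaps": gaps,
        "broken": broken,
        "pct_missing": round(100 * len(gaps) / len(baseline), 1),
    }

if __name__ == "__main__":
    rep = coverage_report(RULES, INGESTED, BASELINE)
    print(f"Blind to {rep['pct_missing']}% of baseline techniques: {rep['gaps']}")
    for name, reason in rep["broken"]:
        print(f"BROKEN  {name}: {reason}")
```

On the constructed data, two of the five rules count toward coverage and the other three are reported with the reason they would never fire, which is exactly the class of silently broken detection the article's 12% figure refers to.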
Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.