Page 198 - Cyber Defense eMagazine September 2023

As a result, MITRE ATT&CK coverage is an ideal metric for tracking and reporting your organization's detection posture.



The inherent challenges

Despite the benefits of MITRE ATT&CK, many organizations find it challenging to measure their detection coverage and to address the highest-priority coverage gaps, the ones that can lead to breaches.

In fact, based on our data-driven research analyzing more than 4,000 rules across diverse SIEM platforms in production environments (including Splunk, Microsoft Sentinel, IBM QRadar, and Sumo Logic), enterprise SIEMs are typically missing detections for 76% of all MITRE ATT&CK techniques used by adversaries. Put another way, using MITRE ATT&CK v13 as the baseline, they are blind to around 150 techniques used by adversaries.

Is it a lack of caring that prevents organizations from ensuring they have the right detections in their SIEMs? Absolutely not. The simple truth is that effectively managing SIEMs is incredibly complex. New log sources are constantly being added, and detection engineers find themselves struggling to keep up with the latest vulnerabilities and with changes in their attack surface. They also constantly find themselves scrambling in a reactive mode after being successfully attacked by red teams and penetration testers.

These challenges are compounded by the biggest challenge of all: finding and retaining skilled detection engineers, especially when organizations are at the same time adopting newer SIEMs (such as cloud-native SIEMs with unfamiliar query languages) to reduce data ingestion costs.




What needs to happen: focus on streamlining detection engineering processes

Automation is widely accepted as a top priority for improving the effectiveness of the SOC, but until now it has only been applied to areas other than detection engineering, such as incident response (with SOAR) and anomaly detection (with behavioral analytics).

In fact, in most organizations, detection engineering tends to be based on highly manual processes, tribal knowledge, and individual "ninjas" rather than on formal, documented workflows enabled by automation.

For example, security teams are often required to manually map detections to MITRE ATT&CK using spreadsheets, which is time-consuming and error-prone. They are also responsible for manually identifying existing detections that are broken or misconfigured, for example because of missing telemetry or other data quality issues (in fact, our research found that on average 12% of existing detections in production SIEMs are broken and will never fire). Finally, they are responsible for continuously researching the latest exploits and manually developing high-fidelity detections for them.

These are not tasks that require the creativity of a human. In fact, automation is better at these kinds of tasks, which are tedious and exhausting for a human practitioner.
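As an added illustration of the two automatable tasks above (mapping rules to ATT&CK and spotting detections that will never fire), the following script computes nominal versus effective ATT&CK coverage for a rule set and reports broken, unmapped, and uncovered techniques. This is example code written for this page, not the author's or any vendor's tooling; the baseline, rule set, and ingested log sources are constructed samples, and the technique list is a small stand-in for the full ATT&CK v13 baseline.

```python
from dataclasses import dataclass

# Constructed stand-in for the ATT&CK v13 technique baseline; the real list is far
# longer, which is why enterprise gaps run to around 150 techniques.
BASELINE = {
    "T1003": "OS Credential Dumping",
    "T1021": "Remote Services",
    "T1047": "Windows Management Instrumentation",
    "T1053": "Scheduled Task/Job",
    "T1059": "Command and Scripting Interpreter",
    "T1071": "Application Layer Protocol",
    "T1078": "Valid Accounts",
    "T1110": "Brute Force",
    "T1486": "Data Encrypted for Impact",
    "T1566": "Phishing",
}

@dataclass(frozen=True)
class Rule:
    name: str
    techniques: frozenset   # ATT&CK technique IDs the rule is mapped to
    log_sources: frozenset  # telemetry the rule's query depends on
    enabled: bool = True

def is_broken(rule, available_sources):
    """A rule will never fire if it is disabled or needs telemetry the SIEM is not ingesting."""
    return (not rule.enabled) or not rule.log_sources <= available_sources

def coverage_report(rules, baseline, available_sources):
    """Nominal coverage counts every mapped rule; effective coverage drops the broken ones."""
    known = set(baseline)
    broken = sorted(r.name for r in rules if is_broken(r, available_sources))
    unmapped = sorted(r.name for r in rules if not r.techniques)
    nominal = set().union(*(r.techniques for r in rules)) & known
    effective = set().union(*(r.techniques for r in rules if r.name not in broken)) & known
    return {
        "nominal_pct": round(100 * len(nominal) / len(known), 1),
        "effective_pct": round(100 * len(effective) / len(known), 1),
        "broken_rules": broken,
        "unmapped_rules": unmapped,
        "gaps": sorted(known - effective),  # techniques with no working detection
    }

# Constructed sample rule set and ingested log sources for a hypothetical SIEM.
AVAILABLE_SOURCES = frozenset({"windows:security", "windows:sysmon", "windows:powershell"})
SAMPLE_RULES = [
    Rule("Suspicious PowerShell execution", frozenset({"T1059"}), frozenset({"windows:powershell"})),
    Rule("LSASS memory access", frozenset({"T1003"}), frozenset({"windows:sysmon"})),
    Rule("Logon brute force", frozenset({"T1110", "T1078"}), frozenset({"windows:security"})),
    Rule("Phishing attachment executed", frozenset({"T1566"}), frozenset({"email:gateway"})),  # not ingested
    Rule("Scheduled task creation", frozenset({"T1053"}), frozenset({"windows:security"}), enabled=False),
    Rule("Legacy alert with no mapping", frozenset(), frozenset({"windows:security"})),
]

if __name__ == "__main__":
    for key, value in coverage_report(SAMPLE_RULES, BASELINE, AVAILABLE_SOURCES).items():
        print(f"{key}: {value}")
```

On the sample data, nominal coverage is 60% but effective coverage is only 40%, which is the gap between what a spreadsheet mapping reports and what the SIEM can actually detect.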








Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.