Just under 25% of all MITRE ATT&CK techniques are detected by the major security information and event management (SIEM) systems, including Microsoft Sentinel, IBM QRadar, Splunk, and Sumo Logic, indicating significant gaps in SIEM threat detection, SiliconAngle reports.
Even though the data SIEMs already collect could cover most MITRE ATT&CK techniques, the manual process of building new detections in these systems has proven error-prone, a report from CardinalOps showed. The researchers also found that nearly 12% of SIEM rules are broken: because of data misconfigurations they would never fire or notify anyone, which increases the likelihood of intrusions going undetected. "These findings illustrate a simple truth: Most organizations don't have good visibility into their MITRE ATT&CK coverage and are struggling to get the most from their existing SIEMs. This is important because preventing breaches starts with having the right detections in your SIEM according to the adversary techniques most relevant to your organization and ensuring they're actually working as intended," said CardinalOps co-founder and CEO Michael Mumcuoglu.
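The two findings above (technique coverage and rules that can never fire because a referenced field is not being ingested) are the kind of thing a detection engineer can audit mechanically. The following is an added example, not code from CardinalOps, SiliconAngle or any SIEM vendor; the rules, the data-source field schemas and the technique-to-rule mapping are constructed for illustration, and the ATT&CK IDs are used only as labels.

```python
"""Audit a rule set for ATT&CK coverage and for rules that cannot fire.

Added example with constructed sample data; the `Rule` shape is hypothetical
and not any SIEM's native rule format.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    techniques: set[str]       # ATT&CK technique IDs the rule is mapped to
    required_fields: set[str]  # log fields the rule's query references
    source: str                # data source the rule queries

# Constructed: fields actually present in each ingested data source.
INGESTED_FIELDS = {
    "windows_security": {"EventID", "SubjectUserName", "TargetUserName"},
    "sysmon": {"EventID", "Image", "CommandLine", "ParentImage"},
}

# Constructed rule set; two rules reference fields that are not ingested.
RULES = [
    Rule("Suspicious LSASS access", {"T1003.001"}, {"EventID", "Image"}, "sysmon"),
    Rule("New local admin", {"T1136.001"}, {"EventID", "TargetUserName"}, "windows_security"),
    Rule("PowerShell download", {"T1059.001", "T1105"}, {"CommandLine", "ScriptBlockText"}, "sysmon"),
    Rule("RDP from unknown host", {"T1021.001"}, {"EventID", "IpAddress"}, "windows_security"),
]


def broken_rules(rules: list[Rule], ingested: dict[str, set[str]]) -> dict[str, list[str]]:
    """Map rule name -> missing fields for rules that can never match."""
    out = {}
    for r in rules:
        missing = r.required_fields - ingested.get(r.source, set())
        if missing:
            out[r.name] = sorted(missing)
    return out


def coverage(rules: list[Rule], ingested: dict[str, set[str]],
             in_scope: set[str]) -> tuple[float, list[str]]:
    """Return (fraction of in-scope techniques with a working rule, uncovered IDs)."""
    broken = broken_rules(rules, ingested)
    covered: set[str] = set()
    for r in rules:
        if r.name not in broken:          # only rules that can actually fire count
            covered |= r.techniques & in_scope
    return len(covered) / len(in_scope), sorted(in_scope - covered)


if __name__ == "__main__":
    scope = {"T1003.001", "T1136.001", "T1059.001", "T1105", "T1021.001", "T1566.001"}
    print("broken:", broken_rules(RULES, INGESTED_FIELDS))
    print("coverage, gaps:", coverage(RULES, INGESTED_FIELDS, scope))
```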