Cyber Safeguards: Do Digital Prophylactics Have Holes?
May 19, 2022
I have had a sneaking suspicion that cyber security vendors were prone to exaggerating the capabilities of their systems. I sit in webinars in which I hear about the exploit of the day. I scan newsfeeds to learn what each cyber security and threat intelligence expert announces with considerable confidence. (Why don’t other cyber security vendors announce the same exploit? Each vendor, it appears to me, finds something unique to explain and then neutralize… after the fact.) I look at dozens of news releases about cyber security, threat detection, and the ransomware gang wanting citizens of Costa Rica to overthrow the country. So many vulnerabilities, it seems.
“Report: 80% of Cyberattack Techniques Evade Detection by SIEMs” highlights a contrarian report from an outfit named CardinalOps. (You can learn more about the company at this link.) This company, founded in 2020, is involved in the security information and event management business. The acronym is SIEM, and it is bandied about with considerable abandon as a must-know acronym.
The VentureBeat article describes some of the information in the CardinalOps monograph called “The State of SIEM Detection Risk: Quantifying the Gaps in MITRE ATT&CK Coverage for Production SIEMs.”
(The catchy name MITRE ATT&CK refers to a knowledge base maintained by the MITRE Corporation, a not-for-profit that grew out of MIT’s Lincoln Laboratory in the 1950s; the name is not an abbreviation for “MIT Research.” Here’s how MITRE describes the knowledge base:
a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.)
With the jargon behind me, I want to highlight this passage from the article published by the estimable VentureBeat:
enterprise SIEMs are missing detections for 80% of all MITRE ATT&CK techniques and only address five of the top 14 ATT&CK techniques employed by adversaries in the wild.
What the CardinalOps monograph seems to say to me is: “The cyber security vendors’ software and systems don’t work as advertised.”
If I interpret the VentureBeat article correctly, the story ventures into territory avoided by most of those involved in cyber security. Criticizing the dozens, nay, hundreds of cyber defense companies and their services has been a no-no in my experience. Outfits which purport to review these systems rarely suggest that out of a hundred threats, about four out of five will zip right through the defenses.
(Is this why some upscale consultants suggest using layers of security? This phrase means to me: “License lots of systems and maybe the combination will stop threats.” The implication is that if one system is only 20 percent effective, and if, as I understand it, each cyber security vendor has some method to stop the stuff its own experts have identified, then the average company only requires five systems running at the same time to reduce risk.)
The VentureBeat article about the CardinalOps report offers:
Rather than rely on subjective survey-based data, CardinalOps analyzed configuration data from real-world production SIEM instances to gain visibility into the current state of threat detection coverage in modern Security Operations Centers (SOCs). These organizations represent multibillion dollar, multinational corporations, which makes this one of the largest recorded samples of actual SIEM data analyzed to date, encompassing more than 14,000 log sources, thousands of detection rules and hundreds of log source types.
Okay, hard data, not soft podcast-grade chatter.
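The arithmetic behind a number like “missing detections for 80% of techniques” is not mysterious once every SIEM rule is tagged with the ATT&CK technique IDs it is meant to catch. What follows is an added example, not code from CardinalOps, VentureBeat, or the original post. The rule set, the log-source inventory, and the short technique list are constructed for illustration; only the T-numbers are real ATT&CK identifiers, and the “priority” list is a stand-in for whatever top-N list a team adopts, not the report’s top 14. The example makes the distinction the report’s methodology implies: a technique tag on a rule is coverage on paper, while a rule that is disabled, or whose log source is not ingested, provides none.

```python
"""Detection-coverage arithmetic against a list of MITRE ATT&CK techniques.

Added example, not code from the CardinalOps report, VentureBeat, or this blog.
The rule set, log-source inventory, technique universe and priority list are
constructed; only the T-number IDs are real ATT&CK identifiers.
"""
from collections import defaultdict

# Constructed technique universe: a handful of real Enterprise ATT&CK IDs.
# (The real matrix has several hundred techniques; a production check would
# load the STIX bundle MITRE publishes instead of a hand-typed dict.)
TECHNIQUES = {
    "T1059": "Command and Scripting Interpreter",
    "T1078": "Valid Accounts",
    "T1566": "Phishing",
    "T1003": "OS Credential Dumping",
    "T1053": "Scheduled Task/Job",
    "T1027": "Obfuscated Files or Information",
    "T1036": "Masquerading",
    "T1105": "Ingress Tool Transfer",
    "T1047": "Windows Management Instrumentation",
    "T1021": "Remote Services",
    "T1486": "Data Encrypted for Impact",
    "T1055": "Process Injection",
    "T1218": "System Binary Proxy Execution",
    "T1082": "System Information Discovery",
}

# Constructed priority list (NOT the report's top 14; a placeholder for a team's own).
PRIORITY = ["T1059", "T1078", "T1566", "T1003", "T1053", "T1027", "T1036"]

# Constructed inventory of log sources the SIEM actually ingests.
ONBOARDED_LOG_SOURCES = {"windows_security", "sysmon", "proxy"}

# Constructed rule export: each rule carries its ATT&CK tags, an enabled flag
# and the log source it needs in order to fire at all.
RULES = [
    {"id": "R1", "name": "PowerShell encoded command", "techniques": ["T1059.001"], "enabled": True,  "log_source": "sysmon"},
    {"id": "R2", "name": "LSASS memory access",        "techniques": ["T1003.001"], "enabled": True,  "log_source": "sysmon"},
    {"id": "R3", "name": "New scheduled task",         "techniques": ["T1053.005"], "enabled": False, "log_source": "windows_security"},
    {"id": "R4", "name": "Mail attachment macro",      "techniques": ["T1566.001"], "enabled": True,  "log_source": "mail_gateway"},
    {"id": "R5", "name": "Download via certutil",      "techniques": ["T1105", "T1218"], "enabled": True, "log_source": "sysmon"},
    {"id": "R6", "name": "Logon from new country",     "techniques": ["T1078"],     "enabled": True,  "log_source": "windows_security"},
]


def parent_technique(tid):
    """'T1059.001' -> 'T1059'; a parent technique ID is returned unchanged."""
    return tid.split(".")[0]


def rule_can_fire(rule, onboarded):
    """A rule only counts if it is enabled and its log source is ingested."""
    return rule["enabled"] and rule["log_source"] in onboarded


def tagged_coverage(rules, onboarded=None):
    """Map parent technique -> rule IDs tagged with it (or a sub-technique of it).

    With onboarded=None every rule counts: coverage "on paper".
    With an onboarded set, only rules that can actually fire count.
    """
    cov = defaultdict(list)
    for r in rules:
        if onboarded is not None and not rule_can_fire(r, onboarded):
            continue
        for t in r["techniques"]:
            cov[parent_technique(t)].append(r["id"])
    return dict(cov)


def coverage_report(rules, onboarded, universe, priority):
    """Compare paper coverage with effective coverage and list the gaps."""
    paper = tagged_coverage(rules)
    effective = tagged_coverage(rules, onboarded)
    missing = sorted(t for t in universe if t not in effective)
    return {
        "covered": sorted(t for t in universe if t in effective),
        "missing": missing,
        "pct_missing_on_paper": round(100 * sum(t not in paper for t in universe) / len(universe)),
        "pct_missing": round(100 * len(missing) / len(universe)),
        # Priority techniques with no rule that can fire, in priority order.
        "priority_missing": [t for t in priority if t not in effective],
        # Tagged rules that contribute nothing: the paper-vs-effective gap.
        "dead_rules": [r["id"] for r in rules if not rule_can_fire(r, onboarded)],
    }


if __name__ == "__main__":
    rep = coverage_report(RULES, ONBOARDED_LOG_SOURCES, TECHNIQUES, PRIORITY)
    print(f"missing on paper: {rep['pct_missing_on_paper']}%  effective: {rep['pct_missing']}%")
    print("priority gaps:", ", ".join(f"{t} ({TECHNIQUES[t]})" for t in rep["priority_missing"]))
    print("dead rules:", rep["dead_rules"])
```

On the constructed data the rule set looks 50% short of the technique list on paper but 64% short once the disabled rule and the rule whose mail-gateway logs are not ingested are set aside, and four of the seven priority techniques have nothing that can fire. Even the effective number is an upper bound on what a SOC would actually catch: a tag says a rule was written for a technique, not that the rule is correct, tuned, or has been exercised against a real sample of that technique.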
So what’s the fix if you are using popular systems from an outfit like the lovable Microsoft, the firm which shipped an update that breaks domain security? The article states:
The latest CardinalOps research provides readers with a series of best practice recommendations to help CISOs and detection engineering teams address these challenges, and be more intentional about how detection coverage is measured and continuously improved over time.
I think this means consulting. No surprise there.
To get a copy of the report, click here and amp up your fear. Email and captcha hoops required. You know, for security.
Net net: Marketing information may not accurately describe cyber security capabilities. Is this news?
Stephen E Arnold, May 19, 2022