The Problem You Didn't Know You Had - The Threat Coverage Gap

Posted by Jennifer Gill on October 7, 2021

At CardinalOps, we talk to many, many security professionals about their security engineering practices, and their Security Information and Event Management (SIEM) solutions. The typical challenges we hear are:

  • Teams are overwhelmed with false positives from so many security tools and incorrectly configured rules. 
  • Despite significant investments, the overall threat coverage of the SIEM cannot be determined or accurately quantified, so security teams really don't know how well they are doing.
  • On-prem security tactics don't effectively translate to the cloud.

All of these challenges really point to one issue - the Threat Coverage Gap.

What is the Threat Coverage Gap?

The Threat Coverage Gap is the gap between what your security should be and what it actually is. There are many factors that cause this gap:

  • Increasingly complex attack vectors, tools, and rules
  • Manual security engineering processes
  • Variable threat landscape and IT assets per organization
  • Highly dynamic environment
  • Difficulty hiring security talent

The result is a highly ineffective SIEM, which leads to a gap in threat coverage.

Practical Security Engineering Challenges

We have identified several key issues that create this gap. Unfortunately, the largest contributing factor is an ineffective SIEM. Most SIEMs are not configured correctly, with only 16% of the MITRE ATT&CK framework covered by active rules. In addition, on average 25% of the rules are broken. Log sources are not used efficiently: 60% of log sources have no associated rule at all. Furthermore, CardinalOps found that 95% of security incident tickets are driven by just 15% of the rules, again showing that the SIEM is not tuned correctly.

Today’s business climate also drives the gap. Businesses are constantly evolving and changing, and it is difficult for security engineers to keep up with all this change. Additionally, it is really difficult to find the right talent, and 40% of businesses struggle with staffing shortages. To overcome shortages in IT staff and resources, many will go to the cloud, but this introduces a new environment that many security professionals might not be familiar with. This trend will only continue, as the cloud market is growing at 19% CAGR.

An under-configured SIEM is not the only cause of the Threat Coverage Gap. Issues with detection products and lack of contextual feedback from asset management and ticketing tools also contribute to the gap. 

You can’t fix what you can’t measure: The Threat Coverage Gap

The CardinalOps Threat Coverage Optimization (TCO) Platform leverages the MITRE ATT&CK framework and, through automation and AI, identifies gaps in coverage as well as the efficacy of the rules that are in place. The findings are continuously mapped to the framework so you know which attack techniques are covered by your current tool set. The TCO Platform goes one step further and analyzes the rule dependencies to determine the health of each rule and whether it is working or not.

The TCO Platform will automatically recommend new rules leveraging AI-powered security engineering and automatically implement them once approved by you, increasing your overall threat coverage, which is measured and presented as the Threat Coverage Score.

What is the Threat Coverage Score?

The Threat Coverage Score is a representation of the percentage of the MITRE ATT&CK framework that your organization is able to effectively detect and respond to. 

A single quantifiable KPI, the Threat Coverage Score, simplifies communication with senior leadership. Processing a single score and mapping it against what is covered in the MITRE ATT&CK framework makes it easy for all to see where the misconfigurations are, as well as missing policies. Security teams can then prioritize changes to their toolset based on which aspects of the MITRE ATT&CK framework they want to cover first. Finally, the team can demonstrate how their threat coverage improves with their increasing Threat Coverage Score.

Up and to the Right is Good

CardinalOps helps address your core security challenges by fixing rules and rationalizing your security tools, to help you close the Threat Coverage Gap. With CardinalOps’ continuous analysis of your entire security stack, you will know where your exposure is against the threat actors that are most likely to try to penetrate your organization. Your risk is continuously reduced, closing the Threat Coverage Gap, to maximize the protection of your business.

Topics: Threat Management, Security Engineering, SecOps