3 min read time

Detecting MITRE ATT&CK Techniques: Is SIEM effective?

by   in Cybersecurity

Earlier this year, cybersecurity firm CardinalOps published their 2022 Report on the State of SIEM Detection Risk. CardinalOps, who operate a cloud-based AI analytics platform that continuously audits SIEM/XDR/EDR solutions to detect and eliminate MITRE ATT&CK detection coverage gaps, examined aggregated and anonymized real-world data from across 14,000+ log sources, diverse verticals and multiple SIEMs. It was one of the largest recorded samples of actual SIEM data ever analyzed.

Detecting MITRE ATT&CK Techniques Is SIEM effectiveAmong the report’s key findings were the following:

  • On average, enterprise SIEMs only address 5 of the top 14 MITRE ATT&CK techniques used by adversaries in the wild.
  • On average, enterprise SIEMs are missing detections for 80% of all MITRE ATT&CK techniques.

This is concerning because SIEMs form the foundation of modern Security Operations Centers (SOCs), as they collect and monitor log and event data from across the enterprise. As CardinalOps noted in their report, these results show that “detection coverage remains far below what most organizations expect and what SOCs are expected to provide.”

This is a serious issue, but lucky for you, this isn’t a “doom and gloom” article. In fact, I’m here to share news about a SIEM that leads in MITRE ATT&CK integration, security gap evaluation, and in securing your organization against MITRE ATT&CK techniques. Feel free to jump to the bottom if you’re feeling impatient.

The MITRE ATT&CK Framework: A Critical Tool for SOCs

For years, CyberRes has written about the importance of the MITRE ATT&CK framework and how to use it to evaluate and fill gaps in your security environment. In the 2021 State of Security Operations report, CyberRes found that over 50% of organizations feel that implementing a formalized threat modeling framework like MITRE ATT&CK improves their ability to detect advanced threats, while 40% listed “helps identify gaps in our security defenses” as a primary benefit. Additional benefits of these frameworks were also selected by respondents, including an improved ability to remediate affected hosts, greater training on how cyberattacks function, and enhanced visibility for executive management into security stature and risk.

ArcSight: A Leader in MITRE ATT&CK Integration and Coverage

ArcSight is a modern SIEM platform that has been recognized as a customers’ choice, an industry outperformer, and an innovative leader. ArcSight has long been a leader in MITRE ATT&CK integration and has worked it directly into its solution. ArcSight offers out-of-the-box dashboards that map ingested security events to MITRE techniques to give users a real-time view of the top threat techniques facing their SOC, and a clear, birds-eye view of their overall threat exposure and security coverage. CyberRes even offers its own MITRE ATT&CK Navigator to direct users to the supporting ArcSight content and solutions they need to help them fill their security gaps. 

But most importantly, CyberRes recently evaluated the ArcSight portfolio and found that its out-of-the-box detection rules cover*:

  • 100% of all MITRE ATT&CK tactics
  • 92% of all MITRE ATT&CK techniques
  • 76% of all MITRE ATT&CK sub-techniques
  • 14 of the top 14 MITRE ATT&CK techniques used by adversaries in the wild (as highlighted in the CardinalOps report)

When compared to the average SIEM detection percentages from the CardinalOps report, we see ArcSight's coverage is far more effective and wide-reaching.

All Techniques Top 14 Techniques
ArcSight 92% 100% (14/14)
Average SIEM 20% 36% (5/14)

This superb coverage is largely thanks to ArcSight’s 360° security analytics approach and is further supported by its native threat intelligence solution, GTAP (Galaxy Threat Acceleration Program). Once you add ArcSight’s native complimentary SOAR solution into the mix, you’re left with a modern SIEM that offers both extensive threat detection and automated response capabilities, to ease the burden on your security analysts while decreasing your organization’s overall risk.

We invite you to map your current SOC capabilities to the MITRE ATT&CK framework, to evaluate your coverage, and to compare it to our MITRE ATT&CK Navigator in order to see how ArcSight can help you fill in the gaps.

Finally, we encourage you to contact our team. We’d love to chat with you about your security needs, hopes and dreams.

  *Note: For the sake of this evaluation, a tactic/technique was considered covered if at least one of its underlying techniques/sub-techniques was detectable by ArcSight. This was verified as the approach used by CardinalOps in their evaluation. That said, no MITRE ATT&CK tactic can ever be considered as fully covered, as new techniques and sub-techniques are frequently discovered and implemented. This reinforces the importance of threat intelligence, behavioral analytics, and far-space analytics.

Join our Community | ArcSight User Discussion Forum | ArcSight Idea Exchange | What is Threat Intelligence?


Security Operations