Millions Spent on SIEM/SOAR and Incidents are Still a Problem
In the last four years, average cybersecurity spending has increased from 13% to 21% of the IT budget. However, nearly 50% of companies reported an attack within the last year (73% experiencing multiple attacks) and only 9% said they were prepared adequately to defend with little to no business impact. Why isn't the effectiveness of cybersecurity programs meeting current challenges despite this significant increase in resourcing?
One of the biggest costs is the Security Operations Platform architecture, which includes the SIEM/SOAR as well as all the data sources for security telemetry (EDR, NGFW, Email Security, VM, and IAM providers). These architectures have become homogeneous and widely deployed. But, are the SIEM/SOAR platforms adding value commensurate to the investment?
There are likely two issues impacting the effectiveness of SIEM/SOAR solutions:
“On average 75% of default out-of-the box (OOB) rules provided by SIEM vendors are disabled, due to the difficulty of adapting generic rules to each organization’s unique infrastructure, log sources, naming conventions, and more.”
Attackers are increasingly aware of the security posture of their targets. In 2023, 40% of malware utilized defense evasion techniques.
What evasion techniques are attackers utilizing? Here are some statistics:
68% of attacks involve a human element or error (from the 2024 Verizon Breach Report)
11% of attacks utilized compromised credentials for initial access (Mandiant M-trends 2024)
Nearly 30% of attackers utilize techniques that included creating or modifying existing system processes (Mandiant M-trends 2024)
CrowdStrike noted 75% of their detections were malware-free, meaning the attacker used “Live-off-the-Land” (LotL) Techniques (CrowdStrike 2024 Global Threat Report)
IBM noted that 16% of their investigations identified stolen or compromised credentials, with an average of 292 days to identify the account compromised (IBM 2024 Cost of a Data Breach Report)
Mandiant notes that ~25% of the attacks they investigated included process injections (running in memory) (Mandiant M-trends 2024)
What does all of this mean for the Security Operations team and how a SIEM/SOAR should be employed?
First, the Security Operations team needs to prioritize differently and focus:
To be discussed in future blogs…
Second, we need to expand the use of the SIEM beyond simply serving as a single pane of glass for all of the security tools. The SIEM must be supported by an analytics and detections team that can identify security control gaps and monitor for suspicious LotL behavior. LotL detections are not binary alerts, as many of the behaviors are also part of the IT team's operations and maintenance approach. Here are some statistics or metrics to consider in SIEM detection engineering for LotL techniques:
User and Entity Behavior Analytics (UEBA): Although tools can be bought to provide this, simple approaches based on log-in times, locations, source systems or user-agent strings can be implemented quickly.
Compromised credentials can be hard to identify, but two approaches that can help are dark web monitoring and the UEBA analytics above.
Some Endpoint Detection and Response (EDR) tools provide mapping of execution paths, but many fall short in monitoring process memory space. IT operations tools can provide some insight into significant process memory utilization.
Threat Intelligence and a good Managed Detection and Response (MDR) provider can also give significant insight into LotL techniques such as use of RDP applications, suspicious registry key values, and app data folders.
Outbound data flows and destinations can also be a suspicious indicator.
None of the above techniques are binary detections or alerts; this is where a seasoned team that understands the company's environment provides insight beyond the standard tool alerting.
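As an added example (not code from the original post), the simple UEBA approach described above implemented in Python: a per-user baseline of login hours, source IPs and user-agents is built from constructed sample sign-in events, and each new login is scored by how many attributes deviate, so a single new IP stays routine noise while an off-hours login from a new IP with a new user-agent is surfaced for analyst review. The event tuple format, the two-hour window and the two-signal threshold are assumptions for this illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in events used to build the baseline
# (user, ISO timestamp, source IP, user-agent). Invented values, not real logs.
BASELINE_EVENTS = [
    ("alice", "2024-05-01T08:55:00", "10.1.4.22", "Windows NT 10.0; Chrome/124"),
    ("alice", "2024-05-02T09:10:00", "10.1.4.22", "Windows NT 10.0; Chrome/124"),
    ("alice", "2024-05-03T10:02:00", "10.1.4.23", "Windows NT 10.0; Chrome/124"),
    ("bob",   "2024-05-01T17:45:00", "10.1.7.80", "Macintosh; Safari/17"),
]

def build_baseline(events):
    """Per-user profile: the login hours, source IPs and user-agents seen so far."""
    profiles = defaultdict(lambda: {"hours": set(), "ips": set(), "uas": set()})
    for user, ts, ip, ua in events:
        profiles[user]["hours"].add(datetime.fromisoformat(ts).hour)
        profiles[user]["ips"].add(ip)
        profiles[user]["uas"].add(ua)
    return profiles

def deviations(profiles, user, ts, ip, ua, hour_window=2):
    """Return the attributes of one login that fall outside the user's baseline."""
    prof = profiles.get(user)
    if prof is None:
        return ["unknown-user"]
    reasons = []
    hour = datetime.fromisoformat(ts).hour
    # The hour is unusual if it is more than hour_window hours (on a 24h clock)
    # away from every hour at which the user has previously logged in.
    if all(min(abs(hour - h), 24 - abs(hour - h)) > hour_window for h in prof["hours"]):
        reasons.append("unusual-hour")
    if ip not in prof["ips"]:
        reasons.append("new-source-ip")
    if ua not in prof["uas"]:
        reasons.append("new-user-agent")
    return reasons

def triage(profiles, events, min_signals=2):
    """Score each login by how many attributes deviate and surface only
    multi-signal outliers; a single deviation is usually ordinary IT activity."""
    hits = []
    for user, ts, ip, ua in events:
        reasons = deviations(profiles, user, ts, ip, ua)
        if len(reasons) >= min_signals:
            hits.append((user, ts, reasons))
    return hits
```

The baseline sets should be rebuilt from a rolling window of real authentication logs so that legitimate changes (a new laptop, a new office) age into the profile rather than alerting forever.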