Cybersecurity marketing information may not describe accurately cybersecurity capabilities. News to you?
BY:
Eric De Grasse
Chief Technology Officer
PROJECT COUNSEL MEDIA
20 May 2022 (Krakow, Poland) – Gee, I have had a sneaking suspicion that cybersecurity vendors are prone to exaggerating the capabilities of their systems.
I sit in a lot of cybersecurity webinars in which I hear about the “exploit of the day”. I scan newsfeeds to learn that each cybersecurity and threat intelligence experts announce with considerable confidence their strategy for defending against a certain exploit. Why don’t other cybersecurity vendors announce the same exploit? Each vendor, it appears to me, finds something unique to explain and then neutralize … and always after the fact. Our cyber team receives dozens of news releases about cybersecurity, threat detection, and ransomware gangs – each with a separate vulnerability, it seems.
I just read a piece in VentureBeat entitled “Report: 80% of Cyberattack Techniques Evade Detection by SIEMs” which highlights a contrarian report from an outfit named CardinalOps. You can learn more about the company at this link.) This company, founded in 2020, is involved in the security information and event management business. The acronym is SIEM, and it is bandied about with considerable abandon as a “must-know” acronym in the cybersecurity trade.
The VentureBeat article describes some of the information in the CardinalOps monograph called “The State of SIEM Detection Risk: Quantifying the Gaps in MITRE ATT&CK Coverage for Production SIEMs”. The catchy MITRE ATT&CK refers to an MIT Research activity (now MITRE). Here’s how the information is described by MITRE:
a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
With all the jargon now out of the way, I want to highlight this passage from the article:
enterprise SIEMs are missing detections for 80% of all MITRE ATT&CK techniques and only address five of the top 14 ATT&CK techniques employed by adversaries in the wild.
What the CardinalOps monograph seems to say to me is: “The cybersecurity vendors’ software and systems don’t work as they advertise.”
If I interpret the VentureBeat article correctly, the story ventures into territory avoided by most of those involved in cybersecurity. Criticizing the dozens, nay, hundreds of cyber defense companies and their services has been a no-no in my experience. Outfits which purport to review these systems rarely suggest that out of a hundred threats, about four out of five will zip right through the defenses.
Is this the way some upscale consultants suggest using “layers of security”? What that phrase means to me: “License lots of systems and maybe the combination will stop threats”. The implication is that if one system is only 20 percent effective … and my understanding is that each cybersecurity vendor has some method to stop stuff their experts have identified … then the average company only requires five systems running at the same time to reduce risks.
The VentureBeat article about the CardinalOps report offers:
Rather than rely on subjective survey-based data, CardinalOps analyzed configuration data from real-world production SIEM instances to gain visibility into the current state of threat detection coverage in modern Security Operations Centers (SOCs). These organizations represent multibillion dollar, multinational corporations, which makes this one of the largest recorded samples of actual SIEM data analyzed to date, encompassing more than 14,000 log sources, thousands of detection rules and hundreds of log source types.
Okay, some hard data … not that soft porn podcast-grade chatter.
So what’s the fix if you are using popular systems from outfits like the lovable outfit Microsoft which we all use, the firm which just shipped an update … that breaks domain security? The article states:
The latest CardinalOps research provides readers with a series of best practice recommendations to help CISOs and detection engineering teams address these challenges, and be more intentional about how detection coverage is measured and continuously improved over time.
I think this means … get some cybersecurity consultants on board? No surprise there.
To get a copy of the full report, click here and amp up your fear. Email and captcha hoops are required. You know, for security purposes.
BOTTOM LINE? Marketing information may not describe accurately cybersecurity capabilities. You need to dig, research, do your own cyber thinking. Is this news to anybody?
