Identifying and Mitigating Common Issues in Detection Rule Effectiveness Through Validation


Detection rules are the backbone of modern Security Operations Centers (SOCs), serving as the eyes and ears for threat detection and response. However, ensuring these rules function as intended can be challenging. Many SIEM systems lack advanced validation mechanisms, resulting in undetected threats and a false sense of security. In our research for the Blue Report 2024, we identified the most common issues affecting the effectiveness of detection rules within SIEM systems. 

This blog will discuss these findings, highlighting how our research—derived from simulations across organizations in various sectors and regions—reveals that the problem of SIEM effectiveness is not unique but widespread, and why detection rule validation is critical for maintaining a robust security posture in your organization.

Understanding the Picus Blue Report 2024

To fully appreciate the findings we’re about to introduce, it’s important to first understand the significance of the Blue Report 2024.

So, What Exactly Is the Blue Report 2024?

The Blue Report is an annual study by Picus Labs, offering insights based on over 136 million attack simulations conducted by Picus Security customers from January to June 2024 on The Security Validation Platform. This year's report stands out by including data from the Detection Rule Validation (DRV) product, which provides a more in-depth analysis of the effectiveness of organizations' detection rules in SIEM systems.

Why Focus on Findings from Detection Rule Validation (DRV)?

While the Blue Report encompasses a wide range of simulation data, this blog focuses on the findings from the DRV. We believe these results demand critical attention, as they uncover the most prevalent and severe issues in detection rules within SIEM systems. These issues pose significant security risks, making it crucial to address them before they lead to potentially impactful breaches.

Common Issues Affecting Detection Rule Effectiveness

In this section, we’ll explore common issues that affect detection rule effectiveness. We'll focus on critical issues like log source consolidation, log source availability, and performance-related challenges. 

The most common issue we found was Improper Log Source Consolidation, affecting 23% of the study’s cases. This problem occurs when event coalescing is enabled, which is a process that combines similar log entries into a single record to reduce log volume. While this can be useful, it often affects critical log sources such as DNS systems, proxy servers, Windows servers, and endpoints. The downside is that this consolidation can lead to data loss, as detailed information from individual events might get omitted. Disabling event coalescing can solve this issue by preserving all log details, but it can also lead to increased system load and higher storage requirements, as more data will be logged in its entirety.


Figure 1. Common Issues Affecting Detection Rule Effectiveness, Identified by Picus DRV.
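To make the data-loss mechanism concrete, here is an added example (not code from Picus or the Blue Report) that models event coalescing over a constructed DNS query stream. The grouping keys, the 10-second window and the sample events are assumptions for illustration; real SIEMs key on more fields and may pass the first few events through unchanged. The point it demonstrates is that a rule keyed on a field the coalescer discards, here the queried name, fires on the raw events but not on the coalesced records.

```python
from datetime import datetime, timedelta

# Constructed sample DNS query events: one client resolves four different names
# within a few seconds, and a second client resolves one name later.
SAMPLE_DNS_EVENTS = [
    {"ts": "2024-03-01T10:00:00", "src_ip": "10.0.0.5", "event_name": "DNS Query", "qname": "example.com"},
    {"ts": "2024-03-01T10:00:01", "src_ip": "10.0.0.5", "event_name": "DNS Query", "qname": "cdn.example.net"},
    {"ts": "2024-03-01T10:00:02", "src_ip": "10.0.0.5", "event_name": "DNS Query", "qname": "bad-domain.invalid"},
    {"ts": "2024-03-01T10:00:03", "src_ip": "10.0.0.5", "event_name": "DNS Query", "qname": "example.org"},
    {"ts": "2024-03-01T10:00:45", "src_ip": "10.0.0.7", "event_name": "DNS Query", "qname": "example.com"},
]

# Fields the coalescer groups on (an assumption of this example). Real SIEMs key
# on more fields, such as ports and user, and may let the first few events through.
COALESCE_KEYS = ("src_ip", "event_name")


def coalesce(events, key_fields=COALESCE_KEYS, window=timedelta(seconds=10)):
    """Collapse events that share key_fields and fall within `window` of the
    bucket's first event into one record. Only the first event's payload is
    kept; later events merely increment event_count and update last_ts."""
    open_buckets = {}  # key -> (first_ts, record)
    coalesced = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        ts = datetime.fromisoformat(ev["ts"])
        key = tuple(ev[f] for f in key_fields)
        bucket = open_buckets.get(key)
        if bucket and ts - bucket[0] <= window:
            bucket[1]["event_count"] += 1
            bucket[1]["last_ts"] = ev["ts"]
            continue
        record = dict(ev, event_count=1, last_ts=ev["ts"])
        open_buckets[key] = (ts, record)
        coalesced.append(record)
    return coalesced


def dropped_values(events, coalesced, field):
    """Values of `field` present in the raw stream but in no coalesced record:
    exactly the detail a rule keyed on that field can no longer see."""
    kept = {r[field] for r in coalesced}
    return sorted({e[field] for e in events} - kept)


def rule_matches_domain(records, domain):
    """Toy detection rule: fire if any record's queried name equals `domain`."""
    return any(r["qname"] == domain for r in records)


if __name__ == "__main__":
    merged = coalesce(SAMPLE_DNS_EVENTS)
    print(f"{len(SAMPLE_DNS_EVENTS)} raw events -> {len(merged)} coalesced records")
    print("queried names lost to coalescing:", dropped_values(SAMPLE_DNS_EVENTS, merged, "qname"))
    print("rule fires on raw events:      ", rule_matches_domain(SAMPLE_DNS_EVENTS, "bad-domain.invalid"))
    print("rule fires on coalesced events:", rule_matches_domain(merged, "bad-domain.invalid"))
```

Running `dropped_values` against a log source's real field of interest is a quick way to decide whether coalescing is safe for that source or whether the storage cost of disabling it is justified.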

Log source availability issues also stood out, with Broken Log Source and Unavailable Log Source errors appearing in 5% and 10% of cases, respectively. Both issues are considered highly critical. Unavailable Log Source problems occur when log sources stop sending logs, which can happen due to network disruptions, failures in log collection services, or configuration issues. When logs aren’t being received, essential data for monitoring and threat detection is lost.

On the other hand, Broken Log Source issues arise when log sources are disabled or misconfigured, meaning they are not generating logs at all. This can render related detection rules ineffective, as the rules rely on logs that are no longer being produced. In both cases, the ability to generate alerts is significantly diminished, leaving organizations at risk of undetected threats and potential security breaches.
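The two availability conditions above can be checked routinely. The following added example (not Picus DRV code) classifies a constructed log source inventory as healthy, unavailable (enabled but silent for longer than a multiple of its expected reporting interval) or broken (disabled, or never produced an event, which stands in for a misconfiguration), and then lists the detection rules that depend on a non-healthy source. The inventory fields, rule names and thresholds are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed reference time so the example is deterministic offline.
NOW = datetime.fromisoformat("2024-06-30T12:00:00")

# Constructed log source inventory, shaped like what a SIEM's log source
# management API might return (names and fields are hypothetical).
LOG_SOURCES = [
    {"name": "dns-resolver-01", "enabled": True,  "last_event": "2024-06-30T11:59:40", "expected_interval_min": 5},
    {"name": "proxy-edge-02",   "enabled": True,  "last_event": "2024-06-29T18:10:00", "expected_interval_min": 5},
    {"name": "win-dc-01",       "enabled": False, "last_event": "2024-06-30T11:58:00", "expected_interval_min": 5},
    {"name": "edr-agent-feed",  "enabled": True,  "last_event": None,                  "expected_interval_min": 15},
]

# Constructed mapping from detection rules to the log sources they depend on.
RULES = {
    "DNS query to watched domain":          ["dns-resolver-01"],
    "Proxy download of executable content": ["proxy-edge-02"],
    "Domain controller logon anomaly":      ["win-dc-01"],
    "Endpoint process anomaly":             ["edr-agent-feed", "win-dc-01"],
}


def classify_source(src, now=NOW, grace_factor=3):
    """'broken': disabled, or never produced an event (treated as misconfigured);
    'unavailable': enabled, but silent for longer than grace_factor times its
    expected reporting interval; otherwise 'healthy'."""
    if not src["enabled"] or src["last_event"] is None:
        return "broken"
    silence = now - datetime.fromisoformat(src["last_event"])
    if silence > timedelta(minutes=src["expected_interval_min"] * grace_factor):
        return "unavailable"
    return "healthy"


def source_health(sources=LOG_SOURCES, now=NOW):
    return {s["name"]: classify_source(s, now) for s in sources}


def ineffective_rules(rules=RULES, sources=LOG_SOURCES, now=NOW):
    """Rules that depend on at least one non-healthy source, mapped to the
    offending sources and their status."""
    health = source_health(sources, now)
    report = {}
    for rule, deps in rules.items():
        bad = {s: health[s] for s in deps if health[s] != "healthy"}
        if bad:
            report[rule] = bad
    return report


if __name__ == "__main__":
    for name, status in source_health().items():
        print(f"{name:16} {status}")
    for rule, bad in ineffective_rules().items():
        print(f"RULE AT RISK: {rule} <- {bad}")
```

The rule-to-source mapping is the part most teams lack; without it, a silent log source is an infrastructure ticket rather than the detection gap it actually is.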

Performance-related problems were another critical area we identified; although each was relatively uncommon on its own, together they made up a substantial portion of the issues we observed. Unfiltered Log Analysis, found in 8% of cases, degrades system performance by examining large volumes of logs without proper filters. Broad Custom Property Definition (7%) and Absence of Log Source Filters (6%) also contribute to unnecessary resource consumption and decreased system efficiency. Similarly, Wide Time Range Parameters (5%) and queries that do not start with Default Fields (4%) delay response times and negatively impact performance. Free Text Search (3%), another performance-related issue, further strains resources and slows system operations.

Lastly, a notable configuration issue, Empty Reference Set, was identified in 4% of cases. This high-criticality problem occurs when reference sets used within rules are empty or not dynamically updated, leading to malfunctioning rules and, again, potential security gaps.
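The performance and configuration issues listed in the two paragraphs above are all statically checkable from a rule definition plus the current reference-set contents. The following added example (not Picus DRV code) is a small linter over a constructed, hypothetical rule representation: an ordered list of tests and an evaluation window. The set of "default" (indexed) fields, the operator names, the 60-minute window threshold and the two sample rules are assumptions for illustration, not any SIEM vendor's real schema. It flags each of the seven issue types named on this page.

```python
import re

# Assumed set of indexed "default" fields that cheap tests should lead with.
# Constructed for this example; not any vendor's real field list.
DEFAULT_FIELDS = {"sourceip", "destinationip", "username", "eventname", "logsourceid"}

# Constructed reference-set contents, as a linter would fetch them from the SIEM.
REFERENCE_SETS = {
    "known_bad_domains": [],                    # defined but never populated
    "watched_domains": ["bad-domain.invalid"],
}

# Constructed rules in a simplified, hypothetical representation: an ordered
# list of tests plus the evaluation window in minutes.
RULES = [
    {
        "name": "DNS query to bad domain (sloppy)",
        "window_minutes": 1440,
        "tests": [
            {"field": "payload", "op": "text_search", "value": "dns"},
            {"field": "qname", "op": "in_reference_set", "value": "known_bad_domains"},
            {"field": "custom_property_1", "op": "regex", "value": ".*"},
        ],
    },
    {
        "name": "DNS query to bad domain (tidy)",
        "window_minutes": 10,
        "tests": [
            {"field": "logsourceid", "op": "eq", "value": "dns-resolver-01"},
            {"field": "eventname", "op": "eq", "value": "DNS Query"},
            {"field": "qname", "op": "in_reference_set", "value": "watched_domains"},
        ],
    },
]

_META = re.compile(r"[\^\$\.\*\+\?\(\)\[\]\{\}\|\\]")


def is_broad_regex(pattern, min_literals=3):
    """A custom-property regex with almost no literal text (e.g. '.*' or '^.+$')
    matches nearly every event and forces extraction on all of them."""
    return len(_META.sub("", pattern)) < min_literals


def lint_rule(rule, reference_sets=REFERENCE_SETS, max_window_minutes=60):
    """Return the sorted issue codes found in one rule."""
    issues = set()
    tests = rule["tests"]
    if not any(t["field"] == "logsourceid" for t in tests):
        issues.add("absence_of_log_source_filter")
    if tests and tests[0]["field"] not in DEFAULT_FIELDS:
        issues.add("not_starting_with_default_field")
    if rule["window_minutes"] > max_window_minutes:
        issues.add("wide_time_range")
    # No cheap equality/membership test on an indexed field means every event
    # in the window is scanned before anything is discarded.
    if not any(t["op"] in ("eq", "in_reference_set") and t["field"] in DEFAULT_FIELDS for t in tests):
        issues.add("unfiltered_log_analysis")
    for t in tests:
        if t["op"] == "text_search":
            issues.add("free_text_search")
        elif t["op"] == "in_reference_set" and not reference_sets.get(t["value"]):
            issues.add("empty_reference_set")
        elif t["op"] == "regex" and is_broad_regex(t["value"]):
            issues.add("broad_custom_property")
    return sorted(issues)


def lint_all(rules=RULES, reference_sets=REFERENCE_SETS):
    return {r["name"]: lint_rule(r, reference_sets) for r in rules}


if __name__ == "__main__":
    for name, issues in lint_all().items():
        print(f"{name}: {', '.join(issues) or 'no issues'}")
```

The empty reference set check is the one worth scheduling rather than running once: a set that was populated when the rule was written can silently drain if the feed that fills it breaks, which is why the page calls out sets that are "not dynamically updated".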

Common Issue Types in Detection Rules

Having discussed the common issues that impact detection rule effectiveness, let's now explore the specific types of problems that frequently arise in detection rules. As highlighted earlier, these insights are drawn from the Picus DRV dataset, which provides a continuously updated checklist of over 50 common issues in detection rules.

The data reveals the diverse challenges involved in maintaining effective detection rules within SIEM systems. Notably, log collection issues account for 38% of these challenges, followed closely by performance-related problems at 33%. Additionally, other issues, such as configuration errors, make up 29% of the cases. 


Figure 2. Common Issues Types in Detection Rules, Identified by Picus DRV.

These statistics emphasize the critical importance of ongoing testing, fine-tuning, and regular updates to your security rules to ensure they perform optimally and maintain a strong security posture. By proactively addressing these common issues, security teams can greatly enhance the efficiency and reliability of their detection systems.

This is where DRV becomes crucial. By leveraging DRV, security teams can not only identify and address issues related to log source consolidation, availability, and performance but also gain deep insights into the overall health and effectiveness of their detection rules. 

How Does Detection Rule Validation Help You?

At Picus, we advocate for a proactive approach to rule validation, fully recognizing that this is essential for modern SOC teams to stay ahead of an increasingly sophisticated threat landscape. This proactive approach should involve not only identifying and eliminating redundant or obsolete rules but also refining incomplete or ambiguous use cases to make sure that the right rules are in place and that alerts are triggered for critical security events.

Picus DRV simplifies this process by enabling security teams to quickly identify and resolve issues with detection rule performance and hygiene. By providing a comprehensive framework, DRV helps optimize threat detection and response capabilities, ensuring that detection rules are not just functional but also well-aligned with the evolving threat landscape. This reduces the effort required to maintain these rules while significantly enhancing the effectiveness of the SOC.

Figure 3. Picus Detection Rule Validation (DRV)

Conclusion

As we review our findings, it becomes evident that the effectiveness of detection rules is crucial to a SOC team's ability to respond to threats. The Blue Report 2024 makes it clear that standing still is not an option: without proactive maintenance and optimization, detection rules can quickly become ineffective, leaving organizations vulnerable to undetected threats.

In conclusion, the Blue Report 2024 calls for action: organizations must prioritize the continuous validation and optimization of their detection rules. Leveraging tools like Picus DRV is not just beneficial—it’s essential for ensuring that detection systems remain robust and capable of protecting against sophisticated cyber threats. By doing so, security teams can significantly enhance their threat detection and response capabilities, ensuring their organizations are well-protected in an increasingly complex digital landscape.