SIEM detection failures and mitigation strategies identified in Picus Blue Report 2025
Summary
The Picus Blue Report 2025, based on 160 million attack simulations, reveals that organizations detect only 1 out of 7 simulated attacks. This highlights critical gaps in threat detection and response, primarily due to log collection failures, misconfigured detection rules, and performance issues. These factors create blind spots, allowing attackers to compromise sensitive systems, escalate privileges, or exfiltrate data undetected. The report identifies three main issues: log source coalescing, unavailable log sources, and delayed implementation of cost-effective test filters. Continuous validation of SIEM rules is crucial to maintain their effectiveness against evolving threats. Organizations must regularly test and tune their SIEM rules to ensure they can detect and prevent modern attacks.
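The failure classes the summary lists (unavailable or coalescing log sources, thresholds set above realistic event volume, poorly defined reference sets) can be checked before a rule is trusted. The following added example, not code from Picus or the report, runs such a pre-flight validation over constructed log sources and rules; the 2x-interval staleness bound and all field names are assumptions.

```python
"""Rule-health checks for the failure classes the report names (silent or coalescing
log sources, unreachable thresholds, empty reference sets). Constructed data; not vendor code."""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class LogSource:
    last_event: datetime          # newest event received from this source
    expected_interval: timedelta  # how often the source normally reports
    coalescing: bool = False      # identical events merged; payloads dropped

@dataclass
class Rule:
    name: str
    source: str                   # log source the rule depends on
    threshold: int                # matching events needed before it fires
    reference_set: frozenset      # indicator list the rule matches against

def check_rule(rule, sources, now, simulated_events):
    """Reasons a simulated attack producing `simulated_events` matching
    events would not trigger `rule`; an empty list means it is healthy."""
    findings = []
    src = sources.get(rule.source)
    if src is None:
        findings.append("log source not configured")
    else:
        if now - src.last_event > 2 * src.expected_interval:
            findings.append("log source unavailable: silent beyond 2x expected interval")
        if src.coalescing:
            findings.append("coalescing enabled: repeated events collapse below threshold")
    if rule.threshold > simulated_events:
        findings.append(f"threshold {rule.threshold} exceeds simulated volume {simulated_events}")
    if not rule.reference_set:
        findings.append("reference set empty: rule can never match")
    return findings

def run_validation(rules, sources, now, simulated_events):
    return {r.name: check_rule(r, sources, now, simulated_events) for r in rules}

# Constructed sample: healthy edge-firewall feed, stale and coalescing DC feed
NOW = datetime(2025, 8, 25, 14, 50)
SOURCES = {
    "fw-edge": LogSource(NOW - timedelta(minutes=1), timedelta(minutes=5)),
    "dc-auth": LogSource(NOW - timedelta(hours=3), timedelta(minutes=10), True),
}
RULES = [
    Rule("brute-force-auth", "dc-auth", 50, frozenset({"4625"})),
    Rule("c2-beacon", "fw-edge", 5, frozenset()),
    Rule("edge-scan", "fw-edge", 5, frozenset({"tcp/22"})),
]
```

Calling `run_validation(RULES, SOURCES, NOW, 20)` reports every reason a rule would miss a 20-event simulation, so only `edge-scan` comes back clean.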
Timeline
- 25.08.2025 14:50 · 1 article · 22d ago
  Picus Blue Report 2025 reveals critical gaps in SIEM detection capabilities
The Picus Blue Report 2025, based on 160 million attack simulations, identifies significant gaps in SIEM detection capabilities. The report highlights that organizations detect only 1 out of 7 simulated attacks, primarily due to log collection failures, misconfigured detection rules, and performance issues. These factors create blind spots, allowing attackers to compromise sensitive systems undetected. The report emphasizes the need for continuous validation of SIEM rules to maintain their effectiveness against evolving threats.
Sources:
- Why SIEM Rules Fail and How to Fix Them: Insights from 160 Million Attack Simulations, thehackernews.com, 25.08.2025 14:50
Information Snippets
- SIEM systems detect only 1 out of 7 simulated attacks, indicating significant gaps in threat detection.
  First reported: 25.08.2025 14:50 (1 source, 1 article): Why SIEM Rules Fail and How to Fix Them: Insights from 160 Million Attack Simulations, thehackernews.com, 25.08.2025 14:50
- 50% of detection rule failures are due to log collection issues.
  First reported: 25.08.2025 14:50 (1 source, 1 article): Why SIEM Rules Fail and How to Fix Them: Insights from 160 Million Attack Simulations, thehackernews.com, 25.08.2025 14:50
- 13% of rule failures are attributed to misconfigurations, including incorrect thresholds and poorly defined reference sets.
  First reported: 25.08.2025 14:50 (1 source, 1 article): Why SIEM Rules Fail and How to Fix Them: Insights from 160 Million Attack Simulations, thehackernews.com, 25.08.2025 14:50
- 24% of detection failures are related to performance problems, such as resource-heavy rules and inefficient queries.
  First reported: 25.08.2025 14:50 (1 source, 1 article): Why SIEM Rules Fail and How to Fix Them: Insights from 160 Million Attack Simulations, thehackernews.com, 25.08.2025 14:50
- Log source coalescing, unavailable log sources, and delayed implementation of cost-effective test filters are the most common log collection issues.
  First reported: 25.08.2025 14:50 (1 source, 1 article): Why SIEM Rules Fail and How to Fix Them: Insights from 160 Million Attack Simulations, thehackernews.com, 25.08.2025 14:50
- Continuous validation of SIEM rules is essential to maintain their effectiveness against evolving threats.
  First reported: 25.08.2025 14:50 (1 source, 1 article): Why SIEM Rules Fail and How to Fix Them: Insights from 160 Million Attack Simulations, thehackernews.com, 25.08.2025 14:50
Similar Happenings
Chinese State-Sponsored Actors Targeting Global Critical Infrastructure
Chinese state-sponsored Advanced Persistent Threat (APT) actors, specifically the Salt Typhoon group, are conducting a sustained campaign to gain long-term access to critical infrastructure networks worldwide. These actors exploit vulnerabilities in routers and other edge network devices used by telecommunications providers, ISPs, and other infrastructure operators. The campaign targets telecommunications, transportation, lodging, government, and military networks. The actors employ tactics to evade detection and maintain persistent access, posing a significant threat to national and economic security. The advisory provides actionable guidance to help organizations strengthen their defenses and protect critical systems. The campaign has targeted at least 600 organizations across 80 countries, including 200 in the U.S. The advisory details how state-backed threat actors, including Salt Typhoon, penetrate networks around the world and how defenders can protect their own environments. The advisory attributes this cluster of activity to multiple APTs, though it partially overlaps with Salt Typhoon. The advisory notes that the actors have had considerable success exploiting publicly known vulnerabilities, including Ivanti Connect Secure, Ivanti Policy Secure, Palo Alto Networks PAN-OS, and Cisco IOS XE vulnerabilities. The advisory suspects that the APT actors may target other devices, including Fortinet firewalls, Juniper firewalls, Microsoft Exchange, Nokia routers and switches, Sierra Wireless devices, and SonicWall firewalls. The actors use multiple tactics to maintain persistence, including modifying Access Control Lists (ACLs), opening standard and non-standard ports, enabling SSH servers, and creating tunnels over protocols. The actors target protocols and infrastructure involved in authentication, such as Terminal Access Controller Access Control System Plus (TACACS+), to facilitate lateral movement across network devices.
The advisory provides extensive recommendations for mitigating these threats, including monitoring network device configuration changes, auditing network services and tunnels, and checking logs for integrity. The advisory highlights a critical shift in Chinese state-sponsored activity from purely espionage to gaining long-term access for potential disruption. 45 previously unreported domains associated with Salt Typhoon and UNC4841 have been discovered, dating back to May 2020. The oldest domain identified is onlineeylity[.]com, registered on May 19, 2020. The domains were registered using Proton Mail email addresses and fake personas. The domains point to high-density and low-density IP addresses, with the earliest activity traced back to October 2021. The domains are linked to Chinese cyber espionage campaigns, with potential overlaps between Salt Typhoon and UNC4841.
Storm-0501 Ransomware Campaign Targets Multicloud Environments
In late 2024, the threat group Storm-0501 compromised hybrid cloud environments across multiple sectors, including government, manufacturing, transportation, law enforcement, schools, and healthcare. The group exploited compromised credentials and overprivileged accounts to move between cloud and on-premises environments, aiming to generate revenue through a ransomware affiliate scheme. The campaign highlights the challenges organizations face in maintaining consistent security postures across multicloud environments. Over 75% of companies use two or more cloud providers, and many expose high-value assets to potential attacks due to inconsistent identity and access controls. The incident underscores the need for unified security platforms and consistent policies to disrupt attack chains and improve visibility across multicloud environments. In August 2025, Microsoft detailed a recent attack where Storm-0501 employed cloud-based ransomware tactics, exploiting cloud privilege escalation and visibility gaps. The attack targeted a large enterprise with multiple subsidiaries, each with separate but interconnected Microsoft Azure cloud tenants, demonstrating the group's evolving tactics and the need for robust security measures. Storm-0501 has been observed exploiting Entra ID to exfiltrate and delete Azure data in hybrid cloud attacks, using cloud-native capabilities to exfiltrate data, destroy backups, and demand ransom without deploying traditional malware.