How Sigma Rules Can Help Address the Cybersecurity Skills Shortage
Sigma rules provide real benefits that lighten the workload of SOC engineers and help them bear the overwhelming amount of work.
A global study by Information Systems Security Association (ISSA) and industry analyst firm Enterprise Strategy Group (ESG) shows that the alarming cybersecurity skills shortage problem raged on for the fifth consecutive year in 2021. This skills shortage, which affects 57 percent of organizations, has resulted in increasing workloads for cybersecurity teams, unfilled cybersecurity job vacancies, and high burnout levels among cybersecurity team members.
A relatively new tool for cybersecurity teams called Sigma rules offers a mitigation option for the skills crisis. It may not completely eliminate the issue, but it can provide a significant contribution in giving teams breathing room as they deal with the serious impact of not having enough people to address aggressive and evolving cyber threats.
Sigma Rules Overview
Sigma rules are textual signatures designed to facilitate the detection of anomalies and suspicious activities in log events. Written in YAML, they are similar to YARA rules in serving as a tool for sharing threat detection information. What makes them different, though, is that they focus on SIEM instead of network traffic and files. Sigma rules are mainly aimed at detecting log events that match certain criteria specified by the SOC engineer. This function is essential in enabling automated responses for incident detection and response systems.
The biggest benefit of using Sigma rules is their standardized format. The Sigma Rule format supplants the formats or languages used by vendor-specific SIEM platforms. This advantage is important in the context of overworked and burned-out cybersecurity teams due to the lack of qualified members.
The concept of Sigma rules was introduced in 2017. It was developed by detection engineer Florian Roth and open-source security tool developer Thomas Patzke. Roth also developed the THOR APT Scanner, which is a full-featured YARA and IOC scanner built to automate the assessment of security breaches. Patzke has been active in incident response and threat hunting activities, and he notably contributed to the profiling of Log4Pot vulnerability (CVE-2021-44228).
Addressing the Skills Shortage Problem
One of the highlight features of Sigma rules is their standardized format for the sharing of detection information. This is crucial because it allows teams to write the rules once and apply them across different SIEM solutions. There is no need to rewrite rules for different SIEM operations, which means significantly greater efficiency.
For example, if the team has already written a Sigma rule for the Azure Sentinel SIEM tool, using the same rule in Splunk does not require rewriting the code from scratch. The Sentinel code can be automatically translated into code that works for Splunk. This is possible because Sigma rules are open-sourced. Once rules have been written in the Sigma rules format, they become available and useful to everyone, even if they are using different SIEM tools.
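To make the write-once idea concrete, the following added example (not code from this article or from the Sigma project) checks one constructed Sigma selection against constructed log events and renders the same selection as a Splunk-style and a Sentinel KQL-style query. The rule, the events, the function names, and the simplified rendering are assumptions made for illustration.

```python
# Added illustration with a constructed rule and events. RULE mirrors the parsed
# YAML of a Sigma rule; real converters also map field names per backend.
RULE = {
    "title": "Whoami Privilege Enumeration",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {"condition": "selection", "selection": {
        "Image|endswith": "\\whoami.exe",
        "CommandLine|contains": ["/priv", "/all"],
    }},
}
EVENTS = [  # constructed process-creation events
    {"Image": "C:\\Windows\\System32\\whoami.exe", "CommandLine": "whoami /PRIV"},
    {"Image": "C:\\Windows\\System32\\whoami.exe", "CommandLine": "whoami"},
]
OPS = {  # Sigma value modifiers as Python string tests
    "equals": lambda have, want: have == want,
    "contains": lambda have, want: want in have,
    "endswith": lambda have, want: have.endswith(want),
    "startswith": lambda have, want: have.startswith(want),
}
SPL_WRAP = {"equals": "{}", "contains": "*{}*", "endswith": "*{}", "startswith": "{}*"}
KQL_OP = {"equals": "=~"}  # other modifiers share their name with a KQL operator

def terms(rule):
    """Yield (field, modifier, values) for each entry of the selection."""
    for key, value in rule["detection"]["selection"].items():
        field, _, mod = key.partition("|")
        yield field, mod or "equals", value if isinstance(value, list) else [value]

def matches(rule, event):
    """Fields are ANDed, list values ORed, case-insensitive; one selection only."""
    return all(any(OPS[m](str(event.get(f, "")).lower(), v.lower()) for v in vals)
               for f, m, vals in terms(rule))

def render(rule, atom, or_word, and_word):
    """Build one backend query string from the same selection."""
    groups = []
    for f, m, vals in terms(rule):
        alts = [atom(f, m, v) for v in vals]
        groups.append(alts[0] if len(alts) == 1 else "(" + or_word.join(alts) + ")")
    return and_word.join(groups)

def to_splunk(rule):  # Splunk-style: wildcards, backslashes escaped
    return render(rule, lambda f, m, v: '{}="{}"'.format(
        f, SPL_WRAP[m].format(v.replace("\\", "\\\\"))), " OR ", " ")

def to_kql(rule):  # Sentinel KQL-style: string operators, verbatim literals
    return render(rule, lambda f, m, v: "{} {} @'{}'".format(f, KQL_OP.get(m, m), v),
                  " or ", " and ")
```

The rule is written once; only the rendering function changes per SIEM, which is the part the Sigma project's converter tooling handles in practice.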
Adopting Sigma rules significantly reduces the tasks of those involved in security information and event management operations. This means security teams are less likely to be overwhelmed by the number of tasks, and cases of burnout become less likely. While companies are still searching for more qualified SOC engineers to add to the team, existing SOC engineers can already reduce their workload by using Sigma rules.
Learning how to write Sigma rules is remotely challenging. The Sigma Rules creation guide has a rule creation template that anyone can use to get started. However, it is also important to get acquainted with the common rule-writing mistakes, like using prefixes in titles, having fewer than 50 characters for the alert name, improper use of the backslash, and not observing the title case.
Pre-Written Sigma Rules
Adopting Sigma rules can improve SIEM operations efficiency even further with the help of off-the-shelf Sigma rules. These are rules pre-made by security solution providers based on the threat detection information they have compiled over time.
SOC engineers write their threat detection rules according to the information they obtain from various sources, from threat intelligence databases to updates from adversarial tactic detection frameworks like MITRE ATT&CK. Such information is continuously accumulated by security validation or security posture management platforms, so it would be inexpedient not to take advantage of the readily available details to facilitate the rapid automatic writing of rules to be made available to SOC teams everywhere.
This pre-writing of Sigma rules can remove the need for a SOC engineer to write rules. They may only have to occasionally evaluate the automatically generated rules or conduct audits to check if the rules are written correctly and if they are serving their intended purpose.
Traditional threat detection rule writing takes up a significant portion of the time SOC engineers spend at work. They inevitably have to write rules repeatedly for every new threat discovered. It is a tedious and time-consuming process that a few SOC engineers would find extremely difficult to handle. The SOC team would need more hands to ensure that rules are accurately and promptly written to keep up with the turnout of new vulnerabilities and cyberattacks. Sigma rules and pre-written Sigma rules palpably ease the burden SOC teams have to deal with.
Other Benefits of Sigma Rules
Indirectly, Sigma rules help improve the cybersecurity community by providing cyber threat researchers and intelligence an agnostic way to share their threat detection information. This removes the need for security engineers to convert the rules they write for other platforms or to write a report on new threat detections.
Independent security researchers will also be empowered to share their detection data. By using the standardized Sigma rules format, they immediately become part of the global cybersecurity research community that relies on open-source information.
Using Sigma rules also benefits MSSPs and MDRs that handle multiple SIEM, endpoint detection, response, and log analytics platforms and data taxonomies or schemas. It also eliminates the inconvenience of vendor lock-ins, which force organizations to continue using specific proprietary tools because all their data have been recorded and kept in a proprietary format. Hence, it becomes too inconvenient to switch to other options.
Again, Sigma rules are not the solution for the persistent cybersecurity skills shortage problem being experienced around the world. The issue requires a holistic approach involving educational institutions, the cybersecurity industry, and businesses. However, Sigma rules provide real benefits that lighten the workload of SOC engineers and help them bear the overwhelming amount of work until more security engineers are recruited and deployed.