2022 Report on the State of SIEM Detection Risk — CardinalOps-2

On average, enterprise SIEMs only cover 5 of the top 14 MITRE ATT&CK techniques used by adversaries in the wild.

Only 5 of the top 14 – think about that. That means they miss two-thirds of common adversary techniques.

Why? Insufficient breadth of rules, log source configuration errors, broken log collectors, and noisy rules all contribute to poor ATT&CK coverage in the average SIEM.

Learn more by reading this data-driven report based on configuration data collected from a range of production SIEM instances (Splunk, Microsoft Sentinel, IBM QRadar, etc.) encompassing more than 14,000 log sources, thousands of detection rules, and hundreds of log source types.

Trusted by Global SOCs

Top 10 CPG Manufacturer
Top 10 Private Equity Firm
Top 10 Cable Operator
Top 10 Casino Company
Top 10 Money Transfer Firm
Top 10 US Law Firm
Top 15 MDR Provider
$3B Freight Logistics Firm
Top 20 Cosmetics Company

Addressing operational challenges in maintaining effective detections

Complexity

Constantly increasing number of log sources, attack vectors, and correlation rules

Constant change

Your infrastructure, business priorities, and attack surface are constantly changing

No "one-size-fits-all"

Every enterprise is unique, making it impractical to copy-and-paste generic detection content

Manual processes

Manual, error-prone use case development makes it difficult to scale effectively

“Buying security technologies seems to be much easier than operationalizing them for many organizations. In fact, there is a lot more guidance on 'Which tool to buy?' than on how to fully utilize a tool in a particular environment.”
- Anton Chuvakin, Google Chronicle / Former Gartner Research VP and Distinguished Analyst

Increasing the effectiveness of your tools and your team

Threat coverage gap analysis
  • Automatically identify:
    • Actual coverage vs. MITRE ATT&CK®
    • Missing, broken & noisy rules
    • Missing & incomplete log sources
  • Independent metric helps answer the question "How effective are we?" and drive continuous improvement
Organization specific recommendations
  • Crown jewel assets
  • Industry-specific threats
  • Log-source priorities
  • New vulnerabilities
  • New initiatives (e.g., multi-cloud)
Safe automated deployment
  • Simple 30-minute API integration
  • 1-click deployment of new & remediated rules
  • Visualize impact of changes before & after deployment
  • Inspired by DevOps & agile methodologies