Anton Chuvakin, SIEM expert and former Gartner analyst (now at Google Chronicle), has written a thought-provoking blog post titled "SOC Threat Coverage Analysis — Why/How?".
In the post, he discusses:
- Why the detection coverage gap is so large at many organizations (broken log collectors, missing rules, etc.)
- Why simply mapping detection rules to MITRE ATT&CK techniques is not enough to operationalize ATT&CK in your SOC
- How to systematically improve threat coverage in your SOC
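The gap between "a rule is mapped to a technique" and "the technique is actually detectable right now" is the crux of the first two points. The script below is an added illustration of that distinction, written for this page; it is not code from Chuvakin's post or from any SIEM it mentions. The technique list, rule names, log-source labels, and collector timestamps are all constructed sample data. It classifies each in-scope technique as covered (an enabled rule whose log source is still delivering events), blind (rules exist, but every log source they rely on has gone silent, i.e. a broken collector), or uncovered (no enabled rule at all), and contrasts that with the count a mapping-only exercise would report.

```python
"""Added illustration of SOC threat-coverage analysis.

Constructed sample data, not taken from Chuvakin's post or any SIEM product.
Separates "a rule is mapped to an ATT&CK technique" from "the technique is
detectable right now" by checking that the rule is enabled and that its log
source is still delivering events.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Rule:
    name: str
    techniques: list        # ATT&CK technique IDs the rule is mapped to
    log_source: str         # hypothetical log-source label the rule depends on
    enabled: bool = True


# Constructed sample: five techniques the SOC has decided it must cover.
SAMPLE_TECHNIQUES = ["T1059.001", "T1078", "T1003.001", "T1566.001", "T1021.002"]

# Constructed sample rules (names and log-source labels are made up).
SAMPLE_RULES = [
    Rule("Encoded PowerShell command line", ["T1059.001"], "windows-sysmon"),
    Rule("LSASS handle from non-system process", ["T1003.001"], "windows-sysmon"),
    Rule("Login from previously unseen country", ["T1078"], "idp-auth"),
    Rule("Admin share access burst", ["T1021.002"], "windows-security", enabled=False),
]

# Constructed collector health: timestamp of the last event seen per log source.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_HEALTH = {
    "windows-sysmon": NOW - timedelta(days=3),      # collector broken for days
    "idp-auth": NOW - timedelta(minutes=5),
    "windows-security": NOW - timedelta(minutes=1),
}


def naive_mapped_count(techniques, rules):
    """Coverage as a mapping-only exercise would report it: a technique counts
    if any rule is mapped to it, regardless of rule state or log health."""
    return sum(1 for t in techniques if any(t in r.techniques for r in rules))


def coverage_report(techniques, rules, health, now, max_silence=timedelta(hours=24)):
    """Classify each in-scope technique:
      covered   - at least one enabled rule whose log source delivered events
                  within max_silence
      blind     - enabled rules exist, but every log source they need has gone
                  silent (or was never onboarded)
      uncovered - no enabled rule is mapped to the technique
    Returns {technique: (status, [rule names that determined the status])}."""
    report = {}
    for tech in techniques:
        candidates = [r for r in rules if tech in r.techniques and r.enabled]
        if not candidates:
            report[tech] = ("uncovered", [])
            continue
        live, silent = [], []
        for rule in candidates:
            last = health.get(rule.log_source)
            if last is None or now - last > max_silence:
                silent.append(rule.name)
            else:
                live.append(rule.name)
        report[tech] = ("covered", live) if live else ("blind", silent)
    return report


def coverage_summary(report):
    """Count techniques per status."""
    counts = {"covered": 0, "blind": 0, "uncovered": 0}
    for status, _ in report.values():
        counts[status] += 1
    return counts


if __name__ == "__main__":
    rep = coverage_report(SAMPLE_TECHNIQUES, SAMPLE_RULES, SAMPLE_HEALTH, NOW)
    for tech, (status, names) in rep.items():
        print(f"{tech:10} {status:9} {', '.join(names) or '-'}")
    total = len(SAMPLE_TECHNIQUES)
    print("mapped (naive):   ", naive_mapped_count(SAMPLE_TECHNIQUES, SAMPLE_RULES), "/", total)
    print("effective covered:", coverage_summary(rep)["covered"], "/", total)
```

On the constructed data, a mapping-only view reports 4 of 5 techniques as covered, while the effective view shows 1 covered, 2 blind (the Sysmon collector has been silent for three days) and 2 uncovered (one technique has no rule, the other's only rule is disabled). The `max_silence` threshold is a tunable assumption; in practice it should be set per log source from its normal event rate rather than as a single global value.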