CardinalOps' fourth annual report analyzes real-world data from production SIEMs covering thousands of detection rules across diverse industry verticals
TEL-AVIV, Israel and BOSTON, June 13, 2024 /PRNewswire/ -- CardinalOps, the detection posture management company, today released its Fourth Annual Report on the State of SIEM Detection Risk. The report analyzes more than 3,000 detection rules, 1.2 million log sources and hundreds of unique log source types from real-world SIEM instances across Splunk, Microsoft Sentinel, IBM QRadar, and Sumo Logic.
Using MITRE ATT&CK as the baseline, CardinalOps found that on average:
- A lack of data is not what is holding SIEMs back – organizations have the potential to cover 87% of all MITRE ATT&CK techniques with the data they are already ingesting in their SIEM
- Multiple SIEM environments are on the rise – 43% of organizations reported two or more SIEMs in production
- Nearly 1 in 5 SIEM rules are broken – 18% of SIEM rules will never fire, due to common issues such as misconfigured data sources and missing fields
- Detections are lagging current attack methods – enterprise SIEMs have detections for only 38 (19%) of the 201 techniques in MITRE ATT&CK v14
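Two of the findings above are things a SOC can measure itself: rules that can never fire because they reference fields (or whole log sources) the SIEM does not actually ingest, and the gap between the ATT&CK techniques the existing rules cover and the techniques the already-ingested data could cover. The script below is an added example, not CardinalOps' code or methodology; the rule catalog, the per-source field schema and the source-to-technique map are constructed for illustration, and in practice the rules would come from the SIEM's API and the field list from the ingested events.

```python
"""Detection-posture audit over constructed sample data (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    source: str          # log source type the rule queries
    fields: frozenset    # fields the rule's search/condition references
    techniques: frozenset  # ATT&CK IDs the rule claims to detect
    enabled: bool = True


# Constructed: fields actually present in the events each ingested source ships.
INGESTED_FIELDS = {
    "windows_security": frozenset({"EventID", "SubjectUserName", "TargetUserName", "LogonType"}),
    "sysmon": frozenset({"EventID", "Image", "CommandLine", "ParentImage"}),
    "dns": frozenset({"query", "src_ip", "rcode"}),
}

# Constructed: techniques each source could, in principle, evidence.
SOURCE_TECHNIQUES = {
    "windows_security": frozenset({"T1078", "T1110", "T1098"}),
    "sysmon": frozenset({"T1059", "T1055", "T1003"}),
    "dns": frozenset({"T1071.004", "T1568"}),
}

# Constructed rule catalog; two of the five are silently broken.
RULES = [
    Rule("brute_force", "windows_security", frozenset({"EventID", "TargetUserName"}), frozenset({"T1110"})),
    # References a field this source never ships: the rule can never match.
    Rule("lateral_psexec", "windows_security", frozenset({"EventID", "ServiceName"}), frozenset({"T1021.002"})),
    Rule("encoded_powershell", "sysmon", frozenset({"CommandLine", "Image"}), frozenset({"T1059.001"})),
    # Queries a log source that is not ingested at all.
    Rule("proxy_tunnel", "proxy", frozenset({"url", "bytes_out"}), frozenset({"T1572"})),
    # Healthy rule, but disabled, so it contributes no coverage.
    Rule("dns_long_label", "dns", frozenset({"query"}), frozenset({"T1071.004"}), enabled=False),
]


def parent_technique(tid):
    """Collapse a sub-technique ID (T1059.001) to its technique (T1059)."""
    return tid.split(".")[0]


def broken_rules(rules, ingested=INGESTED_FIELDS):
    """Return {rule_name: reason} for rules that can never fire."""
    out = {}
    for r in rules:
        if r.source not in ingested:
            out[r.name] = f"log source '{r.source}' not ingested"
            continue
        missing = r.fields - ingested[r.source]
        if missing:
            out[r.name] = "missing fields: " + ", ".join(sorted(missing))
    return out


def covered_techniques(rules, ingested=INGESTED_FIELDS):
    """Techniques with at least one enabled rule that can actually fire."""
    broken = broken_rules(rules, ingested)
    return {parent_technique(t) for r in rules
            if r.enabled and r.name not in broken for t in r.techniques}


def coverable_techniques(ingested=INGESTED_FIELDS, source_map=SOURCE_TECHNIQUES):
    """Techniques the data already being ingested could evidence."""
    return {parent_technique(t) for src in ingested
            for t in source_map.get(src, frozenset())}


def posture_report(rules, ingested=INGESTED_FIELDS, source_map=SOURCE_TECHNIQUES):
    """Summarise broken-rule share and the coverable-but-uncovered gap."""
    broken = broken_rules(rules, ingested)
    covered = covered_techniques(rules, ingested)
    coverable = coverable_techniques(ingested, source_map)
    return {
        "rules_total": len(rules),
        "rules_broken": len(broken),
        "broken_share": len(broken) / len(rules),
        "broken": broken,
        "covered": sorted(covered),
        "coverable_uncovered": sorted(coverable - covered),
    }


if __name__ == "__main__":
    for k, v in posture_report(RULES).items():
        print(f"{k}: {v}")
```

On this constructed catalog two of five rules (40%) can never fire, and six techniques the ingested sources could evidence have no working rule at all; the same two checks run against a real rule export and a real field inventory give a SOC its own version of the 18% and 87% figures above.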
"These findings highlight the difficulty that organizations face in building and maintaining effective detection coverage," said Yair Manor, CTO and Co-Founder at CardinalOps. "Security teams continue to struggle with getting the most out of their SIEM and worse, often falsely believe that they are protected when in reality they are at great risk."
To help organizations address their detection challenges, the 2024 CardinalOps report also includes a series of best practices to help SOC teams measure and continuously improve the robustness of their detection posture over time. You can download the full report here.
About CardinalOps
The CardinalOps platform is powered by automation and MITRE ATT&CK to continuously assess and strengthen the detection coverage of your existing SIEM and other detection tools to enable a smarter, more resilient defense.
It improves detection engineering productivity by more than 10x and integrates with your existing tools including Splunk, Microsoft Sentinel, IBM QRadar, Google SecOps (formerly Chronicle), CrowdStrike LogScale, and Sumo Logic Log Analytics.
The platform automatically audits an organization's readiness to defend against the most used and dangerous attack methods utilized by malicious actors as laid out in the MITRE ATT&CK framework. With CardinalOps, organizations can close critical security gaps, optimize their security techniques and gain comprehensive visibility into their detection posture.
Learn more at cardinalops.com.
Media Contact:
Nathaniel Hawthorne
(661) 965-0407
[email protected]
SOURCE CardinalOps