CardinalOps, provider of an AI-powered Threat Coverage Optimization Platform, unveiled new independent research which highlights dramatic failures within the enterprise Security Information and Event Management (SIEM) of the Fortune 1000. 

Organizations invest more than $3 billion annually on SIEM software and expect this investment to result in comprehensive threat coverage. However, an analysis of live SIEM deployments across select CardinalOps customers in multiple industry verticals, including healthcare and financial services, reveals that the threat coverage remains far below what organizations expect and what SIEM and detection tools can provide. Worse, organizations are often unaware of the gap between the theoretical security they assume they have and the actual security they get in practice, creating a false impression of their security posture. Nine out of ten of customers surveyed represent multibillion dollar, multinational corporations – making this one of the largest recorded samples of actual SIEM data analyzed to date.

“Buying security technologies seems to be a much easier task than utilizing them and 'operationalizing' them for many organizations,” said Anton Chuvakin, Security Solution Strategy, Google Cloud and former Research Vice President and Distinguished Analyst at Gartner. “In fact, there is a lot more guidance on 'Which tool to buy?' and 'How to buy security right?' than on how to actually make use of the tool in a particular environment.”

Many of the rules and policies organizations currently have in place are ineffective. CardinalOps research data shows that an average of 25% of SIEM rules are broken and will never fire, primarily due to fields that are not extracted correctly or log sources that are not sending the required data. However, organizations are completely unaware that these rules are not functioning. Additionally, only 15% of SIEM rules lead to 95% of the tickets handled by the Security Operations Center (SOC), demonstrating that a small percentage of noisy rules overwhelm SOC analysts with distracting false positive (FP) alerts.

The SIEM system is typically the centerpiece of the SOC, tasked with detecting and responding to attacks that circumvent an organization’s threat prevention layer. The most revealing data point in the latest CardinalOps research finds that, on average, a SIEM deployment has rules associated with only 16% of the techniques listed in the MITRE ATT&CK framework, an industry-standard catalog of tactics, techniques and procedures used by attackers. Considering that multiple rules may be required to fully cover a particular attack technique, the actual MITRE coverage of the average SIEM deployment is even less.

“While it is commonly known that most SIEM deployments are ineffective, this new research validates beyond a doubt the truly poor efficacy of the average SIEM deployment,” said Yair Manor, CTO, CardinalOps and principal author of the research study. “If organizations are going to be successful moving forward, it is critical they learn how to optimize their existing security tools and that first comes from better understanding the threat coverage currently in play.”

For detailed findings, please visit https://www.cardinalops.com/siem-industry-research-report