SIEMs only cover 19% of MITRE ATT&CK tactics.


CardinalOps Report: State of SIEM Detection Risk Highlights Mismatched Capabilities

CardinalOps recently released its State of SIEM Detection Risk report, shedding light on the current state of Security Information and Event Management (SIEM) systems. The report, which analyzed 3,000 detection rules and 1.2 million log sources, revealed that SIEMs only cover 19% of MITRE ATT&CK tactics, leaving a significant gap in security coverage.

Despite this finding, the report also highlighted that organizations have the potential to cover 87% of the techniques if their SIEMs are utilized correctly. Key findings from the report include the growing use of multiple SIEM environments, with 43% of organizations now utilizing two or more SIEM systems. Additionally, 18% of SIEM rules were found to be broken, often due to missing fields and misconfigured data sources.

Security leaders in the industry weighed in on these findings, offering their insights and concerns. Adam Neel, Senior Threat Detection Engineer at Critical Start, expressed concerns over the complexity that multiple SIEM tools can bring, potentially leading to slower response times and misconfigured rules. Tamir Passi, Senior Product Director at DoControl, emphasized the gap between SIEM capabilities and actual detection coverage, advocating for purpose-built systems for improved detection. John Bambenek, President at Bambenek Consulting, highlighted the need for organizations to focus on foundational behaviors in detection rules rather than specific indicators.

Overall, the CardinalOps report serves as a wake-up call for organizations to reassess their SIEM strategies and ensure proper coverage of detection techniques to enhance their cybersecurity posture.
