Freely subscribe to our NEWSLETTER

Organizations invest more than $3 billion annually on SIEM software and expect this investment to result in comprehensive threat coverage. However, an analysis of live SIEM deployments across select CardinalOps customers in multiple industry verticals, including healthcare and financial services, reveals that the threat coverage remains far below what organizations expect and what SIEM and detection tools can provide. Worse, organizations are often unaware of the gap between the theoretical security they assume they have and the actual security they get in practice, creating a false impression of their security posture. Nine out of ten of customers surveyed represent multibillion dollar, multinational corporations – making this one of the largest recorded samples of actual SIEM data analyzed to date.

“Buying security technologies seems to be a much easier task than utilizing them and ’operationalizing’ them for many organizations,” said Anton Chuvakin, Security Solution Strategy, Google Cloud and former Research Vice President and Distinguished Analyst at Gartner. “In fact, there is a lot more guidance on ’Which tool to buy?’ and ’How to buy security right?’ than on how to actually make use of the tool in a particular environment.”

Many of the rules and policies organizations currently have in place are ineffective. CardinalOps research data shows that an average of 25 percent of SIEM rules are broken and will never fire, primarily due to fields that are not extracted correctly or log sources that are not sending the required data. However, organizations are completely unaware that these rules are not functioning. Additionally, only 15 percent of SIEM rules lead to 95 percent of the tickets handled by the Security Operations Center (SOC), demonstrating that a small percentage of noisy rules overwhelm SOC analysts with distracting false positive (FP) alerts.

The SIEM system is typically the centerpiece of the SOC, tasked with detecting and responding to attacks that circumvent an organization’s threat prevention layer. The most revealing data point in the latest CardinalOps research finds that, on average, a SIEM deployment has rules associated with only 16 percent of the techniques listed in the MITRE ATT&CK framework, an industry-standard catalog of tactics, techniques and procedures used by attackers. Considering that multiple rules may be required to fully cover a particular attack technique, the actual MITRE coverage of the average SIEM deployment is even less.

“While it is commonly known that most SIEM deployments are ineffective, this new research validates beyond a doubt the truly poor efficacy of the average SIEM deployment,” said Yair Manor, Co-Founder and CTO, CardinalOps and principal author of the research study. “If organizations are going to be successful moving forward, it is critical they learn how to optimize their existing security tools and that comes from better understanding the threat coverage currently in play.”