Follow Datanami:
June 14, 2024

CardinalOps Report Shows Enterprise SIEM Tools Are Underperforming In Cyberthreat Detection


In its Fourth Annual Report on the State of SIEM Detection Risk, CardinalOps, an AI-powered security engineering startup, found that Security Information and Event Management (SIEM) tools contain giant blind spots, compromising the ability of an enterprise to detect cyber threats.

The report analyzed real-world data from production SIEM instances to gain a better understanding of the current state of use case development and threat detection coverage across enterprise SOCs. The production SIEMs analyzed in the report included IBM QRadar, Sumo Logic, Microsoft Sentinel, and Splunk. 

Analyzing real-world data from production SIEMs covering 3000 detection rules across diverse industry verticals and 1.2 million log sources from major SIEMS, the study found that the tools only covered 19% of the MITRE ATT&CK techniques. 

According to CaridinalOps, the data that is collected by the SIEM tools could potentially cover up to 87% of all attack techniques, so it is not a data problem. Enterprises have access to all the data they need to minimize the attack surface. However, enterprises have been unable to use this data to improve threat detection. 

“These findings highlight the difficulty that organizations face in building and maintaining effective detection coverage,” said Yair Manor, CTO and Co-Founder at CardinalOps. “Security teams continue to struggle with getting the most out of their SIEM and worse, often falsely believe that they are protected when in reality they are at great risk.”


The MITRE ATT&CK, which was used as a baseline for this study, is an industry-standard framework for understanding adversary playbooks and behavior. The latest MITRE ATT&CK framework covers 201 techniques, but the enterprise SIEMs tested in this study have detections for only 38 of them.

Based on the SIEM rules analyzed in the report, nearly 1 in 5 SIEM rules are broken due to issues such as missing fields or misconfigured data sources. This means that these SIEM rules won’t trigger security alerts, leaving possible threats undetected.

The data from the CardinalOps study shows that the average enterprise has over 130 different security tools ranging from endpoint solutions to email authorizations. Multiple SIEM environments are on the rise, with more than 2 in 5 enterprises having two or more SIEM tools in production. 

The complexity of using multiple tools could be one reason for the gap between the expected coverage and the actual coverage. According to CardinalOP’s analysis of the report data, having a multitude of security tools can make it more challenging to keep track of each tool’s alerts, event types, and log formats, which are essential to establish unique detection for each. 


The findings of the report also highlight that when it comes to SIEM detections, there is no standard or universal approach that works for all enterprises. Every organization has its unique characteristics and this influences how the SIEM tools need to be configured and used. 

The characteristics that need to be considered include information technology environments, team structures, regulatory requirements, and the organization’s unique SIEM processes. Customization is crucial for maximizing the effectiveness of the tools and improving the overall cybersecurity posture.

The CardinalOps report highlights that the gap between SIEM tools’ capabilities and the actual coverage is a critical issue in the cybersecurity landscape. While SIEM tools offer excellent versatility, there is a need for specialized tools, such as SaaS Security Posture Management and Cloud Security Posture Management. These tools can help an enterprise address the unique cybersecurity challenges of their specific environment. 

Related Items 

Elastic Enhances Security Operations with AI-Assisted Attack Discovery and Analysis

Exabeam Introduces New-Scale SIEM

Exabeam and IDC Study Reveals 57% of Companies Face Major Security Incidents with North America and Western Europe Most Affected