Enterprise SIEMs are detecting only 21 percent of threat techniques


Enterprise security information and event management (SIEM) tools miss 79 percent of the MITRE ATT&CK techniques used by adversaries, according to a new report.
The study from CardinalOps draws on an expansive dataset of 2.5 million total log sources, over 23,000 distinct log sources, more than 13,000 unique detection rules and hundreds of production SIEM environments, and finds that a significant portion of existing detection rules -- 13 percent on average -- are non-functional and will never trigger due to issues such as misconfigured data sources and missing log fields.
SIEMs now process an average of 259 log types and nearly 24,000 unique log sources, providing more than enough telemetry to detect over 90 percent of MITRE ATT&CK techniques (an increase of three percent from 2024) -- but manual, error-prone detection engineering practices continue to limit actual coverage.
Despite the scale of available data and detection infrastructure, organizations are still struggling to keep pace with evolving threats due to resource constraints and a lack of automation in rule development and validation.
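One way to run the kind of detection-health assessment the report calls for, as an added example that is not CardinalOps' code or method: each rule declares the log source it queries and the fields its logic depends on, and the check flags rules whose source is not ingested at all or whose fields never appear in that source. The events and rules below are constructed.

```python
# Added example (not from the CardinalOps report): flag detection rules that can never
# fire because the data they depend on is not actually arriving in the SIEM.
from collections import defaultdict

# Constructed sample events, as a SIEM might hold them after parsing: source plus fields.
SAMPLE_EVENTS = [
    {"_source": "windows_security", "EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\cmd.exe"},
    {"_source": "windows_security", "EventID": 4624, "LogonType": 3},
    # No CommandLine field: process-creation auditing is on, command-line logging is not.
    {"_source": "windows_security", "EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\notepad.exe"},
    {"_source": "proxy", "url": "http://example.test/", "status": 200},
]

# Constructed rules: the source each one queries and the fields its logic uses.
RULES = [
    {"name": "Suspicious command line", "source": "windows_security", "fields": ["EventID", "CommandLine"]},
    {"name": "Network logon", "source": "windows_security", "fields": ["EventID", "LogonType"]},
    {"name": "Proxy to rare domain", "source": "proxy", "fields": ["url"]},
    {"name": "Linux sudo abuse", "source": "linux_auth", "fields": ["COMMAND"]},
]

def observed_fields(events):
    """Map each log source to the set of field names seen in any of its events."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["_source"]].update(k for k in ev if k != "_source")
    return seen

def check_rule_health(rules, events):
    """Return {rule name: reason} for rules that cannot trigger on the ingested data.

    A rule is non-functional when its source sends nothing (misconfigured data source)
    or when a field it depends on never appears in that source (missing log field).
    """
    seen = observed_fields(events)
    broken = {}
    for rule in rules:
        if rule["source"] not in seen:
            broken[rule["name"]] = f"no events from source '{rule['source']}'"
            continue
        missing = sorted(set(rule["fields"]) - seen[rule["source"]])
        if missing:
            broken[rule["name"]] = f"fields never seen in '{rule['source']}': {', '.join(missing)}"
    return broken

def broken_rule_ratio(rules, events):
    """Share of rules that are non-functional (the metric the report puts at 13 percent)."""
    return len(check_rule_health(rules, events)) / len(rules)

if __name__ == "__main__":
    for name, reason in check_rule_health(RULES, SAMPLE_EVENTS).items():
        print(f"{name}: {reason}")
```

Run against a sample of recent events per source rather than the whole index; a field that is present but always empty deserves the same treatment and is a natural extension.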
"Five years' worth of data tells a stark story: organizations are sitting on a mountain of data but still lack the visibility needed to detect the threats that matter most," says Michael Mumcuoglu, CEO and co-founder of CardinalOps. "What's clear is that the traditional approach to detection engineering is broken. Without being able to leverage AI, automation, and continuous assessment of detection health, enterprises will remain dangerously exposed -- even with modern SIEM platforms and sophisticated telemetry."
You can get the full report from the CardinalOps site.