In this second annual report, CardinalOps analyzed aggregated and anonymized data from production SIEM instances to understand SOC preparedness to detect the latest adversary techniques in MITRE ATT&CK. This is important because detecting malicious activity early in the intrusion lifecycle is a key factor in preventing material impact to the organization.
The analysis shows that actual detection coverage remains far below what most organizations expect, and that many organizations are unaware of the gap between their assumed theoretical security and the defenses they actually have in place.
The data set for this analysis spanned diverse SIEM solutions – including Splunk, Microsoft Sentinel, and IBM QRadar – encompassing more than 14,000 log sources, thousands of detection rules, and hundreds of log source types.