top of page

CardinalOps Report Finds Poor SIEM Configuration Leaves Organizations at High Risk

CardinalOps, pioneer of the industry’s first AI-powered Threat Coverage Optimization Platform, today unveiled new independent research which highlights dramatic failures within the enterprise Security Information and Event Management (SIEM) of the Fortune 1000.

Organizations invest more than $3 billion annually on SIEM software and expect this investment to result in comprehensive threat coverage. However, an analysis of live SIEM deployments across select CardinalOps customers in multiple industry verticals, including healthcare and financial services, reveals that the threat coverage remains far below what organizations expect and what SIEM and detection tools can provide. Worse, organizations are often unaware of the gap between the theoretical security they assume they have and the actual security they get in practice, creating a false impression of their security posture. Nine out of ten of customers surveyed represent multibillion dollar, multinational corporations – making this one of the largest recorded samples of actual SIEM data analyzed to date.

“Buying security technologies seems to be a much easier task than utilizing them and 'operationalizing' them for many organizations,” said Anton Chuvakin, Security Solution Strategy, Google Cloud and former Research Vice President and Distinguished Analyst at Gartner. “In fact, there is a lot more guidance on 'Which tool to buy?' and 'How to buy security right?' than on how to actually make use of the tool in a particular environment.”

Many of the rules and policies organizations currently have in place are ineffective. CardinalOps research data shows that an average of 25 percent of SIEM rules are broken and will never fire, primarily due to fields that are not extracted correctly or log sources that are not sending the required data. However, organizations are completely unaware that these rules are not functioning. Additionally, only 15 percent of SIEM rules lead to 95 percent of the tickets handled by the Security Operations Center (SOC), demonstrating that a small percentage of noisy rules overwhelm SOC analysts with distracting false positive (FP) alerts.

The SIEM system is typically the centerpiece of the SOC, tasked with detecting and responding to attacks that circumvent an organization’s threat prevention layer. The most revealing data point in the latest CardinalOps research finds that, on average, a SIEM deployment has rules associated with only 16 percent of the techniques listed in the MITRE ATT&CK framework, an industry-standard catalog of tactics, techniques and procedures used by attackers. Considering that multiple rules may be required to fully cover a particular attack technique, the actual MITRE coverage of the average SIEM deployment is even less.

“While it is commonly known that most SIEM deployments are ineffective, this new research validates beyond a doubt the truly poor efficacy of the average SIEM deployment,” said Yair Manor, Co-Founder and CTO, CardinalOps and principal author of the research study. “If organizations are going to be successful moving forward, it is critical they learn how to optimize their existing security tools and that comes from better understanding the threat coverage currently in play.”

To download a copy of the research, please visit

About the Data Presented

The research data represents an aggregated, anonymized summary of ten select CardinalOps customers. All but one of these selected customers are multi-billion dollar, multinational corporations representing numerous industry verticals, including healthcare, media, financial services, hospitality and beverages. The aggregate data was collected directly from these customers’ SIEM systems and related IT tools.

About CardinalOps CardinalOps was founded to bring AI-based analytics and automation to critical security engineering functions to ensure comprehensive threat coverage by SIEM and SOC tools. The CardinalOps Threat Coverage Optimization (TCO) Platform quantifies and enumerates the gap that exists between theoretically optimum threat coverage, represented by the MITRE ATT&CK framework, and actual threat coverage, measured by actual SIEM and SOC tool configurations. The TCO Platform was built to close that Threat Coverage Gap by providing real-time configuration change and misconfiguration fix recommendations that are unique to each organization's capabilities and threats. CardinalOps was founded in 2020 by a team of cybersecurity veteran entrepreneurs, is backed by blue-chip investors, and is based in Silicon Valley and Israel. For more information, please visit:



bottom of page