More Than Half of SIEM Users are Unsatisfied with the Intelligence They Get from the Tool

New Research from Cyphort and Ponemon Institute Shows that Organizations Value SIEMs but Want a More Productive Security Platform

SANTA CLARA, Calif., March 01, 2017 (GLOBE NEWSWIRE) -- Cyphort Inc., the Adaptive Detection Fabric (ADF) company, today released new research conducted by the Ponemon Institute, “Challenges to Achieving SIEM Optimization”, which examines issues and attitudes from SIEM users in 559 large organizations across the United States. According to the study, 76 percent of respondents value their SIEM as a strategically important security tool. Only 48 percent, however, were satisfied with the actionable intelligence they get from their SIEMs.

“The root of their dissatisfaction seems to be related to the complexity of the SIEM itself,” explained Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “In fact, 75 percent of respondents said there is significant, or very significant, effort involved in configuring their SIEM for their organization. Obviously, this complexity can make it very difficult to extract the value they want and need.” The issue of complexity was also evident in the total cost of ownership for SIEM solutions.

According to the research, only 25 percent of total SIEM cost is related to the initial purchase of the software.  The remaining 75 percent of the cost is for installation, maintenance and staffing. Surprisingly, 78 percent of the organizations surveyed have one or less full-time staff assigned to SIEM administration, and yet 64 percent or organizations pay more than $1 million annually for external consultants and contractors to assist with SIEM configuration and management. “This data also indicates that the demand for trained security analysts exceeds the supply of skilled talent available to fill these positions,” added Dr. Ponemon.

User dissatisfaction and general frustrations were evident in these other key findings as well:

  • The SIEM is too “noisy” – 54 percent of users agree that their SIEM generates too much low level data and too many alerts, making it difficult to focus on what matters most.
  • Better identity context is desired – 61 percent want to understand the specific users and devices associated with security events reported by the SIEM.
  • More trained staff is needed – 68 percent say their SIEM is useful, but would need additional staff to maximize its value.
  • Improvements in alerts – 70 percent want their SIEM to generate fewer alerts that are more accurate, prioritized and meaningful.
  • SIEM users want more automation – 71 percent want to automate certain SIEM-generated tasks, so that response teams can focus on priorities.

Despite issues of complexity and staffing challenges, 84 percent of respondents said their SIEM is important, very important or essential to their incident respondent process. This reinforces the fact that the SIEM is strategically important to their businesses. Unfortunately, the performance of the SIEM as a security tool falls short of user expectations – specifically in terms of minimizing the dwell time of advanced threats that have penetrated the network. The research revealed that for 65 percent of organizations, the SIEM’s discovery of a compromise can take hours, days, weeks or even months.

“The research data from the Ponemon Institute is consistent with the feedback we’ve been hearing from many organizations across the US in terms of the problem with SIEMs,” said Franklyn Jones, Cyphort chief marketing officer.  “The quantity of data is too high, while the quality of the data is too low. And there is inadequate staff to minimize that noise and maximize the underlying value.”

To address these growing pain points, Cyphort has integrated powerful security analytics capabilities into its open ADF, a distributed software security layer for advanced threat defense.  The ADF is able to ingest, correlate and analyze data from multiple sources in the network, then provide security analysts with a consolidated timeline view of prioritized security incidents – often in as little as 15 seconds. In addition, the ADF can assist incident response teams by providing “one touch” threat mitigation, including policy updates to in-line security tools.

Cyphort and the Ponemon Institute will present complete findings and analysis of this research, as well as an overview of the ADF, during a webinar on March 14 at 10:00 a.m. PT.  To register for this event, click here.  All webinar attendees will receive a full copy of the research report.  See also:

About Cyphort
Cyphort, Inc. is a security software company providing mid- and large-size organizations with the innovative Adaptive Detection Fabric, a scalable platform combining advanced threat defense with security analytics.  The solution is built with an open architecture that integrates with existing security tools to discover and contain the advanced threats that bypass the first line of security defenses. Based in Santa Clara, California, the company was founded in 2011, is privately-held, and distributes its software through direct sales and channel partners across North America and international markets. Learn more at


Contact Data