Half of SIEM Users Find Threat Intelligence Unsatisfactory, Ponemon Reports

Nearly half of all users of Security Information and Event Management (SIEM) solutions are unsatisfied with the threat intelligence provided by their tools, according to new research conducted by the Ponemon Institute and Cyphort. The report, Challenges to Achieving SIEM Optimization, examines issues and attitudes from SIEM users in 559 large organizations across the United States. According to the study, 76 percent of respondents value their SIEM as a strategically important security tool, yet just 48 percent were satisfied with the actionable intelligence they get from their SIEMs.

“The root of their dissatisfaction seems to be related to the complexity of the SIEM itself,” says Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “In fact, 75 percent of respondents said there is significant, or very significant, effort involved in configuring their SIEM for their organization. Obviously, this complexity can make it very difficult to extract the value they want and need.” The issue of complexity was also evident in the total cost of ownership for SIEM solutions.

Just 25 percent of total SIEM cost is related to the initial purchase of the software, according to the Ponemon Institute’s research. The other 75 percent of the cost is for installation, maintenance, and staffing. Surprisingly, 78 percent of the organizations surveyed have one or less full-time staff assigned to SIEM administration, and yet 64 percent or organizations pay more than $1 million annually for external consultants and contractors to assist with SIEM configuration and management. “This data also indicates that the demand for trained security analysts exceeds the supply of skilled talent available to fill these positions,” added Dr. Ponemon.

User dissatisfaction and general frustrations were evident in the report’s other key findings as well:

• The SIEM is too “noisy” – 54 percent of users agree that their SIEM generates too much low-level data and too many alerts, making it difficult to focus on what matters most.
• Better identity context is desired – 61 percent want to understand the specific users and devices associated with security events reported by the SIEM.
• More trained staff is needed – 68 percent say their SIEM is useful but would need additional staff to maximize its value.
• Improvements in alerts – 70 percent want their SIEM to generate fewer alerts that are more accurate, prioritized and meaningful.
• SIEM users want more automation – 71 percent want to automate certain SIEM-generated tasks, so that response teams can focus on priorities.

SIEM Still Essential

Despite issues of complexity and staffing challenges, 84 percent of respondents said their SIEM is important, very important or essential to their incident respondent process. This reinforces the fact that the SIEM is strategically important to their businesses. Unfortunately, the performance of the SIEM as a security tool falls short of user expectations – specifically in terms of minimizing the dwell time of advanced threats that have penetrated the network. The research revealed that for 65 percent of organizations, the SIEM’s discovery of a compromise can take hours, days, weeks or even months.

“The research data from the Ponemon Institute is consistent with the feedback we’ve been hearing from many organizations across the US in terms of the problem with SIEMs,” said Franklyn Jones, Cyphort chief marketing officer. “The quantity of data is too high, while the quality of the data is too low. And there is inadequate staff to minimize that noise and maximize the underlying value.”