Dark Reading
Products and Releases

SIEM Complexities Increase IR Costs, Decrease IR Productivity

New Report from Cyphort and Osterman Research Puts Spotlight on SIEM User Challenges and How Incident Responders Spend Their Time

SANTA CLARA, CA--(Marketwired - Jul 19, 2017) - Cyphort, Inc., today released a report, "The Complexities of SIEMs and Their Impact on IR Processes," based on new research conducted by Osterman Research, which surveyed SIEM users in 130 enterprise-level organizations across the U.S. While the majority of users said they were "mostly" satisfied with their SIEM, the data also revealed respondents' widespread dissatisfaction with the threat investigation and analysis capabilities available through their SIEMs, and further incident resolution delays.

"I think it's generally accepted that many SIEMs have not performed well in terms of proactive threat detection and analytics capabilities, and the new data confirms that," said Michael Osterman, Principal Analyst of Osterman Research. "Unfortunately, these shortcomings, along with the inherent complexities involved in using a SIEM effectively, have also put a significant burden on security analysts and incident response teams in terms of their productivity. And wasted time translates to wasted costs for these organizations."

For example, the report revealed that security analysts and incident responders working in companies with 1,000 employees would spend an average of 92.9 hours a week (equal to about $4,000 in weekly IT staff salary) analyzing and responding to data extracted from the SIEM. In companies with 2,000 employees, that would double to nearly $8,000 per week. Further, the research reveals that the majority of this time is spent early in the process of trying to identify and confirm specific security threats that may have compromised the network.

Other key findings presented in the report include:

- Less than 40% of respondents are satisfied with the volume of data and the level of endpoint visibility of their SIEM system;

- More than half of organizations experience at least 5 security events per day, and 56% of these experience more than 10 events per day;

- Most SIEMs require substantial human involvement -- in 65% of organizations, the involvement of at least 5 persons is required to resolve security incidents, and in 17% of responding organizations, at least 15 persons are involved;

- For incidents requiring escalation, almost a third (31%) of organizations using a standard SIEM take at least two hours to gather and correlate the data necessary for the next level of incident response -- a time-consuming process that can be automated and accelerated through advanced security analytics;

- Collecting, analyzing and communicating the appropriate information to stakeholders is the most time-consuming part of the escalation process for 70% of respondents using traditional SIEMs; and

- Security incidents typically require a median of 10 elapsed hours to resolve; however, nearly one-third of respondents indicated that the process takes 16 or more elapsed hours to resolve.

"This is the third major research project we've conducted over the past six months, and each one has given us more clarity on the unique challenges facing overworked, understaffed security teams," said Franklyn Jones, CMO at Cyphort. "It validates the need for more intelligent security solutions that can reduce the cost, noise, complexity, and wasted time associated with traditional SIEMs. We're very pleased that Cyphort's innovative Anti-SIEM software is addressing those needs and providing value to a growing number of organizations."

The complete report "The Complexities of SIEMs and Their Impact on IR Processes" is available here.

About the Anti-SIEM
The Anti-SIEM is a distributed software platform that begins with a focus on threat detection, ingesting raw data from web, email, and lateral-spread traffic, as well as log and event data from a variety of other security tools in the network. All information is fed into its analytics engine, which uses machine learning and behavioral analysis technologies to first identify advanced threats, then correlate all related alerts and log events from other sources, and finally add user/host identity information. The Anti-SIEM then presents analysts with a consolidated timeline view of the entire security incident, showing the threat and all related events over time, as well as progression through the cyber kill chain. The entire process takes as little as 15 seconds.

About Cyphort
Cyphort, Inc. is a security software company providing mid- and large-size enterprise customers with innovative security analytics for advanced threat detection and defense. The solution is built with an open architecture that integrates with existing security tools to discover and contain the advanced threats that bypass the first line of security defense in an organization. Based in Santa Clara, California, the company was founded in 2011, is privately-held, and distributes its software through direct sales and channel partners across North America and international markets. Learn more at
