SIEM Complexities Increase IR Costs, Decrease IR Productivity

New Report from Cyphort and Osterman Research Puts Spotlight on SIEM User Challenges and How Incident Responders Spend Their Time

July 18, 2017



SANTA CLARA, CA--(Marketwired - Jul 19, 2017) - Cyphort, Inc., today released a report, "The Complexities of SIEMs and Their Impact on IR Processes," based on new research conducted by Osterman Research, which surveyed SIEM users in 130 enterprise-level organizations across the U.S. While the majority of users said they were "mostly" satisfied with their SIEM, the data also revealed respondents' widespread dissatisfaction with the threat investigation and analysis capabilities available through their SIEMs, as well as resulting delays in incident resolution.

"I think it's generally accepted that many SIEMs have not performed well in terms of proactive threat detection and analytics capabilities, and the new data confirms that," said Michael Osterman, Principal Analyst of Osterman Research. "Unfortunately, these shortcomings, along with the inherent complexities involved in using a SIEM effectively, have also put a significant burden on security analysts and incident response teams in terms of their productivity. And wasted time translates to wasted costs for these organizations."

For example, the report revealed that security analysts and incident responders working in companies with 1,000 employees would spend an average of 92.9 hours a week (equal to about $4,000 in weekly IT staff salary) analyzing and responding to data extracted from the SIEM. In companies with 2,000 employees, that would double to nearly $8,000 per week. Further, the research reveals that the majority of this time is spent early in the process of trying to identify and confirm specific security threats that may have compromised the network.

Other key findings presented in the report include:

- Less than 40% of respondents are satisfied with the volume of data and the level of endpoint visibility of their SIEM system;

- More than half of organizations experience at least 5 security events per day, and 56% of these experience more than 10 events per day;

- Most SIEMs require substantial human involvement -- in 65% of organizations, the involvement of at least 5 persons is required to resolve security incidents, and in 17% of responding organizations, at least 15 persons are involved;

- For incidents requiring escalation, almost a third (31%) of organizations using a standard SIEM take at least two hours to gather and correlate the data necessary for the next level of incident response -- a time-consuming process that can be automated and accelerated through advanced security analytics;

- Collecting, analyzing and communicating the appropriate information to stakeholders is the most time-consuming part of the escalation process for 70% of respondents using traditional SIEMs; and

- Security incidents typically require a median of 10 elapsed hours to resolve; however, nearly one-third of respondents indicated that the process takes 16 or more elapsed hours to resolve.

"This is the third major research project we've conducted over the past six months, and each one has given us more clarity on the unique challenges facing overworked, understaffed security teams," said Franklyn Jones, CMO at Cyphort. "It validates the need for more intelligent security solutions that can reduce the cost, noise, complexity, and wasted time associated with traditional SIEMs. We're very pleased that Cyphort's innovative Anti-SIEM software is addressing those needs and providing value to a growing number of organizations."

The complete report "The Complexities of SIEMs and Their Impact on IR Processes" is available here.

About the Anti-SIEM
The Anti-SIEM is a distributed software platform that begins with a focus on threat detection, ingesting raw data from web, email, and lateral-spread traffic, as well as log and event data from a variety of other security tools in the network. All information is fed into its analytics engine, which uses machine learning and behavioral analysis technologies to first identify advanced threats, then correlate all related alerts and log events from other sources, and finally add user/host identity information. The Anti-SIEM then presents analysts with a consolidated timeline view of the entire security incident, showing the threat and all related events over time, as well as progression through the cyber kill chain. The entire process takes as little as 15 seconds.

About Cyphort
Cyphort, Inc. is a security software company providing mid- and large-size enterprise customers with innovative security analytics for advanced threat detection and defense. The solution is built with an open architecture that integrates with existing security tools to discover and contain the advanced threats that bypass the first line of security defense in an organization. Based in Santa Clara, California, the company was founded in 2011, is privately held, and distributes its software through direct sales and channel partners across North America and international markets. Learn more at
