Cyphort and Ponemon Institute’s report presenting new findings regarding user dissatisfaction with Security Information and Event Management Systems (SIEMs), revealed that More Than Half of SIEM Users are Unsatisfied with the Intelligence they Get from the Tool.

As a company that works with customers to optimize SIEMs, and helping them reliably feed those tools with good-quality information, many of the findings from the Ponemon research reflect our own thoughts on the matter. SIEM tools play a crucial role in the security system of large enterprises but there are several aspects that could be improved significantly. The most important features of SIEM are the detection of threats through solutions such as user-behaviour analytics as well as anomaly detection and the prioritization of threats, vulnerabilities, and attacks.

Key findings

The Ponemon Report generated two principal observations of SIEMs. The first being that the operation and administration of SIEMs can be very expensive. The second being that although SIEMs function as the heart of Security Operation Centres, their efficiency is far from perfect. According to the report, only 25 percent of total SIEM cost is related to the initial purchase of the software. The remaining 75 percent of the cost is for installation, maintenance, and staffing. It’s clear customers expect their SIEMs to do more than churn out preconfigured alerts that require constant fine-tuning. The fact that 75 percent of the cost of ownership of SIEM systems goes on installation, maintenance, and staffing, should raise concern.

However, this isn’t the worst part. 70 percent of respondents say current SIEM technologies do not provide the most accurate, prioritized, and meaningful alerts. Meanwhile, 54 percent of users agree that their SIEM generates too much low-level data and too many alerts, making it difficult for security teams to focus on what matters most. 68 percent of users say their SIEM is useful, but they would need additional staff to maximize its value.

The solution

Luckily, the security industry has the answers to these issues. One solution is Log Management, the other Privileged Activity Monitoring. Log management systems can perform important pre-processing tasks and, most importantly, they can remove data which, from a security point of view, is unnecessary. This approach brings two serious advantages:

  • As the price of SIEM systems is mostly based on the event per second rate, reducing log data reduces the overall price of the solution, as well
  • Reducing the noise generated by irrelevant data makes it easier to focus on what matters most


Log management systems also solve the problem of long-term storage data. 79 percent of respondents say event and log data is stored in their SIEM for less than two months, however, 76 percent of respondents would ideally prefer to store event and log data for at least six months. Doing this within their SIEM systems is usually cost prohibitive. However, independent log management systems can offer a more cost-efficient alternative for long-term data storage.

Meanwhile, Privileged Access Management (PAM) solutions help organizations to understand the specific users and devices associated with security events reported by the SIEM. According to the Ponemon Report, this is something 61 percent of respondents wanted. PAM also helps with controlling the users’ access to privileged accounts; managing and controlling privileged sessions; monitoring the use of shared and superuser accounts; as well as collecting audit information for forensics situations, compliance reports etc.


Overall, the Ponemon Report highlighted many concerns users have with SIEM. Nevertheless, none of these issues are insurmountable. Organizations can optimize their SIEM through log management or PAM based solutions. Incorporating such solutions will increase user satisfaction as users will receive more valuable intelligence from their SIEM, as well as better identity context, and less “noise.”