A recent survey of security information and event management (SIEM) users in 559 large organizations across the U.S. found that while 76 percent of respondents value SIEM as a security tool, just 48 percent are satisfied with the intelligence they get from it.

The survey, conducted by the Ponemon Institute and sponsored by Cyphort, also found that just 25 percent of companies' investment in SIEM is related to the initial purchase of the software — the remaining 75 percent goes to installation, maintenance and staffing.

And while 78 percent of respondents have one or less full-time staff member assigned to SIEM administration, 64 percent spend over $1 million a year for external consultants and contractors to help with SIEM configuration and management.

Sixty-eight percent of respondents said that while their SIEM is useful, they would need additional staff to maximize its value.

"This data also indicates that the demand for trained security analysts exceeds the supply of skilled talent available to fill these positions," Ponemon Institute chairman and founder Dr. Larry Ponemon said in a statement.

What Enterprises Would Like to See in Their SIEM

Seventy-one percent would like to be able to automate specific SIEM-generated tasks in order to allow response teams to focus on priorities.

Seventy percent of respondents want their SIEM to generate fewer alerts that are more accurate, prioritized and meaningful — 54 percent said they get too much low-level data and too many alerts, making it hard to focus on what matters.

"The research data from the Ponemon Institute is consistent with the feedback we've been hearing from many organizations across the U.S. in terms of the problem with SIEMs," Cyphort chief marketing officer Franklyn Jones said in a statement. "The quantity of data is too high, while the quality of the data is too low. And there is inadequate staff to minimize that noise and maximize the underlying value."

Still, 84 percent of respondents said their SIEM is important, very important or essential to their incident response process.

"SIEM adoption was initially driven by the need for a long-term archive for log files, not as a security monitoring solution per se," John Marshall, vice president of technical services at STEALTHbits Technologies, told eSecurity Planet by email. "Hence the 'ingestion-volume'-based approach to licensing adopted by most vendors. It is the volume of data now being directed at what has become a hybrid solution that limits their effectiveness and drives operational cost and complexity."

"Vendor differentiation needs to be driven by a focus on new use case-centric capabilities around improving the quality of data inputs and for addressing the challenges of ongoing data management," Marshall suggested.

A recent eSecurity Planet article looked at top SIEM vendors and offered buying advice.

Photo courtesy of Shutterstock.