What Do Organizations Value Most in a SIEM/Security Analytics Provider? In a Word: Actionability

This is a guest blog post from Scott Crawford, Research Director of Information Security from 451 Research, A Part of S&P Global Market Intelligence.

In late 2020, 451 Research conducted its Voice of the Enterprise: Information Security, Vendor Evaluations study, which included a worldwide survey of enterprises using the technology of security information and event management (SIEM) and security analytics. Published in early 2021, that survey’s findings called out two attributes of SIEM/security analytics vendors that were most frequently rated ‘very important’ by respondents: the quality of reporting and alerts, and the integration and correlation of threat intelligence.

Nearly all study respondents (98%) said that the quality of SIEM reporting and alerts is important, with 74% calling it ‘very important’ – the largest such proportion of any response. Why should this matter to security teams? In one word: actionability.

In order to maintain vigilance over an environment, modern technologies generate a volume of monitoring and event data that can overwhelm security teams. SIEM and security analytics are designed to correlate findings and prioritize the most significant issues and events for response. These findings are often surfaced as reports and alerts. The response to alerts must be as close to immediate as possible, when minutes may count against a fast-moving adversary.

Consider, then, that according to this same survey, nearly half (49%) of all respondents indicate that their security teams investigate 20 or more alerts on any given day, while 26% investigate 100 or more alerts each day and 12.5% investigate 500 or more. Each one may require a response to keep the organization safe. Each one must be triaged to determine its priority.

Not every security team is able to cope – 38% of SIEM-using respondents to the 451 Research survey have no idea how many alerts they deal with in a typical day, while 30% said they couldn’t investigate more than half. This means that the information delivered to these teams must be as suitable for immediate action as possible. To assure this objective, a high quality of reporting and alerts is essential to identifying the most significant issues in effective ways and facilitating the most efficient security response.

This objective is also in view in the importance attached to a SIEM/security analytics vendor’s integration and correlation of threat intelligence into their offering. Here again, nearly all respondents to the 451 Research study (97%) called out this attribute as important, while 64% indicated it is ‘very important.’

Here, too, actionability is key. Issues and events that correspond to malicious activity observed ‘in the wild’ must be prioritized, since they reflect how adversaries are actually moving against their targets. SIEM and security analytics systems that make this correlation in ways that expedite a security team’s response can make a significant difference in keeping a attack target from becoming a victim.

Reporting and alerts that arm security teams with what they need to respond more effectively and prioritization based on adversary activity – these are just two of the attributes of SIEM/security analytics providers that surveyed organizations value. But they are the two that enterprises call out as most important for turning their investment into action that yields results.

To learn more, check out the "What SIEM/Security Analytics Attributes Are Most Important to Enterprises?" infographic.

Scott Crawford is the Research Director for Information Security with 451 Research, a part of S&P Global Market Intelligence. The former CISO of the Comprehensive Nuclear-Test-Ban Treaty Organization’s International Data Centre in Vienna, Austria, Scott has served as a technologist, security practitioner and strategist for major international organizations in both the public and private sectors.