Security Information and Event Management (SIEM) is a powerful technology that allows security operations teams to collect, correlate and analyze log data from a variety of systems across the entire IT infrastructure stack to identify and report security threats and suspicious activity.
The 2020 SIEM Survey Report represents one of the most comprehensive surveys on SIEM to date, designed to explore the latest trends, key challenges, and solution preferences for SIEM.
Key findings include:
• 75% believe SIEM is very important to extremely important to their organization’s security posture.
• 82% rate the effectiveness of their SIEM positively.
• Top three benefits to SIEM are faster detection and response, better visibility, and more efficient security operations.
• 74% have seen a reduction in security breaches as a result of using SIEM.
Confidence In Overall Security Posture
A majority of cybersecurity professionals (56%) feel, at best, only somewhat confident in their organization’s overall security posture.
Importance of SIEM
Among the various security controls and technologies, SIEM plays a critical role in organizations’ security postures. For 75% of IT security professionals, SIEM is very to extremely important.
Nearly seven out of 10 organizations in our survey already use SIEM platforms for security information and event management. Twenty-three percent are planning to implement SIEM in the future. Organizations that actively use SIEM technology report higher confidence in their overall security posture (53%) than organizations that do not use SIEM (44%).
The majority of SIEM deployments are still delivered on-premises (51%). However, hybrid deployments of SIEM with on-premises and service-based components are gaining momentum (25%), a four percent increase from last year's report (21%).
A large majority (82%) rate the effectiveness of their SIEM positively in its ability to identify and remediate cyber threats.
When asked about the main benefits organizations derive from their SIEM platform, the ability to provide faster detection of and response to security events is most important (17%). Better visibility into threats jumped to second place this year (15%), followed by more efficient security operations (13%) – all key elements of the core value proposition of SIEM.
SIEM Reduces Breaches
Nearly three quarters of respondents confirmed that their deployment and use of SIEM resulted not only in improved ability to detect threats but also in a measurable reduction of security breaches for their organization (74%). This is the ultimate confirmation of the technology’s overall value and effectiveness.
Speed of Detection
SIEM users confirm that eight out of 10 security events are detected within hours – more than half of them within minutes (57%). It is reassuring to see only a very small fraction of respondents report their SIEM detects security events only after weeks or months of dwell time.
When asked about the negative impact security incidents had on an organization’s business, reduced employee productivity (32%) and negative impact on IT staff resources (30%) are the most frequently highlighted areas. Surprisingly, few respondents mentioned regulatory fines (5%), customer loss (8%) or negative publicity (10%) as a result of security breaches.
Organizations report that their SIEM platform is most effective at detecting unauthorized access (50%), followed by advanced persistent threats (40%) and malware (38%).
• Hijacking of accounts, services or resources: 33%
• Phishing attacks: 31%
• Ransomware: 31%
• Zero-day attacks (against publicly unknown vulnerabilities): 25%
• Cryptojacking: 15%
• Other: 5%
SIEM platforms are typically highly integrated with other systems and applications to increase the breadth of data that is analyzed to alert and report on security events. The most common integrations are with intrusion detection and prevention systems (59%), followed by next-generation firewalls (54%) and application logs (49%).
• Data Loss Prevention (DLP): 40%
• Vulnerability management tools (scanners, configuration and patch management, etc.): 39%
• Vulnerability Management (VM): 39%
• Identity and Access Management (IAM): 36%
• User behavior monitoring: 36%
• Threat intelligence from security vendors: 35%
• Network Access Control (NAC): 34%
• Static endpoints (PC, endpoint protection, log collectors): 33%
• Security intelligence feeds from third-party services: 33%
• Network packet-based detection: 30%
• Relational databases (transactions, event logs, audit logs): 30%
• Unified Threat Management (UTM): 29%
• Dedicated log management platform: 29%
• Cloud activity: 29%
• Netflow: 29%
• Endpoint detection and response: 28%
• Mobile endpoints (mobile devices, MDMs, mobile apps): 28%
• Whois/DNS/Dig and other Internet lookup tools: 26%
• Network-based malware sandbox platforms: 24%
• Anti Denial of Service solution (Anti DDoS): 24%
• Asset discovery: 18%
• SIEM technologies: 17%
• Management systems for unstructured data sources (NoSQL, Hadoop): 16%
• Social media applications (Facebook, Twitter): 13%
• Other: 5%
SIEM Evaluation Criteria
As organizations evaluate new SIEM platforms, some decision criteria are more important than others. Cost considerations lead the list (65%), followed closely by product performance and effectiveness (64%) and product features (59%). Surprisingly, customer reviews (20%) are less important for organizations evaluating SIEM solutions in the market. (Other: 5%)
SIEM Use Cases
The survey reveals that the most important use case for SIEM is monitoring, correlation and analysis of event data across multiple systems and applications (72%), followed by aiding with the discovery of external and internal threats (59%) and user monitoring (49%).
• Provide analytics and workflow to support incident response: 39%
• Monitor a combination of cloud and on-premises infrastructure (as opposed to cloud-only or on-premises-only): 35%
• Detect industry/vertical specific attacks (e.g. healthcare break-the-glass, financial fraud): 34%
• Detect threats in cloud architecture including cloud access control (CASB): 31%
• Other: 1%
Methodology & Demographics
This report is based on the results of a comprehensive online survey of cybersecurity professionals to gain more insight into the latest trends, key challenges and solutions for SIEM. The respondents range from technical executives to managers and IT security practitioners, representing a balanced cross-section of organizations of varying sizes across multiple industries.