July 26, 2023 By Jonathan Reed 4 min read

Rising risk, long incident remediation times and high security costs — these things keep security professionals up at night. But SIEM can make a positive difference in all three, according to a recent report.

Security information and event management (SIEM) frameworks help enterprises monitor, manage and mitigate the impact of cyberattacks. With the rising number of threats and the serious financial implications, SIEM has gained the attention of security teams worldwide.

In fact, the global SIEM market size reached $5.2 billion in 2022. Looking forward, the market is expected to reach $8.5 billion by 2028, exhibiting a compound annual growth rate (CAGR) of 11.5% during 2023-2028.

But how well does SIEM really work? Are the frameworks really worth the cost?

QRadar SIEM improves security with high ROI

Forrester Consulting recently conducted a Total Economic Impact™ (TEI) study to examine the potential return on investment (ROI) enterprises may realize by deploying the IBM QRadar SIEM framework. The purpose of the study was to evaluate the potential financial impact of SIEM on their organizations. And the study results were impressive.

For example, after implementing QRadar SIEM:

  • Analysts investigating incidents saved over 90% of their time
  • The return on investment (ROI) was 239%
  • The net present value (NPV) was calculated to be $4.3 million

Life before QRadar SIEM

Before using QRadar SIEM, some organizations in the study manually monitored security alerts and evaluated log data with no structured log collection, analysis and correlation. Others used another security information and event management platform.

According to Forrester, the companies’ earlier approaches led to risk exposure due to limited visibility into security threats, an inability to monitor network flows, high SOC workloads and time-consuming regulatory compliance.

An IT manager at an organization included in the study said, “We had a big pile of log data, separated into different folders and files depending on the source, but nothing to help us find anything useful in it. If we had a problem, we would look in various files hoping to find the right one.” The IT manager continued, “A few years ago, we had a major incident. Some people entered and worked through our system from one end to the other for several days before we realized what was happening.”


Not all SIEMs are created equal

Just because a platform calls itself SIEM doesn’t mean it measures up to the highest standards. Interviewees in the Forrester study whose organizations previously used a suboptimal SIEM noted that older systems were difficult to use. Other SIEM solutions didn’t deliver enough context, correlation or insights about the organization’s security environments.

An IT security engineering manager at a utility said, “Our [previous] SIEM was more effective for simple storage than correlation, analysis or reporting. And it wasn’t useful for real-time detection or investigation of security incidents.”

Quantitative cost-benefit analysis

Based on company interviews, Forrester constructed a TEI framework, a composite company and an ROI analysis. The composite organization (a global company with a revenue of $3 billion per year) is representative of all the interviewees involved in the study. From there, the report’s authors calculated the three-year, risk-adjusted present value (PV) quantified benefits for a composite organization.

The quantified benefits of QRadar SIEM include:

  • Reduced risk and cost of a significant security breach (valued at $1.7 million): QRadar enables faster detection of suspicious activity; enhanced ingestion of network traffic data and event log data; improved analyst ability to investigate suspicious activities; and more analyst capacity to address true positives.
  • Reduced time spent on false positives (valued at ~$814,000): Security teams spend less time analyzing log data to identify true positive alerts. QRadar SIEM also reduces the total number of alerts generated.
  • Reduced time spent investigating incidents (valued at $2.8 million): Reduces time to identify affected assets, check indicators of compromise (IOCs), correlate historical data and enrich security data.
  • Decreased security analyst staffing costs (valued at $167,000): Enables less experienced, less expensive analysts to perform with a higher level of confidence. QRadar SIEM distills the analytical structure and insights for analysts with less experience.
  • Decreased compliance staffing costs (valued at $652,000): Reduces the effort required to ensure and monitor compliance with security-related regulations. Improves ability to conduct audits, collect data and produce reports to demonstrate compliance.

The representative interviews and financial analysis in the study found that a composite organization saves $6.1 million over three years with QRadar SIEM. Meanwhile, the cost of implementation totaled $1.8 million. The result is a net present value (NPV) of $4.3 million and an ROI of 239%.

Additional unquantified benefits

Other QRadar SIEM benefits not quantified in the study include:

  • Operational insights and time savings for users beyond the security team. Extensive information captured in the SIEM provides insights and saves time for security analysts, IT operations, help desk and developer staff, so troubleshooting and operational issues are resolved faster.
  • Enhanced ability to brief executives on security. SOC leaders can quickly quantify an organization’s security posture. This makes briefing the C-suite easier.
  • Gives security analysts more time. Analysts have more time to improve their organizations’ overall security posture.
  • Incremental revenue and customer retention. SIEM gives a company’s prospects and customers greater confidence in the organization’s security posture.

QRadar SIEM helps security pros sleep at night

Security pros are losing sleep over increased risk, delayed incident remediation and rising security costs. Plus, the cybersecurity talent crunch has left many organizations scrambling to keep up. The Forrester study shows how QRadar SIEM can positively impact all these areas.

An IT manager at a research organization said in the study: “If we can identify and stop a breach faster, it decreases the scope and cost, including reputational damage and other consequences. A really big breach could destroy our customers’ trust and effectively put us out of business. QRadar SIEM helps us to quickly detect suspicious activity, understand what’s happening and stop it from spreading.”

“Previously, we wouldn’t have had any junior security analysts because we just couldn’t have a more junior person doing that work. Now we’ve got several junior analysts because so much gets aggregated and systematized in QRadar SIEM,” said a team lead at a threat management center for a financial services firm.

Sleep well, cyber pro.
