Finding the Signal Through the Noise

Partner: Securonix

While “what you don’t know can’t hurt you” is a dangerous myth in security, modern organizations are now cursed with more knowledge than they can reasonably process into action. This report, a collaboration between Securonix and the Cyentia Institute, analyzes 54 billion security events to quantify SIEM effectiveness. We explore the tipping point where increasing visibility stops being an asset and begins overwhelming the security operations center (SOC).

The data confirms that visibility is a double-edged sword: for every seven data sources added, the number of policies doubles, leading to an exponential surge in noise. When an organization doubles its policy count, the violation rate surges by 6.1 times, effectively burying “concerning” signals under a mountain of commodity threats. The report also finds that only 0.8% of policies generate data that analysts actually mark as “concerning”.

The study also provides a “Pareto rule” for threat detection: 78% of what analysts actually look at is generated by only about 20% of policies. By identifying “chatty but informative” sources versus those that are simply “chatty,” organizations can tune their SIEM to save massive amounts of SOC effort. This research provides the benchmarks needed to calibrate SIEM performance and shift the focus from increasing volume to improving signal quality.

Key Findings

  • The Policy Doubling Rate: For approximately every seven data sources an organization adds to its SIEM, the total number of monitoring policies doubles.
  • The 6.1X Violation Surge: Doubling the number of monitoring policies leads to a 6.1-fold increase in the number of first-layer alerts (violations) per second.
  • The Adjudication Decline: Doubling an organization’s violation rate correlates with a 42.2% decrease in the percentage of violations that actually receive human adjudication.
  • The 0.8% Detection Signal: A tiny minority—only 0.8%—of all SIEM policies generate alerts that analysts eventually mark as “concerning” security events.
  • Pareto Detection Patterns: 20% of SIEM policies account for 78% of all alerts that analysts actually investigate, demonstrating an extreme “heavy-tailed” effect.
  • High-Precision Data Sources: Application-specific policies have the highest signal quality, with only 0.2% of their alerts marked as non-concerning.
  • Cloud-First Visibility: Organizations that utilize cloud-based Next-Gen SIEM reveal significantly more actionable insights than those working in isolation.
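The Pareto and "chatty vs. chatty but informative" analysis described above, as an added example (not code from the report or from Securonix/Cyentia): it takes per-violation records of whether an analyst adjudicated the alert and marked it concerning, measures how concentrated adjudicated alerts are across policies, and labels each policy by volume and precision. The policy names, thresholds and counts are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of SIEM violations as (policy, adjudicated, concerning).
# Values are illustrative only, not data from the Securonix/Cyentia report.
SAMPLE_VIOLATIONS = (
    [("failed_logins", True, False)] * 40 + [("failed_logins", False, False)] * 160
    + [("dns_beaconing", True, True)] * 12 + [("dns_beaconing", True, False)] * 8
    + [("dns_beaconing", False, False)] * 30
    + [("rare_parent_process", True, True)] * 3 + [("rare_parent_process", False, False)] * 2
    + [("port_scan", True, False)] * 10 + [("port_scan", False, False)] * 90
    + [("dns_txt_query", False, False)] * 5
)


def summarize(violations):
    """Aggregate per-policy counts of violations, adjudicated ones and concerning ones."""
    stats = defaultdict(lambda: {"violations": 0, "adjudicated": 0, "concerning": 0})
    for policy, adjudicated, concerning in violations:
        stats[policy]["violations"] += 1
        stats[policy]["adjudicated"] += int(adjudicated)
        stats[policy]["concerning"] += int(concerning)
    return dict(stats)


def top_policy_share(stats, top_fraction=0.2, key="adjudicated"):
    """Share of `key` events produced by the top `top_fraction` of policies (Pareto check)."""
    ranked = sorted((s[key] for s in stats.values()), reverse=True)
    n_top = max(1, round(len(ranked) * top_fraction))
    total = sum(ranked)
    return sum(ranked[:n_top]) / total if total else 0.0


def classify(stats, chatty_threshold=50):
    """Label policies by volume and precision (concerning / adjudicated) to find tuning candidates."""
    labels = {}
    for policy, s in stats.items():
        precision = s["concerning"] / s["adjudicated"] if s["adjudicated"] else 0.0
        if s["violations"] >= chatty_threshold:
            labels[policy] = "chatty but informative" if precision > 0 else "chatty (tuning candidate)"
        else:
            labels[policy] = "informative" if precision > 0 else "quiet"
    return labels


if __name__ == "__main__":
    stats = summarize(SAMPLE_VIOLATIONS)
    print(f"top 20% of policies produce {top_policy_share(stats):.0%} of adjudicated alerts")
    for policy, label in classify(stats).items():
        print(f"{policy:22s} {stats[policy]['violations']:4d} violations  {label}")
```

Policies labelled "chatty (tuning candidate)" are the ones whose volume drives down the adjudication rate without ever producing a concerning finding, which is where threshold or scope tuning pays off first.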
