Why Attacks Are Successful

Siloed Processes

Each team monitors only its own area of specialization, such as networks, endpoints or mobile devices, while successful attacks often span multiple vectors at the same time.

All Relevant Data Not Collected

Any timestamped event can turn out to be evidence of an attack, but in most cases not all event data is captured because of storage and scalability limits.

Normalized Data Loses Fidelity

Normalizing data into flat files is acceptable for real-time threat analysis, but if a breach develops over time, the original data is no longer available in a form that can be analyzed accurately.
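To make the fidelity point concrete, here is an added example (not code from the original page) that normalizes a constructed authentication event into a flat schema, shows that a real-time rule still works on the flat record, and shows that a later investigative question cannot be answered from it unless the raw event was retained alongside. The event format, field names and the `logon_type`/`auth_package` detail fields are assumptions made up for the illustration.

```python
"""Added example: why a flat, normalized schema loses fidelity for later
investigation. All log content and field names are constructed."""
import json
from typing import Optional

# Constructed sample: a raw logon event with a vendor-specific detail block.
# The flat schema used for real-time correlation keeps only common fields.
RAW_EVENT = json.dumps({
    "ts": "2024-03-02T10:15:42Z",
    "source": "auth-gateway",
    "event": "logon",
    "outcome": "success",
    "user": "alice",
    "src_ip": "203.0.113.7",
    "detail": {"logon_type": 10, "auth_package": "NTLM", "workstation": "WS-17"},
})

FLAT_FIELDS = ("ts", "source", "event", "outcome", "user", "src_ip")


def normalize(raw: str) -> dict:
    """Flatten a raw event to the common schema; everything else is dropped."""
    obj = json.loads(raw)
    return {k: obj.get(k) for k in FLAT_FIELDS}


def realtime_rule(event: dict) -> bool:
    """Real-time use case: flag successful logons from outside 10.0.0.0/8.
    Works on the normalized record because it only needs outcome and src_ip."""
    return event["outcome"] == "success" and not event["src_ip"].startswith("10.")


def retrospective_query(event: dict) -> Optional[bool]:
    """Weeks later an investigator asks: was this an NTLM remote-interactive
    logon (constructed: logon_type 10)? That needs detail fields the flat
    schema never kept. Returns None when the record cannot answer it."""
    detail = event.get("detail")
    if detail is None:
        return None
    return detail.get("logon_type") == 10 and detail.get("auth_package") == "NTLM"


def store_both(raw: str) -> dict:
    """Mitigation: keep the normalized view for fast correlation and the raw
    record for later fidelity, instead of storing only the flat file."""
    return {"normalized": normalize(raw), "raw": json.loads(raw)}
```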

Data Not Stored Long Enough

Due to storage limitations, event data is usually purged after a few months unless it must be retained for compliance reasons. That means it is simply not available for analysis over longer periods of time.

Cumbersome Data Access

Analysts are not always able to get answers quickly because of the complexity of accessing and querying the large volumes of event data they need for forensics and incident investigations.

Answers Hard to Get

Most SIEM tools were not built for sophisticated analysis across large volumes of data and do not present analysts with views in the context of their requirements. Proprietary consoles often lead to additional training costs.