Cyber alert overload creates new challenges for feds

New FedScoop survey finds the growing mix of threat intelligence systems, and cyber staff vacancies, complicate agency efforts to keep up with daily cyber alert overload.

FedScoop 2016 Report: Cyber Alert Overload

The continuing surge of cybersecurity threats, and the growing array of alert systems designed to flag them, is making it harder for federal agencies to respond effectively to the daily overload of alerts, according to new survey findings released by FedScoop.

The introduction of analytics systems and other technology products is helping IT departments identify and respond to anomalies in network activities and user behavior more quickly than before. However, the sheer volume of alerts, coming from a variety of security intelligence systems, has introduced something of a new challenge for network security managers in how to respond most efficiently to alerts coming from up and down the computing stack.

The study, for instance, found that one out of five government IT professionals responding to the survey reported that their IT teams have more than 20 distinct products or systems to detect, monitor and respond to cyberthreats; and 70 percent of respondents reported having five or more alert systems. Those products include everything from firewalls, intrusion and malware detection systems, to security event and incident management, or SEIM, tools.


The number of daily alerts has, in itself, become alarming. Nearly one out of 10 respondents reported their IT departments receive more than 50,000 cyberthreat alerts each day. Fully half of the survey respondents said their security systems trigger more than 1,000 alerts a day.

At the same time, government IT professionals highlighted the significant challenge they face finding, training and retaining cybersecurity specialists to keep up with the alerts.  On average, two out of three government respondents — and one-third of respondents who work for contractors or industry — said it takes at least six months to hire a qualified cybersecurity professional. And more than half of both groups say they having difficulty finding the specialists they need for the majority of positions currently open.

The FedScoop findings reflect the views of executives, senior and mid-level IT professionals who are either heavily, regularly or somewhat involved with the operation or strategy of security systems. Of those polled, 77 percent work at federal government agencies and 23 percent work for government IT industry/contractors. The survey was conducted entirely online, in March 2016, by FedScoop and underwritten by Forcepoint.

“I would agree that agencies have an over-abundance of reporting devices and alerts from all angles, and putting it into context requires a well-integrated security information and event management system,” said the CIO of a federal agency who reacted to the results under the condition he not be identified. “We are increasingly drowning in data,” he said, adding, “for any security environment, complexity is a silent killer.”

Complicating security response, Forcepoint Federal Chief Technology Officer George Kamis said, is the problem of “alert fatigue,” where people stop paying attention because of so many alerts. That was a key factor in the Target credit card system breach, he said: “The alerts were there, but they were just ignored because there were so many.”


While threat intelligence systems are helping IT departments automatically prioritize threat alerts, and even activate predetermined responses, the ever-changing nature of threats and their escalating volume make it hard to keep up.

  • Only one out of three government respondents have a single, integrated view of threats, compared to half of industry respondents.
  • Only about half of government respondents have end-to-end visibility of their networks and user activity, compared to three-quarters of industry respondents.
  • Only 15 percent of government respondents, compared to 45 percent of industry respondents can identify a threat on the network within one hour; and more than half of government respondents said it could take a day, weeks or months to detect network threats.

The study also found that only about four out of 10 respondents currently track dwell time — the length of time attackers were on respondents’ networks before they left or were ejected — and that only a minority of respondents said they had the ability to predict attacks.

Clearly gaps in staffing and resources are compounding the challenge for IT leaders. That’s true for industry, but particularly so for government agencies, where limited pay scales and hiring red tape make attracting experienced talent difficult. A quarter of government respondents in the survey said at least 25 percent of budgeted cybersecurity positions remain vacant at their agencies.

While there is no single answer, experts at companies such as Forcepoint urged IT departments to take steps to gain real-time situational awareness of the users, devices and activities on the network. They also urged IT departments to integrate cyberthreat monitoring, diagnostics and mitigation systems into a single, centralized view, and to do more to automate their mitigation efforts.


FedScoop Cyber Alert Overload Study. 5.12.16 by FedScoop

Latest Podcasts