Nov 15 2023

Tackling Alert Fatigue: How Local Agencies Can Defend Against Cyberthreats

Already facing staffing challenges, government security operations centers sometimes cannot investigate all alarms.

Cybersecurity alerts help state and local governments to fend off attacks. But nobody can stay vigilant amid a daily onslaught of alarms requiring a constant sifting of legitimate threats from worthless noise.

Alert fatigue is an age-old human problem. From the boy who cried wolf to medical professionals facing crucial health decisions, our brains shut down when presented with too many flashing lights and blaring horns.

A well-known medical study of warnings generated by physician order entry software found that doctors tuned out notifications with alarming regularity: Physicians overrode 91 percent of drug allergy and 89 percent of high-severity drug interaction alerts.

And so it goes at the security operations center. “Endpoint detection and response is great and all, but it is notoriously chatty,” says Craig Robinson, research vice president of security services for IDC. “The IT manager and that half a security person working for them are overwhelmed.”

Robinson penned a recent white paper that notes that a quarter of intrusion alerts go uninvestigated, regardless of an organization’s size. Users spend about half an hour chasing down each false positive or actual alarm.

“This lack of productivity and the frustration with chasing false positives have been escalated to the top of the organizational chain of command,” Robinson writes in the white paper. “CISOs, CIOs and others who are responsible for security must explain to the board and other members of the C-suite why they are experiencing high turnover and empty seats in their SOCs while ransomware and other high-profile exploits dominate news cycles.”

Why Is Alert Fatigue a Challenge for State and Local Governments?

For state and local governments, a lack of resources is at the heart of the problem.

“They don’t pay very well so it’s hard to retain talent,” says Terry McGraw, vice president of global cyber threat analysis for Secureworks. The private sector remunerates cybersecurity workers 12 to 14 percent more than public organizations. Turnover at state agency IT departments is a constant problem.

Plus, there’s a dearth of qualified cybersecurity candidates across all sectors. “There’s a lack of talent out there that can sift through this stuff and make intelligent decisions,” Robinson says. “It takes seasoning, and you can’t grab that kid off the street.”

Davie, Fla., CIO Nelson Martinez has seen the problem firsthand. “You end up with two or three guys spinning their wheels on ice. They have 10 different consoles to look at with so many logs being generated per second. There’s no way that any IT organization can get their hands around it.”

Can Layered Defenses Help Local Agencies Address Alert Fatigue?

Layering defenses is a rallying cry in cybersecurity. But when it comes to alert fatigue, it’s part of the problem.

“Technology can help solve the problem, but the more tech you have in place, the more alerts you’re likely to get,” says Ryan Witt, vice president of industry solutions at Proofpoint.

The IDC white paper arrives at the same conclusion: “Relying on tools that are not fully implemented or that do not have the proper visibility and automation to detect and respond to threats — combined with overwhelmed or insufficient staffing — is not acceptable to an organization’s stakeholders.”

For Robinson, the only real solution is a managed service. “MDR providers are more likely to take the entire detection, containment and response function all the way through to completion,” he writes.

Can Outsourcing Help Local Agencies Address Alert Fatigue?

In Davie, Martinez hired Secureworks. “You have to bring in a service to tame the beast,” he says.

The company’s platform allows customers’ sensing tools to plug in, then scours the data for trouble. It also offers vulnerability assessments, penetration testing, threat hunting and log management.

“We go looking for new tradecraft and offer incident response,” says McGraw. “Often, it’s cheaper to have Secureworks come in and do all of the work than to hire an in-house analyst.”

However, it’s not as simple as hiring a managed service provider and then going to lunch. “It’s not just getting a product up and running but the fine tuning that goes along with it,” Martinez says. He has consulted closely with Secureworks to customize his organization’s threat protection. “They worked with the customer to establish what’s normal for the town of Davie. No one-size-fits-all,” he says.

Pratul Kant also depends on the Secureworks platform. He’s the chief of information security for San Francisco’s Metropolitan Transportation Commission and has two people on his cybersecurity team.

“I avoided the fatigue proactively,” he says. “You can’t build a system to track all of these alerts. Secureworks is our SOC.”

Can Automation Help Local Agencies Address Alert Fatigue?

Cybercriminals are exceedingly adept at selecting their marks, says James Yeager, vice president of public sector operations for CrowdStrike.

“They’re going after the weak and under-resourced people,” he says.

That makes state and local governments a target-rich environment. The company’s Falcon platform acts as a security layer across multiple domains, Yeager says. It includes managed detection and response, threat hunting and a large dose of automation. “AI has been the muscle in our brains for 12 years now.”

The bad guys also constantly evolve their methods of attack. “We learned during COVID how attentive threat actors were to the news cycle,” says Witt.

They often hid malware in email-based news alerts. Proofpoint’s solutions are based on strong front-end blocking and robust email security, sandboxing, controlled third-party links, automation tools and training. That means analyzing content, behavior and threats from a single, cloud-native console.

“We’re spending most of our time on level one and two alerts,” says Witt.

Sumo Logic, Arctic Wolf and Microsoft are also in the space. Microsoft offers several methods to reduce alert fatigue, including native integration of security applications, black hat watchlists and user and entity behavior analytics.

Can Federal Funding Address State and Local Alert Fatigue?

There is some good news for cash-strapped public IT departments: In August, the U.S. Department of Homeland Security announced $375 million available through the State and Local Cybersecurity Grant Program. The money comes in part from the landmark infrastructure law passed in 2021.

“In today’s threat environment, any locality is vulnerable to a devastating cyberattack targeted at a hospital, school, water or other system,” said Secretary of Homeland Security Alejandro N. Mayorkas in a statement. “The Department of Homeland Security is helping to ensure that every community, regardless of size, funding or resources, can meet these threats and keep their residents and their critical infrastructure safe and secure.”

The program is jointly administered by the Cybersecurity and Infrastructure Security Agency and the Federal Emergency Management Agency.

“State and local entities have done a good job crying for help on Capitol Hill,” Yeager says. Some of that money is flowing to whole-of-state initiatives attempting to break down historical barriers that have stymied effective cybersecurity in the past.

“The money is not unlimited. Applicants must get their acts together,” Yeager says.
