Managing cyber alert overload: how to find high-priority threat signals amid the noise

By Chriss Knisley, May 23, 2016 | SHARE

A new study by FedScoop finds that one-third of government and industry IT professionals surveyed say they receive more than 1,000 cyber-threat alerts per day, with 10 percent saying they receive more than 50,000 alerts daily.

This tidal wave of alerting is due in part to the proliferation of “firewalls, intrusion and malware detection systems [and] security event and incident management, or SEIM, tools,” and it has left IT officials and staff confused as to what is most pressing and in need of a rapid response. “I would agree that agencies have an over-abundance of reporting devices and alerts from all angles,” said one federal CIO. “We are increasingly drowning in data.

A major challenge for security professionals is that most cyber-detection solutions rely on big-data analytics approaches that easily scale to support ever-increasing volumes of data, but generally at the expense of organizational size and efficiency:  more and more analysts must be hired to chase after escalating false positives or explore interactive visualizations to glean useful insights. These approaches also tend to overlook weak or previously unseen indicators of important risks. Since the volume, velocity and variety of available data is increasing exponentially, the problem is only getting worse.

Haystax Technology takes a different approach, focusing first on capturing security expertise into a model that can be run at machine scale to quickly seek out the highest-priority threat signals and then applying streaming or batch data to the model. This ‘model-first’ approach addresses a number of key problem areas specifically identified in the survey, including the ones below:

Current Situation Model-First Approach
“The sheer volume of security alerts demands a comprehensive approach to prioritize response” By starting with an expert model of the specific domain threat indicators and detection challenges, a model-first solution ‘knows’ the highest priority threats in advance and can not only filter out a far greater amount of noise but also detect weak signals that humans or data-driven systems are likely to overlook.
“The longer the delay in detecting a threat, the more costly the potential damage” A model-first, analytics-based approach not only identifies a threat indicator, but instantly prioritizes it in context, enabling teams to focus on the most critical items first.
“The lack of prediction tools makes it harder for IT teams to get ahead of potential cyber threats” Model-first solutions with good domain threat models capture the latest predictive expertise, and easily grows in sophistication and predictive ability as new data sets become available and as new threats, anomalous patterns and behavioral trends emerge. The model learns from both experts and data.
“The lack of a single, integrated, end-to-end view of activity creates a significant handicap in detecting – and responding to – cyber threats” The model-first approach recognizes the significant investment in various network sensors and cyber threat systems and tools and leverages the valuable feeds they produce, combining them with signals from a wide array of new data sources to provide a single environment to detect high-priority threats across the enterprise.


The Haystax Constellation security analytics system delivers the kind of actionable insights into complex risk and uncertainty that IT leaders and analysts need every day, helping them achieve and maintain greater threat awareness so they can respond in a shorter amount of time. For more information, please visit

Chriss Knisley is President of Haystax Technology.