May 4, 2015 By Jaikumar Vijayan 2 min read

A new survey by MeriTalk suggests many government agencies hold an overly optimistic estimate of how long cyberthreats remain undetected on their networks.

Optimistic Estimates

MeriTalk, a public-private partnership focused on improving government IT security, surveyed a total of 302 cybersecurity professionals from federal, state and local government agencies to get an idea of their current state of cybersecurity preparedness. Conducted in March, the study found government IT security professionals estimate that cyberthreats, including intrusions, existed on their networks for an average of just 16 days before they were detected.

That figure is far lower than the dwell times reported by government entities that actually suffered a recent data breach.

The Reality

Big data vendor Splunk, which underwrote the MeriTalk study, points to last year’s breach at government security clearance contractor USIS as one example. In that incident, personal records belonging to an estimated 25,000 employees at the U.S. Department of Homeland Security were exposed, but the contractor did not know about the intrusion for months.

Security vendor Mandiant, which has performed forensic investigations into numerous data breaches over the past few years, reported last year that the median time threat actors remained undetected on a victim’s network was 229 days. The longest dwell time it observed in those investigations was an astounding 2,287 days.

“There are a number of reports focused more broadly on commercial and public-sector organizations, suggesting that attackers are present on victim networks for an average of over 200 days before they are discovered,” a Splunk representative said in an email.

Lack of Visibility Into Government Networks

Against that background, the MeriTalk survey results seem startling.

“This shows that most public-sector agencies are far more optimistic than the reality,” according to Splunk.

Respondents in the MeriTalk survey reported collecting more threat-related data than ever before from sources such as vulnerability scans, mail logs, virtual private network logs and Dynamic Host Configuration Protocol logs. However, many are struggling to make sense of the data deluge, the report also showed.

Nearly 7 in 10 government cybersecurity professionals reported being overwhelmed by the volume of data their security systems collect. Some 78 percent said at least some of the data they collect goes unanalyzed because they have neither the time nor the resources to examine it.

Ignoring Alerts

This statistic is important. Organizations have deployed numerous security controls over the years, many of which are set up to raise alerts on network intrusions and other malicious activity. However, such alerts are often ignored because of the sheer volume of data the systems generate and the lack of resources to inspect it. With the Target breach, for instance, the company acknowledged that one of its security alerting systems had warned of the intrusion. The alerts were not acted upon, and their significance was only recognized after the breach had been discovered.

The survey found that 70 percent of the agencies represented can conduct a root-cause analysis of a security incident to find out what caused it, yet that analysis succeeds only 49 percent of the time. Nearly 90 percent of the cybersecurity professionals surveyed said they are unable to tell a complete story with the security data they gather, according to Splunk.

“These findings validate the fact that most are not using a single platform to address their needs,” the company said. “Data is everywhere. It’s disconnected, siloed.”
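The “complete story” problem described above is concrete: a VPN log knows which user holds an address, a DHCP log knows which host holds another, an IDS alert carries only an address and a signature, and a ticketing or SOC log records when someone finally looked. Nothing joins them unless something is built to do so. The Python below is an added example and is not code from Splunk, MeriTalk or any product the article mentions; the log lines are constructed, and their formats, the hypothetical `dhcpd`, `vpn`, `ids` and `soc` sources, and the `who_had` and `dwell_time` helpers are all assumptions made for the illustration. It shows time-bounded attribution of an address to an identity (so a DHCP lease reused by a new device is not blamed on the previous owner) and a dwell-time measurement from the first high-severity alert on an address to the SOC acknowledgment of it; an alert that nobody ever acknowledged yields `None`, which is exactly the “undetected” case the survey respondents were estimating.

```python
"""Join siloed DHCP, VPN, IDS and SOC-triage logs into one attributed timeline
and measure dwell time.  Added example with constructed logs in hypothetical
formats; not code from Splunk, MeriTalk or any real product."""
import re
from datetime import datetime, timezone

# Constructed sample logs (hypothetical formats). Story: jdoe's VPN session is
# re-established from a new source address and the assigned VPN address then
# beacons back to that source; next morning an unknown device inherits a DHCP
# lease a finance laptop held the day before and beacons to the same place.
DHCP_LOG = """\
2015-03-02T08:01:10Z dhcpd: DHCPACK on 10.20.5.91 to aa:bb:cc:dd:ee:02 (FIN-LAPTOP-3)
2015-03-03T08:03:55Z dhcpd: DHCPACK on 10.20.5.91 to aa:bb:cc:dd:ee:07 (UNKNOWN-DEV)
"""
VPN_LOG = """\
2015-03-02T22:14:05Z vpn: event=login user=jdoe src=203.0.113.9 assigned=10.20.9.15
2015-03-03T03:40:21Z vpn: event=login user=jdoe src=198.51.100.77 assigned=10.20.9.15
"""
IDS_LOG = """\
2015-03-02T10:30:00Z ids: sig="Port scan" src=10.20.5.91 dst=10.20.0.0/16 severity=low
2015-03-03T03:52:44Z ids: sig="Suspicious outbound beacon" src=10.20.9.15 dst=198.51.100.77 severity=high
2015-03-03T09:15:12Z ids: sig="Suspicious outbound beacon" src=10.20.5.91 dst=198.51.100.77 severity=high
"""
SOC_LOG = """\
2015-03-20T14:30:00Z soc: event=ack analyst=asmith src=10.20.9.15
"""
ALL_LOGS = (DHCP_LOG, VPN_LOG, IDS_LOG, SOC_LOG)

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')       # key=value or key="quoted value"
DHCP_RE = re.compile(r"DHCPACK on (\S+) to (\S+) \((\S+)\)")


def parse_ts(s):
    return datetime.strptime(s, TS_FMT).replace(tzinfo=timezone.utc)


def parse(log):
    """Return [(ts, source, fields)] for lines shaped 'TS source: ...'."""
    events = []
    for line in log.splitlines():
        ts_s, source, rest = line.split(" ", 2)
        source = source.rstrip(":")
        if source == "dhcpd":                    # free-text dhcpd-style line
            ip, mac, host = DHCP_RE.search(rest).groups()
            fields = {"ip": ip, "mac": mac, "host": host}
        else:                                    # key=value lines
            fields = {k: v.strip('"') for k, v in KV.findall(rest)}
        events.append((parse_ts(ts_s), source, fields))
    return events


def load_all(logs=ALL_LOGS):
    return sorted((e for log in logs for e in parse(log)), key=lambda e: e[0])


def assignments(events):
    """Time-ordered (ts, ip, identity) from every source that binds an address."""
    out = []
    for ts, source, f in events:
        if source == "dhcpd":
            out.append((ts, f["ip"], f"host:{f['host']}"))
        elif source == "vpn" and f.get("event") == "login":
            out.append((ts, f["assigned"], f"user:{f['user']}@{f['src']}"))
    return sorted(out, key=lambda a: a[0])


def who_had(ip, at, assigns):
    """Identity holding `ip` at time `at`: the latest binding at or before `at`.
    A join on IP alone names whoever holds the address now, which is wrong as
    soon as DHCP or the VPN pool reuses it."""
    ident = None
    for ts, a_ip, a_ident in assigns:
        if a_ip == ip and ts <= at:
            ident = a_ident
    return ident


def build_timeline(events):
    """Attribute each IDS alert and SOC action to the identity behind its address."""
    assigns = assignments(events)
    timeline = []
    for ts, source, f in events:
        if source == "ids":
            who = who_had(f["src"], ts, assigns)
            timeline.append((ts, who, f"{f['sig']} -> {f['dst']} [{f['severity']}]"))
        elif source == "soc":
            who = who_had(f["src"], ts, assigns)
            timeline.append((ts, who, f"SOC {f['event']} by {f['analyst']}"))
    return timeline


def dwell_time(events, severity="high"):
    """Seconds from the earliest `severity` IDS alert on each address to the SOC
    acknowledgment of that address. None means nobody has acted on it: as far
    as the organisation knows, the intrusion is still undetected."""
    first_alert, ack = {}, {}
    for ts, source, f in events:
        if source == "ids" and f.get("severity") == severity:
            first_alert.setdefault(f["src"], ts)
        elif source == "soc" and f.get("event") == "ack":
            ack.setdefault(f["src"], ts)
    return {ip: (ack[ip] - t).total_seconds() if ip in ack else None
            for ip, t in first_alert.items()}


if __name__ == "__main__":
    evs = load_all()
    for ts, who, what in build_timeline(evs):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {str(who):<28} {what}")
    for ip, secs in dwell_time(evs).items():
        print(ip, "still unacknowledged" if secs is None else f"dwell {secs / 86400:.1f} days")
```

Run as a script, it prints the merged timeline and then a dwell time of roughly 17.4 days for the VPN address, and flags the second beaconing address as unacknowledged. The part that matters for the survey's numbers is the second outcome: a dwell-time figure computed only from alerts someone eventually handled will always look better than reality, because the intrusions nobody has looked at yet contribute nothing to the average.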
