Fidelis Blog


Addressing the Cyber Workforce Shortage at Federal Agencies Through Automated Threat Hunting

Cyber workforce shortages continue to be a challenge for cybersecurity stakeholders across all sectors and organization sizes. According to the cyber workforce firm Cyberseek, upwards of 300,000 cybersecurity jobs across the public and private sectors remained open in 2018, and the gap is projected to reach a benchmark of 1.8 million by 2023. Among federal agencies, recent surveys show as many as 10,000 continuous job openings. The shortage is even more pronounced at federal agencies, which have traditionally been limited in the compensation and flexibility they can offer compared to the private sector. To address this challenge, the President signed Executive Order 13870, America’s Cybersecurity Workforce, in May 2019, providing more resources, budget, and flexibility for federal agencies to attract and retain qualified cybersecurity professionals.

While America’s Cybersecurity Workforce is a welcome relief for federal agencies, other challenges will remain even once the open headcount is filled. Compared to less than a decade ago, federal security operations teams – SOCs – must now protect a hybrid “cyber terrain” that continues to grow in complexity. Many federal cyber terrains extend beyond network perimeters and endpoints and now also include public and private clouds, mobile devices, IoT devices, and legacy systems. Alongside the workforce and skillset shortages, continuous visibility and actionable insight remain top priorities for federal agencies. Further, adversaries – both external and internal – now have more malware to choose from, in both volume and sophistication, as well as automated tooling. The traditional response has been to add more security tools, and SOC teams now manage anywhere between 50 and 75 solutions. This approach has introduced new challenges: SOC teams must acquire and maintain skillsets for every security solution procured, and they must manage a growing volume of alerts – many of which turn out to be false positives – resulting in “alert overload” and operational fatigue. Collectively, this leads to longer incident resolution times. Clearly, a scalability gap will persist despite the additional human capital.

Automation to achieve operational objectives at scale in any environment is a proven concept. Embracing an automation strategy for incident response missions among federal SOC teams should be no different, nor should automation be construed as a replacement for human capital; rather, it is a much-needed complement. Federal SOC teams must start by taking a “threat-driven approach” to securing the complex cyber terrain described above. Fundamentally, “you cannot secure what you cannot see.” Hybrid infrastructures and the assets that comprise them must be continually mapped and classified with automation. Collectively, the 50-75 security tools that make up the existing “security stack” are not architected to correlate the sheer volume of alert data, so SOC teams that may already be operating at full human capacity cannot efficiently respond to threats or proactively hunt for them at scale.

SOC teams must leverage automated detection that eliminates many of the steps and analysis that currently burden a Level 1 analyst, so that federal agencies can get more from their human capital investment in the Level 2 and Level 3 phases of a cyber incident. The same applies to threat hunting. Federal SOC teams can achieve this with confidence by capturing and storing metadata from applications and from traffic on all ports and protocols throughout the cyber terrain. Further, when trying to deceive or slow adversaries as part of their threat hunting initiative, federal SOC teams must move beyond the traditional, static “honeypot” approach towards a more active, dynamic deception model that automatically and proactively engages dormant, dwelling adversaries and steers them towards dynamic decoy (fake) assets that track changes in the cyber terrain. This not only shifts the cost and complexity of an attack or compromise back onto the adversary, but also lets SOC teams gain real-time and historical threat intelligence about how the adversary affects their cyber terrain. This can be particularly useful in IoT and legacy system environments, where SOC teams currently rely on manual detection and threat hunting because few security agents and tools are available to protect these assets.

Adversaries are using automation to achieve breach and compromise at the agencies they target. Federal agencies will see the payoff of automated detection and threat hunting when continuous visibility across the hybrid infrastructure is in place and incident response and resolution times are measured in minutes rather than days or months. Implementing automated detection and threat hunting for federal SOC teams is necessary for agencies to realize the value of their ongoing cyber workforce investments.

If you’d like to learn more about the challenges and solutions surrounding the federal cyber workforce, please be sure to register for our upcoming webinar on September 13, Addressing the Federal Cyber Workforce Skills Shortage.


Tom Zinzi is a Regional Sales Manager for Fidelis Cybersecurity Federal Division. Tom has more than 22 years working with Federal SOC teams in both the Civilian and DoD sectors to help them achieve their missions in continuous monitoring, threat detection, threat hunting, infrastructure protection and reporting.
