A majority of the large agencies have signed up for a new tool in the war against cyber attacks.
The Homeland Security Department is past the testing phase and ready to start the implementation of the Einstein 3 (E3A) program.
Brendan Goode, the director of network security deployment in the National Protection and Programs Directorate in DHS, said 15 out of the initial 23 agencies expected to implement Einstein 3 have signed memorandums of agreements with the department. DHS said E3A will “detect malicious traffic targeting federal government networks, but also prevent malicious traffic from harming those networks,” according to Einstein 3’s April 2013 Privacy Impact Assessment.
“The next set of activities that we have to do is the actual engineering to provision over those services, and we are actively engaged with several to do that,” Goode said recently in an exclusive interview with Federal News Radio. “It’s been a tremendously positive engagement with departments and agencies. Around mid-last year, we really started to roll out the architecture of where we were going with a lot of the technologies and solutions. We reached out through the policy community and the chief information officer and chief information security officers’ communities to start educating them.”
Goode said there are several key components that will make Einstein 3 work.
“One is the infrastructure piece. Can I connect the analysts to the sensors to the data in a secure means?” he said. “The second is ensuring we are able to only affect and work on the dot-gov traffic; so, the ability to segregate out dot-gov from dot-com and present it in at a place where it’s physically secure, so we can introduce Einstein 3 services themselves. Both of those have made tremendous amounts of progress. The infrastructure is in place and operational. The traffic segregation aggregation capabilities are in the final parts of test phases with three of them. The fourth one is operational, and the fifth one we expect to come online later this year.”
Budget request still pending
DHS requested $406 million in the fiscal 2014 budget request to Congress. Secretary Janet Napolitano told the House Appropriations Committee in April that sequestration could put the deployment of E3A at risk.
In the House’s version of the DHS appropriations bill for next year, lawmakers allocated $786 million for cybersecurity operations, which is $24 million below the president’s request and $30 million above the 2013 enacted level. The bill doesn’t mention Einstein directly, but does say of that $786 million, about $199.7 million should go to continuous monitoring. Every agency also must submit a plan by July 1, 2014, to the House Appropriations Committee describing how they are improving the security of their computer networks.
The committee approved the DHS spending bill May 15, but it hasn’t gone to the floor for a full vote yet.
The Senate Appropriations Committee, meanwhile, approved the DHS spending bill July 18. It included $803.8 million for cybersecurity protection of federal networks and incident response, which is $48 million above the 2013 allocation. Of that $803.8 million, DHS would receive $393 million for intrusion detection on civilian federal networks.
The bill now goes to the full Senate for a vote.
DHS is putting a lot of faith in Einstein 3 to meet Congress’ goals of improving federal network security.
After conducting two pilots with the E3A concept, Goode said DHS decided to go with a managed security services approach using the Internet Service Providers (ISPs) under the General Services Administration’s Networx contract.
DHS handles all the contracting and costs to implement E3A. CIOs and CISOs have to work with DHS on timing for implementation and whether the customer agency’s ISP providers are ready to provide the Einstein services.
“The agencies will get benefits from services as their ISP carriers come online with the services themselves. There is a process to getting the concept of the service defined, getting the service on contract, getting the implementation and testing done and then the onboarding,” Goode said. “In one case, we have passed all those steps and are doing the onboarding process, and the other steps we have several others preparing to come on line. As we talk about the role of the ISPs, it really is still under the direction of DHS from that standpoint. From our standpoint, they are taking the direct direction of here are the type of indicators and blocking actions we want to see be taken.”
Benefits of E3A twofold
Goode said the benefits of E3A are twofold.
First, agencies will get the ability to block malicious activity as it’s going on.
Second, through E3A, DHS can introduce a broader set of indicators from the classified realm that not only detects, but more importantly blocks malicious code from infecting the network or system.
Goode said Einstein 2, which most agencies have implemented either by themselves or through the Networx ISPs, used only unclassified indicators.
DHS has been implementing Einstein 2 since 2008 as part of the Trusted Internet Connections (TIC) initiative.
“Of the 18 federal agencies designated to be TIC providers, we are deployed at 17 of those 18 today,” Goode said. “Additionally, that leaves a pretty broad range of other agencies that need to get the security benefits of Einstein 2. Those go through the GSA Managed Trusted Internet Protocol Service (MTIPS) vendors. There are four tier one ISPs through GSA that provide those services. We are deployed at all four of the ISPs and servicing 52 other agencies through that vehicle. So we are making good progress on that so far.”
Under Einstein 2, agencies have an intrusion detection sensor at each of their locations that touches the Internet.
The data from those sensors are sent to U.S. Computer Emergency Response Team (U.S. CERT) so they can analyze governmentwide trends on attacks or vulnerabilities.
“As you can imagine with the volume of data that goes on, we’ve been putting more analytic tools around that data to give them better and more ability to correlate and visualize, so they can get to quicker analysis on an incident, so they can share those products back to dept and agencies customers afterwards,” Goode said. “In terms of the value, there are two aspects to it: The near-real time alerting that something is going on, so you can advise an organization of an event they need take further action or remediation against. The second is the historical data, which is that Einstein 1 flow data piece to it. Can we look back and see if this has been occurring over time? So, it allows for that historical analysis, which has traditionally been a well used platform value for DHS and our customer agency. Long term, it’s not just the value of those intrusion detection alerts, but it’s the summation of all of capabilities DHS is doing, so the work coming down stream with continuous monitoring, the insights we will understand from the attack surface and the vulnerabilities that we have plus the threats. That’s where we will now see the force multiplying in terms of knowing here’s the vulnerability, here’s the threat and here’s the risk.”