Back in 2005, the head of the National Security Agency broke out his red marker and circled a section of a white paper written by cybersecurity experts and gave them a two-month deadline to bring this idea to bear.
The concept the experts detailed to Gen. Keith Alexander would let NSA use technology to identify adversary tradecraft in flight, outside the wire so to speak, and treat it as a network problem.
Alexander thought the technology would be a game changer maybe not a silver bullet but something that would give the Defense Department a head start against ever-increasing threat before they made their way into the network.
Now, 16 years later, experts say this type of technology wouldve gone far to prevent, or at least limit, the damage for most of the major cyber breaches federal agencies suffered since 2005.
It was a big deal because we brought intelligence and defensive folks under one roof. The results were profound. We created a rich contextual threat intelligence about what adversaries were doing to DoD and we used it to warn incident responders and others, said Steve Ryan, a former deputy director of NSAs Threat Operations Center who coauthored the aforementioned white paper.
We set out to do something big and bold. We created classified capabilities that were largely tuned to interfere with cyber outside the network, said Ryan, who is now the CEO and co-founder of Trinity Cyber. We were leveraging our knowledge of the adversaries.
Ryan said his team fielded a pilot by the end of calendar year 2005 and presented it to Alexander. By December 2008, the capability was protecting all of DoD.
Generally speaking, the capability is focused on deep packet inspection and the ability to reroute traffic that is potentially a threat to the network. The tool would stop remote code execution and find malicious software to make it more difficult for hackers to get inside an organizations network. Some experts said capabilities like this, especially now 13 years later, would have limited the impact of the SolarWinds attack.
As DoD rolled out the capability, NSA started talking to the Department of Homeland Security about adding the technology to the EINSTEIN program.
John Felker, a former Coast Guard and DHS cyber official, said NSA was set to implement a version of these capabilities in EINSTEIN.
They got all the way to be ready to pull the trigger and the deputy secretary at the time decided to stop it, and decided that DHS could do something similar on their own, said Felker, who now is president of Morse Alpha Associates. That was unfortunate. There was an idea that DHS could do it themselves and folks were selling a program that would have a positive impact, but they oversold it. That may be a reason so many people dont understand what EINSTEIN is or was supposed to do.
That lack of understanding of what the EINSTEIN tools are and are not came to a head over the last few months as lawmakers and misinformed experts questioned why the more than $1 billion investment over the last 16 years didnt stop the SolarWinds attack.
The fact is the EINSTEIN program was never designed to stop SolarWinds or the Microsoft Exchange hack or even the Office of Personnel Management hack.
Current and former DHS and White House officials said the investment in the EINSTEIN tools made agencies safer and met the initial goals laid out in 2004: To stop known attack vectors or signatures through intrusion detection and prevention tools.
There seems to be the misconception that EINSTEIN should block every sophisticated cyber threat. Unfortunately, that is a false narrative, Matt Hartman, the deputy executive assistant director for cyber at the Cybersecurity and Infrastructure Security Agency, said in an interview with Federal News Network. He called EINSTEIN just one component of a layered defense.
Its a key piece and its success relies on information provided by commercial and intelligence community partners, he said. But its not going to pick up a novel supply chain attack that was designed for many months and executed in a matter of hours. For that reason, it must be complemented with other tools like those through the continuous diagnostics and mitigation (CDM) program and through cybersecurity shared services.
Understanding those layered defense concepts became more critical with the new cybersecurity executive order that President Joe Biden signed May 13. With dozens of new and expanded initiatives, lawmakers and agency leaders should heed the lessons learned from EINSTEIN and other governmentwide cyber programs: The need for flexible, iterative tools and capabilities. The White House needs to break down the DoD, intelligence community and civilian agency silos by not adhering to the old, not invented here mindset.
Karen Evans, the former administrator of e-government and IT at the Office of Management and Budget and former DHS chief information officer, said the combination of EINSTEIN, CDM, Automated Indicator Sharing (AIS) and other capabilities were laid out in the Comprehensive National Cybersecurity Initiative (CNCI) in 2008 during the waning days of the Bush administration.
Our goal was to connect the security operations center initiatives across government, Evans said. DoD, NSA, DHS and others were supposed to bring them altogether.
Evans is referencing paragraph 39 of the CNCI that called for a whole-of-government incident response capability.
Of course that never happened, so tools like EINSTEIN were left to fend for themselves.
A former DHS cybersecurity official, who requested anonymity because they didnt get permission to speak to the press from their current private sector job, said a common choke point for EINSTEIN was the inability of DHS to get consent from agencies to monitor their internet traffic.
Even once consent was reached, then it took time to schedule the cut overs onto the services. EINSTEIN versions 1 and 2 were easy. E3A was complex because it was inline and blocking. However, once those legal, privacy and technical hurdles were crossed, the later onboarding of agencies could move rapidly, the former official said. The big gap during my time was the lack of internal monitoring data security alerts from applications, servers, desktops and other endpoints. EINSTEIN can only see what data it is receiving. Cyber is about the whole picture. I dont think the question is about EINSTEIN as much as it is about whether the National Cybersecurity and Communications Integration Center (NCCIC) and U.S. Computer Emergency Readiness Team (CERT) are authorized and able to receive a much more comprehensive set of security event data.
Felker, the former DHS and Coast Guard cyber official, said creating a signature for a malicious code, testing that signature and putting it into EINSTEIN is not as easy as some would like to think.
Weve had this before where signatures ended up blocking mission critical activities even with testing. That made signatures challenging, he said. Add to that the fact that agency networks are not homogenous, it becomes a balancing act and a risk management act.
Once again, another executive order will try to break down those systemic barriers that prevented the NSA adding its capability to EINSTEIN. Congress and other administrations have attempted to do this through policy and laws, but few have succeeded in making real progress.
CISAs Hartman said its clear no entity can know everything. This was never more true than with SolarWinds, an instance in which FireEye alerted the intelligence community, CISA and others about the attack.
EINSTEIN is only as good as information it is receiving for both the intelligence community as well as from commercial partners to enable partners to build in load signatures into the system that can detect or prevent similar attack techniques, he said. There is a capability that is a part of EINSTEIN 3A, that is known as logical response aperture. This capability was developed as an initial attempt to utilize artificial intelligence and machine learning techniques with network-based data in an attempt to identify suspicious malicious data without prior intelligence that could be deployed in a signature-based detection and prevention capability. This is now deployed at two internet service provider locations within the National Cybersecurity Protection System EINSTEIN 3 architecture. Its been a valuable analytics platform, and, quite frankly, it is limited in its ability to detect verifiable malicious, network-based activity.
Hartman said CISAs plan is to focus this capability as a component of its analytical environment, providing one more toolset to review and determine potential and real threats.
Experts says what Hartman is describing is more about how CISA is changing than any one tool or capability.
Evans said CISA is a service provider with authorities from Congress and OMB to manage the results of the technology versus managing the tools themselves.
This is a culture change. What Congress is asking CISA is what do you need? and holding the DHS secretary accountable for delivering results, she said. The question that Congress and OMB have to answer is how far they want CISA to go to enforce and manage federal networks. That is the question.
Tom Bossert, the former Homeland Security advisor to President Donald Trump and now president of Trinity Cyber, said there are new capabilities, similar to the one NSA implemented so many years ago, that could provide greater benefit to agencies.
[Expanding NSAs tools] wasnt necessarily a missed opportunity by government or the private sector, but a reflection of where we stand today. We have mismatched capabilities and defenders have not made the necessary changes as offenders are far more nimble. There are major developments in how we access networks, the diversification of edge and cloud services and a significant amount of innovative technology that could be applied in a different way to prevent cyber breaches, Bossert said. We must find happy medium ground within our collective cyber industry. There is a resistance to innovation and there is a strong risk aversion to change because we are worried about unintended consequences.
Bossert added the latest cyber attacks have shown there is better interagency coordination and clarity of purpose, and that must continue as the threats evolve.
CISAs Hartman said he believes that EINSTEIN has met its original intent and much more. The capability routinely finds instances of anomalous activity that are confirmed and stopped.
We are constantly modernizing our portfolio of capabilities, he said. We are thinking about EINSTEIN, CDM, the cyber quality service management office (QSMO) and how to evolve all of those capabilities. The evolution is underway, and it will accelerate in the coming months as [a] result of new authorities under [the] 2021 defense authorization act and the funding from the American Rescue Plan Act.
See the original post here:
CISA's EINSTEIN had a chance to be great, but it's more than good enough - Federal News Network
- WikiLeaks' Julian Assange: NSA critics got lucky because agency had no PR strategy [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- National Speakers Association New Jersey Chapter NSA [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- National Security Agency - Wikipedia, the free encyclopedia [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- NSA - Satu Hari Di Bulan Juni (TULUS) (COVER) - Video [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- Full Show: Disband The NSA or; Corruption in the Capitol FO SHIZZLE {aTV002} - Video [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- Hong Kong: Protesters blow whistles for NSA whistle blower - Video [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- An Inside Look at the NSA With Whistleblower William Binney (Part 2 of 2) - Video [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- USA: NSA leaker Snowden is a hero, say Washington protesters - Video [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- ShmooCon 2014: The NSA: Capabilities and Countermeasures - Video [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- NSA ~ (Autodidactism) Whistleblowing - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- The Mises View: Our NSA Economy | Mark Thornton - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- George Galloway's Sputnik: Ewen MacAskill on Guardian / Edward Snowden NSA leaks (26Apr14) - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- Dropping #NSA Knowledge Like a Clumsy Librarian - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- NSA DOCUMENTARY SIX YEARS BEFORE SNOWDEN - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- NSA Knew Of Heartbleed Bug, Refused To Protect Americans - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- Former NSA Head To Become Columnist For Conservative Paper To Discuss Intelligence - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- An Inside Look at the NSA With Whistleblower William Binney (Part 1 of 2) - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- Keynote Address by Shri Shivshankar Menon, NSA at International Seminar on Kautilya - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- NSA WHISTLEBLOWER - TOM DRAKE - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- NSA Wiretapping: A 4th Amendment Violation?: Blake Norvell at TEDxSMU - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- Rucka Rucka Ali Blurred Lines Parody Obama Been Watchin' NSA - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- Hang with Rand: Email Privacy, NSA Spying, and Defending Our Civil Liberties - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- NSA Surveillance and What To Do About It - Bruce Schneier - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- Umfrage: NSA-Spionage und die Bundesregierung | Politik direkt - So ticken die Deutschen - Video [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- CIA & NSA DIRECTED ENERGY WEAPON ATTACK ON WHISTLE BLOWER - Video [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- NSA TARGETED OBAMA, CONGRESS, SUPREME COURT, & THEIR SPOUSES, CHILDREN - Video [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- Book TV - 2014 San Antonio Book Festival: Panel on the NSA, Big Brother, and Democracy - Video [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- READER SUBMITTED: NSA CT April 2014 Meeting [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- NSA Throwdown: John Oliver v. 60 Minutes [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- New water records show NSA Utah Data Center likely behind schedule [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- German opposition says US should destroy Merkel's NSA file - Video [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- MVI 1847 Obama's NSA Denies FOIA About MH 370! - Video [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- NSA Surveillance 2 - Video [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- NSA Surveillance Panel 1 - Video [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- NSA reveals some cyber security flaws are left secret [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- NSA data center uses less water than expected [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- April 2014 Breaking News Do you use Google or Yahoo? NSA Intercepts Google And Yahoo Traffic - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- Rand Paul My Reaction To Judge Ruling NSA Spying On Americans Illegal Is He's Exactly Right - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- Views from the Street on NSA Activities and Liberty (6/6) - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- Views from the Street on NSA Activities and Liberty (3/6) - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- Views from the Street on NSA Activities and Liberty (5/6) - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- Views from the Street on NSA Activities and Liberty (1/6) - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- Germany: NSA may have accidentally outed secret base - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- Dick Cheney Gets Awkward On Fox & Friends Over NSA Spying - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- February 2014 Breaking News Barack Obama Gun control NSA worldwide people control last day - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- MVI 1871 NSA Might Be OnTo Me! - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- ZyXEL NSA 325 v2 Installations-Wizard - Deutsch / German notebooksbilliger.de - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- ZyXEL NSA 325 v2 Hands On - Deutsch / German notebooksbilliger.de - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- CNET Update NSA spy games targeted World of Warcraft ! Byy Adana - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- Supreme Court could weigh in on NSA case, justice says [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- New NSA chief: Agency has lost trust [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- NSA on Heartbleed: 'We're not legally allowed to lie to you' [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- What's The NSA Doing Now? Training More Cyberwarriors [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Anonymous NSA - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Cutting off H2O to the NSA - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Brazil: Greenwald slams US media, shares tips to avoid NSA - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- NSA Interception: Spy malware installed on laptops bought online - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- NSA IS TRYINGG 2 KILL ME FAMS - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Hacking is NSA's 'growth area,' Times says in agency profile! - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Judge Napolitano 'It's Time for Congress to Clip the NSA's Wings' - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Global Economic Crisis 2013 Economic Terrorism, NSA CIA - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- What was more popular on Twitter, NSA, NRA or NBA..today? - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- THE CIA , FBI and NSA Spying Technology is Free and out in the open , DOWNLOAD IT NOW - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- CIS111: NSA Uncovered - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Views from the Street on NSA Activities and Liberty (4/6) - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Views from the Street on NSA Activities and Liberty (2/6) - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Budget 2014 Malaysia mystery NSA listening in - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- NSA misrepresented the scope of its data collection - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- NSA whistleblower Edward Snowden: 'I don't want to live in a society that does these sort - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- NSA: the story of the summer - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Thinkerview - Interview B Bayart - Neutralit du net, CSA NSA - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- German Chancellor Angela Merkel visits US, after the NSA eavesdropping scandal - Video [Last Updated On: May 2nd, 2014] [Originally Added On: May 2nd, 2014]
- NSA Reveals Planned Police State - US to enter MARTIAL LAW - Video [Last Updated On: May 2nd, 2014] [Originally Added On: May 2nd, 2014]
- NSA spies on more US citizens than Russians Snowden [Last Updated On: May 3rd, 2014] [Originally Added On: May 3rd, 2014]
- THE NEXT NSA?Police under scrutiny for using spying technology [Last Updated On: May 3rd, 2014] [Originally Added On: May 3rd, 2014]
- Ukraine and NSA will test Merkel - Video [Last Updated On: May 3rd, 2014] [Originally Added On: May 3rd, 2014]
- Civil liberty activists say Obama's curb on NSA don't go far enough - Video [Last Updated On: May 3rd, 2014] [Originally Added On: May 3rd, 2014]
- The Latest Attacks On NSA Whistleblower Edward Snowden - Kevin Gosztola Discusses - Video [Last Updated On: May 3rd, 2014] [Originally Added On: May 3rd, 2014]
- NSA proof phone Case - Video [Last Updated On: May 4th, 2014] [Originally Added On: May 4th, 2014]
- Still Report #246 - NSA Classifies MH370 Material - Video [Last Updated On: May 4th, 2014] [Originally Added On: May 4th, 2014]