CISA Shifting Einstein Detection System Deeper Into Networks
Move Away From Perimeter Designed to Help Agencies Battle Supply Chain Attacks
The U.S. Cybersecurity and Infrastructure Security Agency is moving its Einstein intrusion detection system deeper into federal networks to better detect supply chain attacks after it failed to spot the espionage campaign that targeted SolarWinds and its customers, including federal agencies, says Brandon Wales, the agency's acting director.
Moving Einstein deeper into federal networks, rather than just having it on the perimeter, will allow it to pick up data from endpoints, such as servers and workstations, Wales wrote in a letter to Sen. Ron Wyden, D.-Ore., who had posed questions about the SolarWinds incident.
The SolarWinds supply chain attack, which involved installing a backdoor in the Orion network monitoring platform that was downloaded by 18,000 users, led to follow-on attacks on nine federal agencies and 100 companies.
The Biden administration has accused Russia's Foreign Intelligence Service, or SVR, of carrying out the cyberespionage operation (see: US Sanctions Russia Over SolarWinds Attack, Election Meddling).
"CISA is urgently moving our detecting capabilities from the perimeter layer into agency networks to better focus on the endpoint security of items such as servers and workstations where adversaries are most active today, which is an approach consistent with leading trends in the cybersecurity industry as adopted by public and private organizations," Wales wrote.
Since the SolarWinds supply chain attack was detected by security firm FireEye in December 2020, Einstein has come under criticism from lawmakers in both parties for failing to detect the intrusion despite the federal government having spent more than $6 billion on the system (see: Why Didn't Government Detect SolarWinds Attack?).
A CISA spokesperson declined to comment further about the Wales letter or the agency's time frame for adding these additional capabilities to the Einstein system.
Besides the update on Einstein, Wales noted in the letter to Wyden that federal agencies could have prevented follow-on attacks after the SolarWinds supply chain attack by using recommended firewall configurations, but he acknowledged that this is not always feasible.
"CISA agrees that a firewall blocking all outgoing connections to the internet would have neutralized the malware," Wales wrote.
At a March hearing of the Senate Homeland Security and Governmental Affairs Committee, Wales testified that while Einstein was designed to analyze network traffic flowing into and out of federal networks, it would not have been able to detect a Trojanized software update, as was used in the SolarWinds attack. And because Einstein also cannot read encrypted network traffic, Wales said better endpoint detection was needed.
At that hearing, Christopher DeRusha, the federal CISO, told lawmakers that the federal government should implement the "zero trust" security model, which assumes networks have been compromised and focuses on authenticating identity when a user attempts to access a device, application or system.
One way to create a zero trust approach is to move Einstein deeper into federal government networks to pick up data and signals from endpoints. Wales noted in the letter to Wyden that CISA is currently using some of the $650 million allocated to the agency under the American Rescue Plan to make changes in Einstein implementations.
"CISA is urgently moving its detection capabilities from the perimeter layer into agency networks to better focus on endpoint security," Wales wrote. "This approach is consistent with leading trends in the cybersecurity industry as adopted by public and private organizations. The additional $650 million included in the American Rescue Act will enable CISA to rapidly accelerate the transition from a perimeter defense construct to a construct whereby agencies and CISA will be better situated to identify threat activity within federal networks in near real time."
An Essential Step
Moving Einstein deeper inside networks is essential to improving detection of the latest cyberthreats, says Jake Williams, a former member of the National Security Agency's elite hacking team.
"The idea behind Einstein was to [monitor] a ton of network traffic and hopefully find badness there. This comes from a background of intelligence analysis where network access is far easier than endpoint access, so they built what they knew," says Williams, who's now the CTO of the security firm BreachQuest, which he co-founded.
"With ubiquitous encryption and the widespread use of file synchronization tools - such as OneDrive - detecting threats purely from the network will become increasingly difficult, if not impossible. It's not to say that network data isn't important; it absolutely is. But you need endpoint data to contextualize so much network data that's seen today."