Homeland Security Makes Cybersecurity A Managed Service
Einstein 3 intrusion prevention system analyzes traffic to and from executive-branch agencies to block threats at the ISP level.
The Department of Homeland Security's Einstein 3 intrusion prevention system, launched last summer, raised the bar for security technology capable of operating at carrier-grade network levels, rather than just within the enterprise.
Einstein is a managed security service delivered through Internet service providers that serve executive-branch civilian agencies. Through a public-private collaboration, DHS provides custom signatures to federal agencies' ISPs to block malicious traffic, both incoming and outgoing.
Moving analysis of government Internet traffic to ISPs for security purposes was controversial when Einstein 1 was deployed in 2004, but it was merely an early step in what Tim Sullivan, CEO of security firm nPulse Technologies, said is the inevitable move of cybersecurity to a managed service.
"It's all going to move to the cloud," Sullivan said. The ability to centralize data analysis and other security resources is necessary in a threat environment that is increasingly complex and fast-moving, he said. "The reality is, malware will penetrate perimeter defenses," and incident response cannot afford to be constrained by local availability of tools and manpower.
The result is that security technology has to operate on carrier grade, or large scale, networks, with a high level of availability at multi-gigabit speeds. The latest release of nPulse's Capture Probe eXtreme (CPX), a high-speed packet-capture appliance that operates at a full duplex rate of 20 Gbps, is being used by ISPs to support Einstein 3 with high-speed searching and session reassembly and analysis.
DHS's Privacy Impact Statement says, "under the direction of DHS, ISPs will administer intrusion prevention and threat-based decision-making on network traffic entering and leaving participating federal civilian executive branch agency networks," or .gov traffic.
Initially deployed in 2004, Einstein 1 analyzed network flow records. In 2008, Einstein 2 added passive intrusion detection technology using custom signatures from federal networks to detect and report malicious traffic. The third iteration adds intrusion prevention capabilities, enabling ISPs, under the direction of DHS, to block threats. Einstein 3 began operating within DHS last July, and other departments began using the managed service throughout the summer, as ISPs were ready to offer it.
ISPs providing intrusion prevention services must segregate .gov traffic on their networks for analysis. For blocking traffic, ISPs will use domain name service (DNS) sinkholing to keep outgoing .gov traffic from communication with known or suspected bad domains by redirecting traffic to safe, sinkhole servers. Email filtering will scan incoming messages addressed to .gov networks, looking for malicious attachments, URLs, and other malicious content. Infected emails can be quarantined or redirected for further inspection and analysis by DHS.
The ability to inspect and analyze suspected malware requires high-speed capture and search capabilities, which is provided by nPulse's CPX 4.0. A fully saturated 10-Gbp/s link, (although no carrier operates at full saturation) would produce 200 terabytes of data in 24 hours. Searching this amount of captured data would take a little more than 8 minutes with the tool.
CPX was not developed for Einstein, Sullivan said, but reflects the growing requirement for carrier-grade security, both in and out of government.
William Jackson is a technology writer based in Washington, D.C., who specializes in telecommunications, networking, and cybersecurity in the public sector.
Mobile, the cloud, and BYOD blur the lines between work and home, forcing IT to envision a new identity and access management strategy. Also in the The Future Of Identity issue of InformationWeek: Threats to smart grids are far worse than generally believed, but tools and resources are available to protect them (free registration required).
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.