Rod Turk, far right, CISO of the Commerce Department, talks about the department's use of the Continuous Diagnostics and Mitigation program at MeriTalk's Cybersecurity Brainstorm conference.

Sep 15 2016

The Future of Federal Cybersecurity Is in Predictive Security Intelligence

The Department of Homeland Security’s Continuous Diagnostics and Mitigation program is one tool agencies are using to get ahead of threats.

What if federal agencies could do more than just react to cybersecurity threats and data breaches and actually get out in front of them? That’s the world the Department of Homeland Security (DHS) wants for the executive branch.

The use of predictive security tools, security intelligence and DHS’ Continuous Diagnostics and Mitigation (CDM) program could help agencies get there, according to federal officials who spoke this week on a panel at MeriTalk’s Cybersecurity Brainstorm conference in Washington, D.C.

No Silver Bullet on Predictive Cybersecurity

The officials on the panel noted that there is no silver bullet for predictive defense and that agencies need to take a multipronged approach. Mark Kneidinger, director of the federal network resilience division at DHS, said that there are several programs already in place to help agencies be proactive in responding to cyberthreats.

One is Automated Indicator Sharing (AIS), which enables the federal government and private sector entities to exchange “cyberthreat indicators” (e.g., malicious IP addresses, phishing emails) at machine speed. Under provisions of the Cybersecurity Act of 2015, agencies must implement AIS by the end of October.

Kneidinger said AIS provides agencies “threat indicator information that normally the government agencies would not be receiving because they’d be coming from the nonfederal community.” He said that so far more than 29,000 cyberthreats have already been identified and have been shared with agencies participating in the program.

“AIS participants connect to a DHS-managed system in the Department’s National Cybersecurity and Communications Integration Center (NCCIC) that allows bidirectional sharing of cyber threat indicators,” DHS notes. “A server housed at each participant’s location allows them to exchange indicators with the NCCIC. Participants will not only receive DHS-developed indicators, but can share indicators they have observed in their own network defense efforts, which DHS will then share back out to all AIS participants.”

“So that’s a key predictive defense because basically it’s providing the additive information from a defensive perspective, so you understand what the threats are that are coming forward,” Kneidinger said.

Another program is DHS’ Einstein system, specifically Einstein 3 Accelerated (E3A), which agencies need to implement by year’s end. In 2012, DHS started partnering with major Internet Service Providers (ISPs) so that they could provide intrusion prevention security services for federal civilian agencies using widely available commercial technology.

“The first part of Einstein basically was to take a look at what’s occurring within the environment,” Kneidinger said. “The second part of Einstein then took a look at what should not be occurring. And then the third part, or E3A, is stopping those situations.”

The third major program is CDM, which is designed to provide federal departments and agencies “with capabilities and tools that identify cybersecurity risks on an ongoing basis, prioritize these risks based upon potential impacts, and enable cybersecurity personnel to mitigate the most significant problems first.”

Kneidinger said an element of CDM is a federal dashboard that will provide a cross-government perspective of threats and then be able to push down adjustments, risk management controls and indicators to the agency level “so we can assist the agencies in not only understanding what are some of the primary threats that are there, but also the varying threats because of the trends analysis.”

Agencies Partner on Cybersecurity

DHS can help agencies identify their “high-value assets,” mission-critical data that needs to be protected at all costs. Doing so allows agency leaders to prioritize their cybersecurity efforts, Kneidinger said, but they need the technology and policy infrastructure in place to do so.

Rod Turk, the Commerce Department’s CISO, said on the panel that “the risk of the loss of that data is what you ought to be considering as you apply your cybersecurity tools.”

Agencies have flexibility in determining what kinds of tools they want to deploy and for how long. For example, he said, a dynamic execution environment in a moderate-risk system is an optional control.

“But I would submit that in today’s world, where a huge threat vector is phishing attempts, it would be wise to consider making that control mandatory across the enterprise so that you can address that phishing situation with an automated tool,” Turk said. “So assessing the risk, and then creating that risk profile and that risk solution set related to the controls is, I think, one of the solutions to moving forward.”

Turk said Commerce has developed its own Enterprise Security Operations Center, which gathers information from all of the department’s bureaus and puts it into a common database. The department can then analyze that data and “hopefully provide predictive statistics and data that we can use for our bureaus, as well as provide to the NCCIC, to the greater federal database and federal instance there,” he said. He added that Commerce is also coordinating with DHS’ NCCIC, via wireless machine-to-machine communications, to share threat information and indicators “at machine speed.”

“If we see something, if we see a potential threat, we can provide that information to DHS so that they can then analyze that and provide an analysis and information sharing across the federal government,” Turk said.

Meanwhile, Tim McBride, director of operations for the National Cybersecurity Center of Excellence at the National Institute of Standards and Technology, said that for the past eight months NIST has been working with DHS on an assessment methodology for CDM.

Kneidinger said that ongoing work has been very helpful. He added that many agencies see CDM and a broader information security continuous monitoring (ISCM) plan as one and the same, but he contended they’re not; CDM, he said, is just one element of an ISCM program. Agencies need to focus on adopting ISCM technology, using it, being ready to respond to threats and sustaining the program long term, he added.

Yet Turk said that for Commerce, “the centerpiece of our ISCM is the CDM program. While there are other pieces to it, CDM is an integral part of it. The Department of Commerce is all-in when it comes to CDM.”

Phil Goldstein
