The development of advanced analytics that sort through Internet traffic looking for anomalies, improved reputation scoring of web links, and the potential to examine voluminous amounts of cyber threat data through a new automated information sharing system within and between the federal civilian government and the private sector are creating new opportunities to take cyber security to a level that could put it ahead of cyber attackers and hackers, a Department of Homeland Security (DHS) official told sister publication Defense Daily.
“So as we augment what we get from the private sector…we can push out as much augmented data as we possibly can to then augment the systems that all these companies are using and building so that their innovation is now on, instead of just making data, it’s on how do I use it better,” Phyllis Schneck, deputy under secretary for Cybersecurity and Communications at the DHS National Protection and Programs Directorate, said in an interview on March 30. “This has some really nice far reaching consequences as far as how do we put cyber security companies back in the lead as far as innovation and what can you do new based on advanced math and computing.”
And by “back in the lead,” Schneck means “ahead of the adversary.”
This ability to “crowd source behavior,” to take advantage of data across the federal government, and analyze it all is “one thing the adversary can’t do,” Schneck said.
On March 17, DHS turned on the computer servers that officially deployed the Automated Indicator Sharing (AIS) system, which allows automatic sharing of cyber threat indicators at machine speeds between federal civilian agencies and, on a voluntary basis, with the private sector. The automated sharing of cyber threat data was called for in legislation approved by Congress in late 2015.
Currently, cyber defenses work by detecting and preventing intrusions by known threat signatures, that is, malicious code that may have successfully infiltrated one or more computer networks but, once discovered, can be made known to a wider audience so that the networks of others aren’t affected by the same virus. The AIS system is a means to improve the sharing of these threat indicators and to do so quickly.
“The term we use internally is ‘months to milliseconds,’ and it really talks about how do we react to understanding some malicious instruction is either trying to enter a machine or got there,” Schneck said.
The DHS capability used to help protect its own computer networks and those of the larger federal civilian government is called the National Cybersecurity Protection System, which is better known as the EINSTEIN platform. The platform, which hosts multiple software technologies to provide cyber security protections, provides situational awareness about inbound and outbound traffic on federal networks, detects known cyber threats, and, in its latest addition, can detect and stop known or suspected cyber threats.
Schneck said the situational awareness component of EINSTEIN has been useful in giving “us a fairly good picture of who is trying to get information into our agencies and where our agencies are connecting outbound.”
To make increasingly better use of what EINSTEIN enables, DHS is adding capabilities to the platform. One that Schneck mentioned, reputation systems, is already widely in use in the private sector; she said these essentially allow risk rankings of Internet Protocol addresses and web links based on an examination of data obtained through the millions of security products deployed globally by various cyber security companies and by the federal government.
If there are a “whole set of addresses behaving really badly right now, they should all get a very bad score so when they try to send something into a customer site of mine again, I’m going to alert the equipment that customer site has to protect their networks that this is coming from an address that has a really terrible reputation,” she said. What DHS can add to the equation, and what Schneck said has “never been done before,” is to combine the threat and suspect data being obtained in the private sector “with data unique to the government.”
This is the “Holy Grail” in terms of data to build on for better cyber security protections, Schneck said. “So if something comes in for a machine that we’ve never seen before, so there would be no signature, but it comes in with a really terrible reputation, EINSTEIN can flag that.”
DHS is beginning to use reputation systems with EINSTEIN, Schneck said, adding that the department is rolling out this capability “methodically” and checking the results they’re getting.
Even cyber data obtained by the intelligence community can be scrubbed in unclassified ways to improve reputation scores that can be shared with the private sector through AIS and in EINSTEIN, Schneck said.
Another capability that DHS wants to layer into EINSTEIN is advanced analytics that use math to take advantage of all the data that is collected and served. Suzanne Spaulding, the director of NPPD, said at a conference in March hosted by the New America Foundation that the department is pilot testing a system that can detect cyber threat signatures never seen before.
Schneck said this long-term pilot is focused on analyzing the data at various customer sites to find patterns in the inbound and outbound traffic and spot anomalies.
“So the overall point is DHS has moved beyond being dependent on a signature only technology,” Schneck said.
The Cyber Information and Sharing Act that Congress approved last December contains incentives in the form of liability protections for private sector companies and organizations to share cyber threat data with DHS.
Schneck said that turning on the AIS system and “getting the machines to talk” and share threat data quickly is one measure of early success with the system. Another is adding more partners to the AIS system to obtain “more value out of the shared information,” she said.
“Candidly, trust is a big problem,” Schneck cautioned, saying that some companies have to be confident that DHS takes seriously the privacy and civil liberties protections that are mandated in the congressional legislation as part of the AIS. “Large private companies have a hard time with overseas manufacturing and sales if they have a big reputation for doing a lot of work with the U.S. government. Our job at DHS is to make sure that the world knows that we live and breathe privacy and civil liberties and in a time when it’s so hard to use the words and collect data, it’s so urgent to do so, so that we can put knowledge together so that we can do things like this just in the machine to machine space.”
A third and higher level of success will be the effect the information sharing environment has on boosting cyber security, Schneck said.