CISA shifting focus to monitoring the insides of networks for cyberthreats

Agencies need to supplement the perimeter security that intrusion detection systems like EINSTEIN provide with capabilities that monitor the insides of networks ahead of future supply chain attacks, according to the head of the federal government’s lead cybersecurity agency.

EINSTEIN is the Cybersecurity and Infrastructure Security Agency‘s $6 billion program designed to examine internet traffic coming from outside of networks. But no intrusion detection system is capable of preventing a cyberattack like the SolarWinds hack, Brandon Wales, acting director of CISA, told senators during a Homeland Security Committee hearing Thursday.

CISA will use some of the $650 million in funding it received in the American Rescue Plan (ARP) Act to keep the parts of EINSTEIN that work and transition the rest to different programs, as it prioritizes detecting anomalous activity on unencrypted workstations and servers to respond to supply chain attacks faster, Wales said.

“There’s a lot that we need to do through the federal contracting process to ensure that the vendors providing IT products and services for the federal government have the appropriate level of cybersecurity in place, based upon the information and their place within the networks that they are supporting,” he said.

CISA is working with the Office of Management and Budget on that and spending ARP funds to develop better endpoint detection and response tools to block anomalous behavior before it moves broadly into a network, Wales said.

At the same time, CISA is attempting to fully implement its Continuous Diagnostics and Mitigation program after some agencies reported issues identifying and monitoring all devices on their networks.

“After the SolarWinds hack, likely perpetrated by the Russian government, our agencies were asked to self-analyze and review the effects of the attack, when many did not have the capability to do so,” said Sen. Gary Peters, D- Mich., chairman of the committee. “This haphazard approach made it extremely clear that our ability to respond did not match the severity of the crisis.”

Wales assured senators only a “small number” of agencies had issues deploying some CDM tools for asset, software and device management, and configuration and patch management.

Almost all parts of every agency have achieved a common CDM baseline as CISA aims to close out Phases 1 and 2 of the program in 2021, Wales said.

When CDM started, only agencies themselves had visibility into the devices on their networks. CISA did not.

“I think we are now seeing the limitation that poses on our ability to have a comprehensive understanding of the cyber risk picture of the .gov,” Wales said. “And we are hopeful that new guidance will come out of the administration soon that will move us toward CISA having broader and deeper insights into that level of detail and allow us to have the right level of visibility to execute our role when it comes to securing the .gov.”

In the immediate aftermath of the SolarWinds hack’s discovery in December, CISA provided agencies with cloud-based forensics to help them determine if their cloud environments had been compromised. The CISA Hunt and Incident Response Program (CHIRP) is a multi-function forensic scanning tool for detecting threat actor activity on vulnerable SolarWinds devices.

More recently CISA has used ARP funding to launch an informational website on best practices for remediating compromised systems with at least nine agencies compromised in the SolarWinds hack. Earlier this week CISA released detailed guidance for compromised agencies on evicting the adversary, thought to be Russia, from their networks.

“Our work is tailored for each agency depending on the types of support and requirements they have,” Wales said.