DHS is Deploying Wrong Weapons for Cyberwar

Sunday, June 20, 2010

Richard Stiennon


Siobhan Gorman, writing at the Wall Street Journal, tells us that a report from Richard Skinner, DHS Inspector General, will be presented to Congress today. The report highlights troubles at US-CERT, in particular turnover in leadership and severe understaffing.

The problem is not with US-CERT's administration; it is with their impossible mission. There appears to be some belief within DHS and the inspector general's office that the secret Einstein project is somehow going to improve cyber security.

Pointing fingers at slow deployment and lack of information dissemination is ignoring a more fundamental problem.

The Einstein project, authorized under the still classified portions of the Bush Administration's Comprehensive National Cybersecurity Initiative (CNCI), is a plan to deploy Intrusion Detection sensors (IDS) at all of the government's Internet gateways.

Even if US-CERT were fully staffed with three shifts to monitor and report on the alerts Einstein generated, even if all of the sensors were deployed, even if all of the information were distributed to every department and agency within DHS, the US would not be able to fight cyber attacks.

Let's review. IDS is a technology invented over 15 years ago. It is signature based, which means it relies on a massive collection of snippets of text and code that researchers have discovered over the years are associated with unwanted network traffic, be it worms, port scans, or intrusions.

Because the original deployments of IDS were just passive data collectors, adding new signatures had no impact on network performance, so the database grew and grew, and the logs IDS generated grew and grew, to the point where even a mid-size organization would receive millions of alerts a day.

IDS log management became a major problem that gave birth to two industries: Security Event Information Management (SEIM) and Managed Security Service Providers (MSSP).

SEIM products from companies like ArcSight attempt to prioritize alerts so that security personnel can focus on just the important events. MSSPs (Symantec, SecureWorks, BT) use SEIM products to make it even easier for a customer to handle the flood of alerts their IDS generates.

To make the claim that they are effective, MSSPs staff their SOCs (Secure Operations Centers) around the clock. US-CERT has been tasked with becoming the MSSP for DHS. But do you see the problem here?

The only tool in DHS's chest is a monitoring tool. Millions of alerts have to be filtered down. The continuous port scans, the worm traffic, and the DDoS attacks have to be winnowed down to something actionable.

And even if that were possible, attacks such as those seen by Google, the Dalai Lama's office, and the Pentagon, would still be effective.
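As an added illustration (not code from the original post): a toy signature-based matcher run over constructed flow records shows both halves of the argument above, the alert flood that a SEIM-style aggregation step has to collapse, and the blind spot that remains for traffic no signature describes. The signature patterns, flow format and payload markers are all constructed for this example.

```python
import re
from collections import Counter

# Constructed, toy signature set: (name, severity, regex over one flow record).
# A real IDS rule set holds tens of thousands of such patterns.
SIGNATURES = [
    ("port-scan",  1, re.compile(r"flags=S\b.*bytes=0")),
    ("worm-probe", 2, re.compile(r"dport=445 .*payload=NOPSLED")),
    ("c2-beacon",  3, re.compile(r"dport=443 .*payload=GET /gate\.php")),
]

def raw_alerts(flows):
    """Signature IDS behaviour: one alert per flow per matching signature."""
    alerts = []
    for flow in flows:
        src = re.search(r"src=(\S+)", flow).group(1)
        for name, sev, rx in SIGNATURES:
            if rx.search(flow):
                alerts.append((name, sev, src))
    return alerts

def prioritize(alerts):
    """SEIM-style step: collapse repeats per (signature, source), rank by severity."""
    counts = Counter(alerts)
    events = [{"sig": n, "severity": s, "src": src, "count": c}
              for (n, s, src), c in counts.items()]
    return sorted(events, key=lambda e: (-e["severity"], -e["count"]))

# Constructed sample traffic: one scanner sweeping 100 hosts on 3 ports,
# one worm probe, one beacon that matches a signature, and one beacon
# whose path no signature knows (the kind of targeted traffic IDS misses).
FLOWS = [f"src=203.0.113.9 dst=10.0.0.{i} dport={p} flags=S bytes=0"
         for i in range(1, 101) for p in (22, 80, 443)]
FLOWS += [
    "src=198.51.100.4 dst=10.0.0.7 dport=445 flags=PA bytes=1460 payload=NOPSLED",
    "src=10.0.0.55 dst=192.0.2.20 dport=443 flags=PA bytes=200 payload=GET /gate.php",
    "src=10.0.0.56 dst=192.0.2.21 dport=443 flags=PA bytes=200 payload=GET /updates/check",
]

def unseen_sources(flows, alerts):
    """Sources that produced traffic but never triggered any signature."""
    alerted = {src for _, _, src in alerts}
    return sorted({re.search(r"src=(\S+)", f).group(1) for f in flows} - alerted)

if __name__ == "__main__":
    alerts = raw_alerts(FLOWS)
    print(f"{len(alerts)} raw alerts -> {len(prioritize(alerts))} prioritized events")
    print("never alerted on:", unseen_sources(FLOWS, alerts))
```

The scanner alone yields 300 raw alerts that aggregation folds into one event, while the unknown beacon produces no alert at all, no matter how well the alert queue is staffed.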

I have been beating this drum since 2003 when I visited the Pentagon and in no uncertain terms informed them that they were wasting their money on IDS.

The ensuing public debate was well covered by the media but must have been missed by the framers of the CNCI.

Einstein is a waste of money and a distraction. Other than generating huge reports that highlight the levels of attacks targeting DHS, it will do nothing to protect DHS networks.

There have been a lot of advances in network security technology since 2003.  It is time for DHS to get serious about security. 

* * *

Attention!  Richard Stiennon's new book, "Surviving Cyberwar" has been published:

After a five month period of editing, indexing, and finally printing, Surviving Cyberwar has been published by Government Institutes, an imprint of Scarecrow Press, a division of the Rowman and Littlefield company...

More: https://www.infosecisland.com/blogview/4336-Surviving-Cyberwar-Published-.html


Anthony M. Freed:
And the notion that the uptick in interest in cybersecurity by Congress is going to help the situation is naive at best.

Even the most cleverly worded legislation is more likely in the end to create administrative barriers to a nimble security protocol, and will undoubtedly add layers of compliance reporting requirements that are simply nothing more than glorified surveys with a big price tag.

Is that how we want to see security budgets grow - with more hoops to jump through, but no more resources for protecting systems in the trenches?

Only the free market can respond swiftly enough to combat current and emerging threats, and government efforts can best be made to ensure that private enterprise has the support and the latitude required to get the job done.
Tom Caldwell:
I concur on IDS/IPS failing to prevent or even help manage/predict cyber-attacks or other malicious activity. Many botnets controlled by foreign entities are already INSIDE our networks running IDS systems, to the tune of at least 100k 'active' infections running rampant across the DoD, Military, and Agency (including classified) networks. If they've already been identified using one method, even behind a router/firewall, then why stare at packets flying by (for identification) when the machine needs to be quarantined (IP cut off), cleaned, or even wiped? The management of these risks should be to cut off the IP addresses identified as capable of inbound or outbound attack (deny all). IDS doesn't prevent intrusion as it needs to identify it, and there are far better detection methods than trend analysis or packets. A current view of the federal networks in question easily proves this!

I foresee this as yet another failure in the Federal evaluation/procurement process. This technology, along with many others, is an admitted failure in both cyber initiative documents published by the Bush and Obama Administrations respectively. We know these firewalls are limited by both undiscovered signatures, heuristic error, and connection analysis plus general processing limits [250k/sec per industry leading box up against a 10 million bot attack scenario]. It's obvious that racks of these boxes/appliances will not be effective or manageable in cyber-security or attack prevention scenarios [plus are a waste of budget funding]. They have failed; it's time to move on to new implementations with new detection/blocking/remediation methods. At a minimum they could at least integrate tech along with these legacy products, since we know they won't quit what's "accepted" even though it's not comprehensive.

I concur that more public/private partnerships need to be established to evaluate technologies designed as an endgame, or those which prove to easily identify, integrate, and shut down potential threats (inside and out) without disrupting the majority of network operations, data, or user activity.

Time and trials will tell when WE (as a community) push to replace these defunct and ineffective security implementations. As we all know, each security intrusion/attack leads to additional networks being attacked...thus we all suffer because of the aforementioned product/technology failures. We can't blame the uneducated, but they need to know it [IPS] comprehensively doesn't work, hasn't worked, and never will.
Pete Herzog:
Commercial vendors have been hawking ineffective products for years because people think they work. It's a placebo for digital frameworks. The more money they make on selling their worthless products the more they can advertise them until it seems like you NEED them to be safe. Meanwhile, this misinformation forms a foundation or "Body of Knowledge" in which other research and products are built from as they are accepted as truth. Soon you get many inaccuracies in your security estimates which are excused away with the many documented cases of security professionals who all learned from the same misinformation that perfect security is impossible to achieve. So it's no longer that the ruler they used is wrong but because the foundations for which security is today measured means that ALL the rulers used to measure security today are wrong. So you can't blame government workers when most all of the private sector are also making the same mistakes. Then using the right ruler you find that it's not just IDS. It's IDS, AV, Defense in Depth, passwords, patching, threat trees, risk analysis, and many of the battle cries taught today are wrong either in whole or in part. What the government is guilty of is maintaining ridiculous upgrades and patching because of support contracts that they need to fix the problems from the upgrades and patchings. Something for which the large commercial sectors have also been guilty.

The answer is in properly analyzing infrastructures for properly functioning operational controls and not for vulnerabilities. It's in creating result-focused controls rather than threat-focused controls. It's in stopping the use of risk analysis and other forecast hoodoo and instead use trust analysis which uses the facts of today and not the guesses of what tomorrow might bring. If the government changed their requirements to this, they would be way ahead of the game.