CISO Perspectives: Deep packet inspection


Commentary: Harnessing the power to interrogate inbound traffic for sensitive federal networks is the right thing to do. But why then has it taken federal CISOs so long to make the DPI plunge?

Deep packet inspection is the capability to "see" the content, not just the headers, of network traffic. Its importance lies in the ability to detect malware attack payloads buried in otherwise legitimate packet contents. These are the kinds of attacks that may carry rootkits and other dangerous techniques. The tools to prevent these kinds of attacks are on the market, but they are underutilized in the federal space. Rootkits are all over our networks. This article discusses how the lack of centralized management of security operations across all business units is contributing to this significant problem facing agency CISOs.

This is the second of three commentary articles written for GCN by a group of writers who make up the (ISC)2 U.S. Government Advisory Board Executive Writers Bureau. The Bureau includes volunteer federal information security experts from government and industry. A full list of Bureau members can be found here.

Deep packet inspection (DPI) is a technical process for
examining and interrogating the header information as well as the
payload of network traffic as it traverses network demarcation
points. It has become an essential tool for identifying the
presence of viruses, spam, rootkits, malware and other forms of
malicious logic or non-protocol-complying traffic--and deciding
whether to allow, deny or redirect selected traffic.


DPI actually merges Intrusion Detection System (IDS) and
firewall functionality into a single security engine that sits
'in-line' on the same device. Generally, the DPI engine
inspects each packet of data as it traverses the firewall, and
rejects or allows the packet based on predefined rules. Typically,
the DPI engine compares the packets against a set of rules, which
look at a combination of signatures, heuristics, as well as
statistical or anomaly-based logic.


Harnessing the power of DPI technology to interrogate inbound
traffic destined for sensitive federal networks and systems is
undoubtedly the right thing to do. Why then has it taken federal
CISOs (chief information security officers) so long to make the DPI
plunge? Unfortunately, the answers are not trivial; and sadly they
are often the same ones that plague technology implementations
across the federal government.


A robust DPI implementation presupposes a number of existing
conditions, some of which, unfortunately, continue to be major
challenges for chief information officers as well as CISOs. These
include:



  • Precise enumeration of all protocols and application traffic
    traversing federal networks
  • Centralized control and management of all network and security
    operations across the various operational units within large
    government agencies
  • A 'tipping of the scales' in the traditional
    compliance-vs.-risk model employed by most federal CISOs in the
    favor of risk over compliance
  • A pervasive reluctance to allocate sufficient budgetary
    resources to security problems.

Looking at each of these challenges more specifically:


Enterprise Enumeration


Ideally, large degrees of uncertainty should never exist in
dealing with precise protocols and application traffic traversing
federal networks. In reality, however, the prevailing stove-piped
approaches to acquiring and deploying federal systems and
applications force federal CIOs and CISOs into a constant reactive
state. This is due in part to their inability to quickly and
accurately gauge the traffic flowing across their networks. Among
the many downstream effects of this: CISOs have to be overly
cautious to ensure the proper degrees of due diligence before
enabling the 'Active Mode' configuration of their DPI devices.
Their fear: the possibility of self-inflicted denial of service,
whereby otherwise legitimate traffic could get blocked.
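The two passages above describe a DPI engine as an in-line merge of firewall header rules and IDS payload rules, with a passive (alert-only) mode and an 'Active Mode' that blocks or redirects. The following is an added illustration, not code from the article or from any DPI product: a toy engine that parses a raw IPv4/TCP packet, applies a header rule, a payload signature rule and a protocol-compliance rule, and shows why a CISO might keep the device passive. The signature bytes, rule names and the redirect-on-anomaly policy are constructed assumptions.

```python
import struct

# Constructed, illustrative rule set (not from any real product):
SIGNATURES = {b"EVIL_ROOTKIT_STAGE1": "rootkit-stager"}  # byte patterns sought in payloads
BLOCKED_PROTOCOLS = {1: "icmp-not-permitted"}            # IP protocol numbers denied by policy
HTTP_METHODS = {b"GET", b"POST", b"HEAD"}
PASSIVE, ACTIVE = "passive", "active"                    # alert-only vs. in-line enforcement

def parse_ipv4(packet: bytes):
    """Return (src, dst, proto, l4_segment) from a raw IPv4 datagram."""
    ihl = (packet[0] & 0x0F) * 4
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    return src, dst, packet[9], packet[ihl:]

def parse_tcp(segment: bytes):
    """Return (sport, dport, payload) from a TCP segment."""
    sport, dport = struct.unpack("!HH", segment[:4])
    return sport, dport, segment[(segment[12] >> 4) * 4:]

def inspect(packet: bytes, mode: str = PASSIVE):
    """Return (action, alerts); action is ALLOW, DENY or REDIRECT."""
    src, dst, proto, l4 = parse_ipv4(packet)
    alerts, payload = [], b""
    if proto in BLOCKED_PROTOCOLS:                    # header rule (firewall-style)
        alerts.append(BLOCKED_PROTOCOLS[proto])
    if proto == 6:
        sport, dport, payload = parse_tcp(l4)
        # protocol-compliance rule: traffic to port 80 should start like an HTTP request
        if dport == 80 and payload and payload.split(b" ", 1)[0] not in HTTP_METHODS:
            alerts.append("non-http-on-80")
    for pattern, name in SIGNATURES.items():          # payload signature rule (IDS-style)
        if pattern in payload:
            alerts.append(name)
    if not alerts or mode == PASSIVE:                 # passive mode never blocks: alerts only
        return "ALLOW", alerts
    known_bad = set(SIGNATURES.values()) | set(BLOCKED_PROTOCOLS.values())
    # active mode: confirmed-bad traffic is dropped; merely anomalous traffic is redirected
    # (e.g. to a sandbox) so that a false positive does not become a self-inflicted outage
    return ("DENY" if any(a in known_bad for a in alerts) else "REDIRECT"), alerts

def build_packet(src, dst, sport, dport, payload: bytes) -> bytes:
    """Construct a minimal IPv4/TCP packet (checksums left zero) for offline testing."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return ip + tcp
```

Running the same packets through both modes shows the trade-off the section describes: passive mode surfaces every alert without ever dropping traffic, while active mode turns the signature hit into a block and the merely anomalous flow into a redirect.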


Lack of centralized control/management


Another challenge is the fact that the ownership, control,
management and maintenance of federal information technology assets
and operations do not typically fall within the direct and
immediate responsibility of federal CIOs/CISOs. Large government
agencies are still struggling to meet the spirit and intent of the
decade-old provisions of the Clinger-Cohen Act, and thus, the
governance of IT across the Federal enterprise remains disjointed
and fragmented. As a result, shadow IT organizations outside the
agency CIO organizations, resourced by and embedded within business
and functional organizations, are providing localized IT support.
The consequent lack of centralized control and management over
these disparate IT functions increases the technological and
organizational complexities involved in the deployment of
active-mode technologies such as DPI, among other challenges.


Compliance over Risk


As organizational entities, federal agencies are unquestionably
the most audited. An unintended consequence of the excessive audits
is that the dominant cyber security philosophy employed by most
federal CISOs now favors compliance management over true risk
management. Therefore, when asked to prioritize the allocation of
the meager budget dollars, many CISOs are left with little choice
but to allocate those against the highest compliance 'pain
points.'


From the perspective of frontline cyber security practitioners
or incident responders, DPI continues to hold much promise as a
technology that swings the incident response pendulum toward active
detection and response and away from passivity and reaction.


As with most technologies however, DPI is not without downsides
to adoption and deployment. The preponderance of DPI criticisms so
far has been anchored around potential civil liberties violations,
specifically expectations of privacy and net neutrality, i.e.
non-discrimination of packets and open access networks.


Despite the obvious appeal of DPI to federal CISOs in adding a
much-needed proactive layer to their otherwise passive
defense-in-depth security architectures, CISOs have been slow to
adopt DPI for a number of reasons. However, this will no longer be
an option for federal CISOs due to the latest requirements coming
from the White House in the form of the new 'Cyber
Initiative', created in response to recent surges in
increasingly complex and overly aggressive nation-sponsored cyber
attacks against U.S. Government and civilian network
infrastructures.


The most significant publicly disclosed component of the new
Cyber Initiative is the reduction of approximately 4,300 Internet
access points across the federal government, down to approximately
100 and the deployment of "Einstein" sensors on formally approved
federal government Internet access points.


Einstein (Versions I/II) is Department of Homeland Security
(DHS)-sponsored DPI technology that will be collecting information
about federal traffic flows; looking at source, destination,
protocol types, as well as payload data. The technical details of
how the information derived from these sensors will be consumed,
and by whom, is still held closely within the government. The jury
is still out, however, regarding Einstein's abilities to
provide the same degrees of instrumentation, scalability and
robustness in comparison to commercial DPI technology.


