Einstein 3 goes live with automated malware blocking
Connecting state and local government leaders
The government's new intrusion prevention system will not only detect malicious traffic but stop that traffic before it does harm.
Einstein 3 is scheduled to go live on July 24 when the first department turns on the new intrusion prevention system at 7 p.m.
Einstein is a managed security service provided through the Department of Homeland Security and Internet service providers, offering intrusion protection and prevention for all executive branch civilian agencies. Initially deployed in 2004, it has advanced from network traffic analysis to intrusion detection. The latest iteration adds automated blocking of malicious traffic to its capabilities.
The announcement of the first activation of Einstein 3 was made by Roberta Stempfley, acting assistant DHS secretary of the Office of Cybersecurity and Communications, at the MeriTalk Cybersecurity Brainstorm conference in Washington, D.C.
Stempfley said she could not identify the department turning on the service but said the second department would be Veterans Affairs, which will come onboard in mid-August. Einstein 3 is ready to go to work on some ISPs, she said, and departments and agencies will be brought in as the cutovers can be scheduled with both the agencies and their service providers.
The launch of Einstein 3 continues the effort to automate security. The first version of Einstein analyzed network flow information from participating agencies to provide a high-level view for observing potential malicious activity. Its second iteration, Einstein 2, launched in 2008, is a passive, automated system that incorporates intrusion detection based on custom signatures of known or suspected threats. It relies primarily on commercial tools and is able to alert US-CERT of malicious activity. Einstein 2 now is deployed at 17 of 18 agencies that are using a Trusted Internet Connection provider and at 52 other agencies using Managed Trusted IP Services (MTIPS) under the Networx contract. It is expected to be deployed at 70 percent of executive branch agencies by the end of the fiscal year, as legacy networking contacts expire and more agencies move to MTIPS.
Einstein 3 will not only detect malicious traffic on government networks but stop that traffic before it does harm. Under DHS direction, service providers will provide decision-making capabilities on malicious traffic based on threat indicators developed for the ISPs by the DHS Office of Cybersecurity and Communications. Agencies enter into agreements with DHS to authorize use of intrusion prevention capabilities through service providers.
The threat indicators can be based on traffic metadata, including IP addresses and packet payload, which can require deep-packet inspection by Einstein 3. DHS’ intent is to keep indicators specific enough to ensure the privacy of legitimate traffic.
ISPs providing intrusion prevention services must segregate .gov traffic in their networks for analysis. Four contracts for this function have been awarded to service providers. For blocking traffic, ISPs will use Domain Name Service sinkholing to keep outgoing .gov traffic from communication with known or suspected bad domains by redirecting traffic to safe, sinkhole servers. E-mail filtering will scan incoming mail addressed to .gov networks for malicious attachments, URLs and other malicious content. Infected e-mails could be quarantined or redirected for further inspection and analysis by DHS.
Stempfley said Einstein 2, which provides only intrusion detection, has proved its worth.
“We find it to be very helpful,” she said, providing information that enables analysts to spot and respond to attacks. “We’re not turning it off.”