The Defense Information Systems Agency’s idea of protecting agency networks at the internet browser took four years to go from concept to reality.
DISA recently awarded a five-year, $199 million deal to now go from prototype to full production across the Defense Department.
Steve Wallace, the systems innovation scientist at DISA, said the cloud-based internet isolation (CBII) program could be the game changer many have been waiting for in cybersecurity.
“The way that we try to defend the end point and browser as a whole, there are a lot of challenges that go along with that. We have a lot of devices in the middle of the conversations between the browser and the service the browser is trying to get to,” Wallace said on Ask the CIO. “The modern web page is way more than what it used to be. For instance, when you go to a simple search or news page, it’s typically around 6,000 to 8,000 lines of code downloaded to that end point and then processed by that browser, which means there is a device along the wire looking at that 6,000 lines of code looking for anything malicious. It’s very processor intensive and it’s only growing. The typical web browser is doing much more than it was even 5 or 10 years ago so we need to look at things differently.”
That need led DISA and others across the DoD to this concept of isolating the browser and the code it’s talking to in the cloud. DISA started looking at the CBII concept in 2016 and spent the last two years testing its theory.
“When the user is browsing the web, they get a traditional view. But what is actually happening is that browsing session is actually being rendered out in a commercial provider, outside of our network, and then a view of that browsing activity is brought back to our network. So they do not perceive any difference in performance,” he said. “In fact, as part of our prototype, we’ve heard there is a tremendous improvement in terms of performance because we’ve changed the way those bits are flowing to the end points without any of that malicious code coming back to the network.”
The CBII approach protects DISA and the other military services and agencies not just at the browser level: if a servicemember or civilian clicks on a malicious link in an email, the malware remains in the cloud and isn’t brought back to the network.
Sherri Sokol, the program manager of the CBII program, said the technology demonstrated its value earlier this year when cyber experts warned of a zero day vulnerability in the browser. She said the parts of DoD using CBII didn’t have to worry about that threat.
“If you could imagine taking an organization as large as DoD and upgrade its browser in a matter of days and not have these zero days, it’s a huge paradigm shift,” Wallace said. “You don’t have to deal with how many versions of IE or Firefox or Chrome are running? Our presence to the outside world is one, and it’s the most updated version of the browser. So you are avoiding a lot of the zero days. You still have to maintain your stuff internally, but it definitely creates that separation that is going to be a big deal for us going forward.”
Moving CBII into production comes as the use of disruptive and brute force attacks is increasing across government. The 2019 Federal Information Security Management Act (FISMA) report to Congress says phishing, patch management and administrator password reuse are the top three risk and vulnerability assessment findings.
Sokol said DISA ran the prototype with 100,000 users across the Navy, Air Force and other defense networks over a year. She said DISA wanted to test the technology in the “real world” versus a lab. Under the initial pilot, two vendors provided the CBII technology and DISA randomly assigned the vendors to participants.
Wallace added when the pandemic hit, the CBII pilot became even more valuable.
“What we saw with the pandemic was a dramatically increased demand from our mission partners in this capability,” he said. “The bandwidth savings alone, we were able to remove about 50% of the bandwidth off of our virtual private networks because we were no longer back-hauling that traffic into the organization just to route it back out to the internet. We saw big improvements there. Our mission partners were able to use their browsers in different ways as they were doing a lot more with the outside world so they needed better and more reliable performance, and they are definitely seeing that here.”
Sokol credited user feedback and DISA’s own experience with CBII with pushing the initiative into production.
“Now they have the ability to say this user or that user or a group of users or a location can access not just a domain but it could be as low as one specific video. That’s an interesting capability that the department gains,” she said. “We are going to start with those who have already indicated an interest. We know that because of COVID folks have been waiting for us to hit production to come on. We have the first couple of hundred thousand users who will probably come on in the next several weeks. Then we will start addressing a lot of the services who want to come on and that will take us through this year and most of next.”
DISA also is working with the cyber development directorate to sustain CBII for the long term. Sokol said the program eventually will move into that directorate to handle the addition of new capabilities and maintenance requirements.
Wallace added that one part of the prototype was to test how quickly DISA could bring on a new agency. He said in April they brought on about 60,000 users at a Defense organization in a matter of days.
“This technology space is fairly new. There are not a lot of complete deployments at this point. There are a lot of organizations looking at this. Just during the time we’ve looked at it, it started to grow quite dramatically,” Wallace said. “This platform gives us even better ways to measure success than what we had previously. There will be traditional means that you would use with a regular proxy like number of bad URLs clicked or malicious downloads avoided and that kind of stuff. One of the most interesting statistics we have been able to get out of this is URLs that were good at time of click, but in a period of time after that go bad. A lot of these proxies depend on reputation filters so you go to a URL and the reputation is strong, you can move on. But those are point-in-time sort of things. If you have a site that goes from good at time of click to bad, perhaps it was actually bad when the user clicked on it and the reputation filters hadn’t caught up yet. The benefit here is we are isolating the traffic so if it was bad, we prevented the user from downloading any of that code to the end point so if it was bad, we are not as concerned.”
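As an added illustration (not DISA’s or either vendor’s code), here is one way to compute the “good at time of click, bad later” statistic Wallace describes: each click is checked against a reputation feed both as it stood at click time and as it stands now, and the clicks a point-in-time filter would have allowed but that were later flagged are set aside for review. The click log and reputation feed are constructed sample data.

```python
from datetime import datetime

def ts(s):
    return datetime.fromisoformat(s)

# Constructed sample data (not real DISA logs): browser clicks and a reputation feed.
CLICKS = [  # (click time, user, url)
    (ts("2020-04-01T09:00"), "user-a", "https://news.example/story"),
    (ts("2020-04-01T09:30"), "user-b", "https://downloads.example/setup"),
    (ts("2020-04-02T14:00"), "user-c", "https://downloads.example/setup"),
    (ts("2020-04-03T08:00"), "user-d", "https://blocked.example/login"),
]
REPUTATION = [  # (time the verdict took effect, url, verdict)
    (ts("2020-03-20T00:00"), "https://blocked.example/login", "bad"),
    (ts("2020-04-02T10:00"), "https://downloads.example/setup", "bad"),
]

def verdict_at(url, when, feed):
    """Reputation verdict for url as of `when`; 'good' until the feed says otherwise."""
    verdict = "good"
    for when_set, u, v in sorted(feed):
        if u == url and when_set <= when:
            verdict = v
    return verdict

def classify_clicks(clicks, feed, now):
    """Bucket each click by how a point-in-time reputation filter would have treated it."""
    counts = {"clean": 0, "blocked_at_click": 0, "bad_after_click": 0}
    review = []  # clicks a proxy would have allowed that later turned bad
    for clicked, user, url in clicks:
        if verdict_at(url, clicked, feed) == "bad":
            counts["blocked_at_click"] += 1      # reputation filter would have stopped it
        elif verdict_at(url, now, feed) == "bad":
            counts["bad_after_click"] += 1       # allowed at click time, flagged afterwards
            flagged = min(t for t, u, v in feed if u == url and v == "bad" and t > clicked)
            review.append((user, url, clicked.isoformat(), flagged.isoformat()))
        else:
            counts["clean"] += 1
    return counts, review

if __name__ == "__main__":
    counts, review = classify_clicks(CLICKS, REPUTATION, ts("2020-04-05T00:00"))
    print(counts)
    for row in review:
        print("retroactively bad:", row)
```

Under an isolation model the `bad_after_click` bucket is the exposure a reputation-only proxy would have missed; with isolation those sessions rendered off-network, so the list is a review queue rather than an incident list.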