“First, these guidelines provide federal agencies and the private sector with a clear understanding of how to share cyber threat indicators with DHS’s National Cybersecurity and Communications Integration Center (NCCIC), and how the NCCIC will share and use that information,” said DHS Secretary Jeh Johnson in a statement. “To address requirements of the new law, we improved our existing sharing system and added new capabilities. As a further incentive, the law provides companies with targeted liability protection for sharing cyber threat indicators with the Automated Indicator Sharing (AIS) system. I encourage companies to work with DHS to set up the technical infrastructure needed to share and receive cyber threat indicators in real-time. Today’s guidelines provide the private sector with clear guidance on how to participate and what to expect.”
Finally, the agency, as a part of the interim guidelines, released its initial take on the liability protections for industry called for under CISA.
The guidelines extend “liability protection to private entities for sharing of a cyber threat indicator or defensive measure conducted through the federal government’s capability and process operated by DHS.”
Andy Ozment, the DHS assistant secretary of the office of cybersecurity, said the netflow analysis capability under ECS and the new protections from CISA continue to build on the tools available to better secure federal and private sector networks.
In many ways, the expansion of ECS comes at a good time because the liability protections under CISA help promote the sharing of threat data.
“What we’ve seen over the last couple of years in using netflow for security use cases are things like beyond, ‘Hey, there’s a SQL backup job running in middle of day that shouldn’t and that is slowing down the net.’ We now can do more forensic device analysis. We can see there is a device infected with malware that’s communicating back with a command and control server or spreading to other parts of the network,” said Mav Turner, director of product strategy for SolarWinds, which provides cyber tools to the public and private sector companies. “Netflow now can identify abnormal behavior in the network. It can identify who is using apps that they shouldn’t be using, and also who is sending the most data out of the network. If the average user is sending 1 megabyte a day and you find another who is sending 700 MB or 1 gigabyte a day that leads to others questions or concerns.”
Turner said netflow analysis lets companies or agencies better understand the Internet protocol addresses that are communicating with their networks.
“It’s based on application ports so, for example, whenever you use a Web browser you use Port 80. It’s not going to tell you the contents of the traffic. But if you open a Web browser and go to a website, you can tell as an administrator that the user went to that website and sent or received a lot or a little bit of data to or from that website,” he said.
The type of data ECS partners, which includes four companies offering three services to the private sector, will provide is classified threat data based on information coming from law enforcement, intelligence and other federal entities.
Danny Toler, the deputy director of Federal Network Resilience at DHS, said the private sector partners can use the information in real time to protect customer networks, or after something has happened to understand the potential or real problems in more detail.
Toler said the data will help “determine just how deep the issues could’ve been at the time, where did they go in the company’s network, what might have been taken so it could be used for after the fact forensic capabilities as well.”
Ozment said a good analogy for what netflow analysis does is the guard house on the road entering a company’s facility. He said DHS is giving classified information to that guard company to stop someone from entering the facility.
Turner said he was a little surprised that DHS was just adding netflow analysis capability now to ECS. He said a lot of companies and agencies already are using this tool.
“There are advantages to rolling this out across an entire agency versus individually in each office or bureau. The service providers are positioned to know where the traffic is going, so it makes sense to position it with them,” he said. “A lot of these agencies are using netflow analysis today, but this makes it easier to get data and retain historical data. One of things you do with netflow for non-security uses is you sample it down so you don’t capture every conversation, but maybe 1 out of 10 packets is a good sample for bandwidth cases, for instance. But with security, that’s not the case because every conversation is critical so data retention becomes more of an issue.”
Turner said if agencies or organizations don’t have netflow capabilities today, they will benefit significantly from it.
Ozment said DHS went with other capabilities under ECS first based their analysis with the providers on what made the most sense and was most valuable for the private sector and government.
“I think it’s important to recognize the distinguishing capability of ECS — which is that it uses classified government information. The goal is not to compete with other commercial services that are being offered unless perhaps one of these middle men can package it together if they want to do that. But our goal is how do we best take advantage of government classified information so the private sector can take advantage of it and be better protected,” Ozment said. “Why did we start with the protection we started with? One was the type of classified information we had. The other was what we saw as the most significant threat vectors and how to block it. So we started with two other capabilities that we viewed as higher priority. This capability actually came about because a commercial service provider, one of these middle men, talked to their customers and wanted to add this capability. And that is great because as much as possible we want this to be driven by the needs of the end customers who are being protected and the market forces.”