Eric Goldstein, the executive assistant director for cybersecurity at CISA, told members of the House Appropriations Subcommittee on Homeland Security on March 10 about the four areas the agency will focus on with the additional money.
“The first is the deployment of detection sensors within federal agencies to increase our visibility into cybersecurity threats in agency environments and figure out adversary activity much quicker to minimize these prolonged compromises that we’ve recently seen,” Goldstein said. “The second … is expanding our capacity for incident response and threat hunting, moving to that proactive hunting model. The third is improving our capacity to conduct analysis of cybersecurity information coming into CISA to understand risks and threats across the executive branch.”
Goldstein said the fourth focus area, which is more of a long-term goal, is changing the defensive network architecture of agencies. He said through zero trust principles agencies can drive security to their data and devices.
Goldstein said while the money will be impactful, it’s just a down payment on what agencies and CISA need to continue to deal with the ever-growing cyber threats they face.
The additional funding also comes as CISA is leading the federal civilian effort to mitigate two major cyber incidents — the SolarWinds attack and the vulnerabilities found in Microsoft Exchange email servers.
CISA released an emergency directive for both episodes with the latest coming March 3 to deal with the Microsoft threats.
CISA reiterated to lawmakers that the SolarWinds attack was extremely sophisticated and aimed at bypassing strong security controls. It impacted nine agencies, including the Justice Department.
No impact from Microsoft vulnerability, so far
Brandon Wales, the acting director of CISA, said the agency believes the SolarWinds attack was largely focused on espionage, targeting a couple of dozen agencies. He said, as of now, there is no evidence the bad actor did anything except steal information.
“We are working with individual agencies to assess the results of their forensic analysis,” Goldstein said. “At this point in time, there are no civilian federal agencies that are confirmed to be compromised by this campaign.”
But Goldstein said CISA is working with agencies as they do forensic analysis, and new information is coming in by the hour.
He called the agency response outstanding and said the vast majority of servers across the civilian agencies have been mitigated.
CISA plans to continue to expand and grow its capabilities to better deal with the next SolarWinds- or Microsoft Exchange-type risk.
Goldstein said an important piece to that future is the new authorities to do threat hunting across civilian agency networks, which Congress gave CISA in the 2021 Defense Authorization bill.
Goldstein said the agency plans to change its current approach to threat hunting to more rapidly detect intrusions.
“The way that incident response and threat hunting works historically is we would begin the response or hunting phase only when triggered by a compromise or possible breach,” he said. “What we want to move to is a paradigm where CISA is able to continuously assess security data from agencies on an ongoing basis for evidence of compromise, utilizing known and potential indicators of compromise, including advanced analytical techniques so we can get ahead of the adversary. Then the moment they intrude, we have a higher likelihood of catching them versus waiting, for example, until they make a mistake and then we trigger an incident response.”
Goldstein said CISA hasn’t determined its approach for expanding its threat hunting capabilities. He said it may be a combination of models: CISA putting tools on agency networks to continuously analyze threat activity, or working with agencies that aggregate their network security data so that CISA can analyze it continuously, whether on premises or in the cloud.
He added that in the coming months CISA will continue to develop its plans for the threat hunting initiative around people, tools and analytics.
CISA still must answer several important questions about how it will apply its new threat hunting authorities, including what it will mean for agency customers, what the actual process will be for analyzing other agencies’ network traffic, and what role agency chief information security officers will play in shaping the effort.
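As an added illustration of the continuous-assessment model Goldstein describes (example code written for this page, not CISA's tooling), the following Python scans a constructed event stream as each event arrives, matching known indicators exactly and flagging one constructed "potential indicator" heuristic. All domains, hashes, process names and the baseline set are assumptions, not values from the article.

```python
"""Continuous compromise assessment over an agency event stream (added example)."""

# Constructed known IOCs (exact match): a C2 domain and a file hash.
KNOWN_DOMAINS = {"bad.example.net"}
KNOWN_HASHES = {"deadbeef" * 8}

# Constructed baseline of destinations seen in prior benign traffic.
BASELINE_DOMAINS = {"mail.example.gov", "cdn.example.org", "updates.example.com"}

# Script hosts used for the constructed "potential indicator" heuristic:
# a script interpreter reaching a destination never seen before.
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample telemetry (not real agency data).
EVENTS = [
    {"ts": 1, "host": "ws-01", "proc": "outlook.exe", "dst_domain": "mail.example.gov", "sha256": "11" * 32},
    {"ts": 2, "host": "ws-02", "proc": "powershell.exe", "dst_domain": "cdn.example.org", "sha256": "22" * 32},
    {"ts": 3, "host": "srv-03", "proc": "svc.exe", "dst_domain": "bad.example.net", "sha256": "33" * 32},
    {"ts": 4, "host": "ws-02", "proc": "powershell.exe", "dst_domain": "new-host.example.net", "sha256": "22" * 32},
    {"ts": 5, "host": "ws-04", "proc": "update.exe", "dst_domain": "updates.example.com", "sha256": "deadbeef" * 8},
]


def assess(events, baseline_domains=BASELINE_DOMAINS):
    """Evaluate each event as it arrives, rather than waiting for a reported breach.

    Returns a list of (ts, host, reason) hits. Known IOCs are exact matches;
    the 'first-seen domain from a script host' rule is a constructed heuristic
    standing in for the 'potential indicators' the article mentions.
    """
    seen = set(baseline_domains)
    hits = []
    for e in events:
        if e["dst_domain"] in KNOWN_DOMAINS:
            hits.append((e["ts"], e["host"], "known C2 domain"))
        if e["sha256"] in KNOWN_HASHES:
            hits.append((e["ts"], e["host"], "known malicious hash"))
        if e["proc"] in SCRIPT_HOSTS and e["dst_domain"] not in seen:
            hits.append((e["ts"], e["host"], "script host to first-seen domain"))
        seen.add(e["dst_domain"])  # the baseline grows as traffic is observed
    return hits


if __name__ == "__main__":
    for ts, host, reason in assess(EVENTS):
        print(f"t={ts} {host}: {reason}")
```

In the trigger-based model the same stream would only be examined after someone reported the ts=5 hash match; the continuous scan surfaces the ts=3 C2 contact two events earlier.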
Time to update EINSTEIN
The other big change that is coming is around the EINSTEIN intrusion detection and intrusion prevention tool.
While EINSTEIN would not have helped protect agencies from the SolarWinds attack or from the Microsoft Exchange issue, CISA recognizes the 17-year-old approach to cybersecurity needs to continue to evolve.
Goldstein said the current approach to EINSTEIN was designed to address the perimeter-focused cyber risks of a decade ago, while today’s threats are at the edge.
“CISA is urgently moving our detection capabilities from that perimeter layer into agency networks to focus on those end points, servers and workstations where we are seeing adversary activity today,” he said. “This is consistent with leading trends in the cybersecurity industry as adopted by public and private organizations of all types. We already have pilots in place to precipitate this important transition.”
While Goldstein didn’t offer any details on the timing of the new EINSTEIN effort, since much of it depends on congressional funding, some of the $650 million is likely earmarked for expanding these capabilities.
Subcommittee members continued to support more funding for CISA, lauding its efforts to protect federal networks. The big question that kept coming up was the workforce, and how Congress can ensure CISA is hiring and training its employees to be more effective.