November 14, 2013 INTRUSION DETECTION SYSTEM (IDS), INTRUSION PREVENTION SYSTEM (IPS)

Evaluating Einstein DHS 3

From what I’ve gathered from the various articles and interviews on the web about Einstein DHS 3, I’m very perplexed.

I mean, I understand that things in government move slowly, but we’re in the year 2013 and these people are only just talking about implementing a proactive, real-time IPS. It’s a wonder that we haven’t had more major issues with our government networks, and that Chinese hackers haven’t been all over the place.

We need to be clear on one thing, though: Einstein isn’t a commercially available system with commercially available signatures and algorithms of the kind a private corporation could purchase. There are some commercial components in it (the DHS purchased commercially available software from TIBCO Federal as the base for this project), but according to what I’ve read, most of the signatures are written specifically by US-CERT and, in the 3rd iteration being implemented now, some of the protection is also written by the NSA.

In a way, I wish we in the private sector could have access to the same information and signatures; but I also understand the reasons why some of it might even be considered secret. For the most part, you may not want to let the attackers know what you know about them, or that you’re even on to them.

It’s certainly a very important initiative, which will provide much-needed enhanced protection to government networks. I only wish politics hadn’t gotten in the way and the project had been developed far more rapidly. IPS should already be a thing of “today”, not one of tomorrow.

The articles about Einstein talk about deep packet inspection and active blocking as though this project invented those concepts. Forgive me for being a party pooper, but these are “old” concepts that we’ve been using for 10 years now.

In my opinion, the only real advantage this project has over what’s currently available in the private sector is the intelligence coming from the investigative agencies: it allows them to write protection signatures that the private sector doesn’t have.

It’s a big advantage, though, and in light of the Presidential order on cyber security, it would be nice if we in the private sector could somehow benefit from all this intelligence being developed around Einstein. We don’t need the signatures; we need to be made aware of the threats so we can better protect ourselves, which will, in turn, benefit the government as well.