New funding that Congress recently provided for cybersecurity as part of a larger COVID-relief package is accelerating work already underway and is also being put toward requirements development to bring cyber threat detection and response capabilities to endpoints, an official with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) said on Wednesday.
There is a focus now on endpoint threat detection and response and CISA is working within the agency and with other federal agencies on those requirements and the “overall architecture,” Kevin Cox, CISA’s outgoing program manager for the Continuous Diagnostics and Mitigation (CDM) program, said during a virtual cybersecurity conference hosted by MeriTalk.
Cox is leaving CISA later this month to become the deputy chief information officer at the Department of Justice. DHS hasn’t named a replacement for him.
The Biden administration sought and received $650 million for CISA in the $1.9 trillion American Rescue Plan that was signed into law on March 11. Cox said that some of the funding for the CDM program is also going to accelerate work underway in the areas of identity and access management, and cloud security.
Following the disclosure last December, and subsequent analysis, of a software supply chain breach that has impacted nine federal departments and agencies and about 100 private sector organizations, Congress and DHS are putting greater focus on giving federal cyber defenders visibility into potential threats already inside their networks.
In the case of the supply chain attack, Russia’s foreign intelligence service compromised a software product supplied by the network management company SolarWinds Inc. [SWI], inserting malware that was then delivered to customers through the product’s routine patches and updates. In this way the hackers bypassed the perimeter and entered unsuspecting networks through what those networks treated as trusted connections.
Brandon Wales, the acting director of CISA, testified to Congress in March that DHS’s marquee perimeter intrusion detection system, known as EINSTEIN, could not have detected the attack vector used in the SolarWinds incident. He told various congressional committees this spring that while EINSTEIN still has a purpose, there will need to be a rebalancing of resources within CISA toward CDM, which is meant to provide greater visibility into the networks of federal civilian agencies.
“We need to move deeper into networks,” Wales told the Senate Homeland Security and Governmental Affairs Committee on Tuesday. “So, an event like SolarWinds you’re never going to detect at the perimeter. You’re never going to detect at the edge. You need to be looking on individual hosts, on individual servers and workstations for when those start to behave in anomalous fashions.”
Deploying endpoint threat detection and response tools on devices inside of networks will provide “deeper insight into what’s happening there and be able to alert and cue us more quickly to incidents like this,” he told the panel.
Other security improvements include network segmentation, architecture and configuration, and zero trust, Wales said. While there “is no silver bullet,” he noted, adding more layers of security complicates the task of attackers, reduces their chances of success, and makes it likelier that they will be detected.
Wales said many agencies have begun deploying endpoint detection tools. The stimulus funding will enable these tools to be deployed faster and to more agencies, he said.