Very interesting article recently on Forbes.com by Richard Stiennon about the weapons that the US is deploying to fight Cyber War. Richard is the founder and Chief Research Analyst at IT-Harvest and the author of the recently released book “Surviving Cyber War”.
According to Richard, the US is relying on 15-year-old technology to defend the country. The much vaunted “Einstein” project may not be the right choice to secure our digital borders. Yes, future versions supposedly will have auto defense capabilities, but currently the technology still relies on Intrusion Detection.
IDS is a technology invented over 15 years ago. It is signature based, which means it relies on a massive collection of snippets of text and code that researchers have discovered over the years are associated with unwanted network traffic, be it worms, port scans, or intrusions. Because the original deployments of IDS were just passive data collectors, there was no impact on network performance from adding new signatures, so the database grew and grew, and the logs IDS generated grew and grew, to the point where even a mid-size organization would receive millions of alerts a day.
Herein lies the problem. The Einstein system, or any signature-based detection system, has to filter through massive amounts of packets to look for suspicious activity. In this huge river of data you have legitimate user traffic, normal system communications, and transactions alongside the malicious traffic. Analyzing this data produces a large number of false positive alerts mixed in with the real threats. Human analysts are required to sift through the alerts and try to separate the false alarms from the foreign national hacker with nefarious intentions. According to Richard:
The only tool in DHS’s chest is a monitoring tool. Millions of alerts have to be filtered down. The continuous port scans, the worm traffic, the DDoS attacks, have to be winnowed down to something actionable. And even if that were possible, attacks such as those seen by Google, the Dalai Lama’s office, and the Pentagon, would still be effective… Einstein is a waste of money and a distraction. Other than generating huge reports that highlight the levels of attacks targeting DHS it will do nothing to protect DHS networks.
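To make the alert-volume problem concrete, here is a small added example of my own (it is not code from Richard's article, and it has nothing to do with how Einstein is actually built). The signature set, the traffic records and the port-scan threshold are all constructed for illustration. It emulates a passive signature IDS that raises one alert per match, then does the only thing a monitoring tool can do on its own: collapse the raw stream into a ranked summary. Notice that the legitimate search for an injection tutorial survives the winnowing and still lands on an analyst's desk.

```python
import re
from collections import defaultdict

# Constructed signature set (hypothetical, not Einstein's or any vendor's rules).
# Each entry: (name, regex applied to the request payload, severity 1..3).
SIGNATURES = [
    ("sql-injection-tautology", re.compile(r"'\s*or\s+1\s*=\s*1", re.I), 3),
    ("directory-traversal",     re.compile(r"\.\./\.\./"),                3),
    ("worm-probe-cmd-exe",      re.compile(r"/cmd\.exe", re.I),           2),
    ("union-select",            re.compile(r"union[\s+]+select", re.I),   2),
]

PORT_SCAN_THRESHOLD = 10  # distinct destination ports touched by one source


def build_sample_traffic():
    """Constructed records (src, dst, dport, payload): legitimate requests, one
    classic false positive, real attack strings, worm-style probes from several
    hosts and a port sweep. Not captured data."""
    traffic = [
        ("10.0.0.5",     "192.0.2.10", 80, "GET /index.html HTTP/1.1"),
        # A legitimate search for a tutorial that happens to contain the signature text.
        ("10.0.0.5",     "192.0.2.10", 80, "GET /search?q=union+select+tutorial HTTP/1.1"),
        ("198.51.100.7", "192.0.2.10", 80, "GET /login?user=' OR 1=1-- HTTP/1.1"),
        ("198.51.100.7", "192.0.2.10", 80, "GET /login?user=' or 1 = 1 -- HTTP/1.1"),
        ("203.0.113.9",  "192.0.2.10", 80, "GET /scripts/../../winnt/system32/cmd.exe HTTP/1.1"),
    ]
    # Five worm-style probes, each from a different host.
    traffic += [("203.0.113.%d" % n, "192.0.2.10", 80,
                 "GET /c/winnt/system32/cmd.exe HTTP/1.1") for n in range(20, 25)]
    # A port sweep from one host: 39 probes carrying no payload.
    traffic += [("203.0.113.9", "192.0.2.10", p, "") for p in range(1, 40)]
    return traffic


def raw_alerts(traffic):
    """Emulate a passive signature IDS: one alert per matching signature per
    record, plus one port-scan alert per probe once a source has touched
    PORT_SCAN_THRESHOLD distinct ports. This is the unwinnowed alert stream."""
    alerts = []
    ports_by_src = defaultdict(set)
    for src, dst, dport, payload in traffic:
        for name, pattern, severity in SIGNATURES:
            if pattern.search(payload):
                alerts.append({"sig": name, "src": src, "dst": dst, "severity": severity})
        ports_by_src[src].add(dport)
        if len(ports_by_src[src]) >= PORT_SCAN_THRESHOLD:
            alerts.append({"sig": "port-scan", "src": src, "dst": dst, "severity": 1})
    return alerts


def winnow(alerts):
    """Collapse the raw stream into one row per signature with event and
    distinct-source counts, ranked by severity and then by volume. This is the
    reduction a tool can do automatically; deciding which survivors are real
    attacks is still left to a human."""
    groups = {}
    for a in alerts:
        g = groups.setdefault(a["sig"], {"sig": a["sig"], "severity": a["severity"],
                                         "events": 0, "sources": set()})
        g["events"] += 1
        g["sources"].add(a["src"])
    rows = sorted(groups.values(), key=lambda g: (-g["severity"], -g["events"]))
    for g in rows:
        g["sources"] = sorted(g["sources"])
    return rows


if __name__ == "__main__":
    alerts = raw_alerts(build_sample_traffic())
    print("raw alerts:", len(alerts))
    for row in winnow(alerts):
        print("sev %d  %-24s %3d events from %d source(s)"
              % (row["severity"], row["sig"], row["events"], len(row["sources"])))
```

On these 49 constructed records the sensor raises 41 alerts, 31 of them from the single port sweep; winnowing reduces that to five rows, but the false positive from 10.0.0.5 sits in the queue right beside the real injection attempts, which is exactly the sifting job Richard says falls to human analysts.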
It looks like the US may need to look in a new direction to defend government systems. But if signature based intrusion detection is out, what do you replace it with?