DHS EINSTEIN firewall fails to detect 94% of threats, doesn't monitor web traffic

GAO issued a harsh report following an audit of Homeland Security's $6 billion EINSTEIN intrusion detection system.


When you think “Einstein,” something along the lines of smart probably comes to mind. But the Department of Homeland Security's $6 billion EINSTEIN intrusion detection system is closer to dumb than smart, as the firewall fails to scan for 94% of common security vulnerabilities; it doesn’t even monitor web traffic for malicious content! That capability is supposed to be coming in 2016, with wireless network protection coming in 2018.

The newest failings of EINSTEIN, aka the National Cybersecurity Protection System (NCPS), came after an audit and are highlighted in a harsh U.S. Government Accountability Office (GAO) report (pdf) which outlines a plethora of changes that need to be implemented.

The GAO tested the EINSTEIN system by trying to exploit 489 known vulnerabilities in the apps most commonly used on government computers: Adobe Acrobat, Adobe Flash, Internet Explorer, Java and Microsoft Office; EINSTEIN detected only 29, or 6%, meaning it didn’t stop 94%. That’s particularly depressing when you consider the system, which was first deployed in 2004, will cost about $5.7 billion by the time it reaches its full upgraded potential.

The system is signature-based: it can detect malicious behaviors, but only those that match its signatures, which are previously known patterns of malicious traffic. While it does scan email for potentially malicious activity, the system is “limited” and cannot detect “threats embedded in certain types of network traffic”; it does not detect malicious content in the cloud or in web traffic. It is also limited with regard to detecting advanced persistent threats (APTs) by nation-state cyber-espionage hackers, although “the overall intent of the system was to protect against nation-state level threat actors.”

There are 228 intrusion detection sensors to detect malicious activity on .gov networks and 9,000 signatures in EINSTEIN, even though only about 2,300 of the signatures are enabled. DHS said EINSTEIN was only supposed to be signature-based and even agreed that some commercial intrusion detection systems used by federal agencies have more signatures than EINSTEIN. DHS claimed “it is the responsibility of each agency to ensure their networks and information systems are secure while it is the responsibility of DHS to provide a baseline set of protections and government-wide situational awareness, as part of a defense-in-depth information security strategy.”
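To make the audit's two gaps concrete (tests for which no signature exists, and tests whose signature exists but is not enabled), here is an added example, not code from the GAO report or from EINSTEIN, that measures a signature set's coverage against a test corpus and classifies each miss. Every signature, marker string and test case in it is constructed placeholder data; the function names are hypothetical.

```python
import re
from collections import namedtuple

# enabled=True: loaded on the sensor; False: in the catalogue but switched off
Signature = namedtuple("Signature", "sig_id pattern enabled")

# Constructed placeholder data: inert marker strings stand in for traffic.
SIGNATURES = [
    Signature("SIG-1", r"FLASH-MARKER-A", True),
    Signature("SIG-2", r"PDF-MARKER-A", True),
    Signature("SIG-3", r"JAVA-MARKER-A", False),
    Signature("SIG-4", r"OFFICE-MARKER-[AB]", False),
]
CASES = [  # (case id, application, payload)
    ("T1", "Adobe Flash", "hdr FLASH-MARKER-A body"),
    ("T2", "Adobe Flash", "hdr FLASH-MARKER-B body"),  # variant, no signature
    ("T3", "Adobe Acrobat", "PDF-MARKER-A"),
    ("T4", "Java", "JAVA-MARKER-A"),                   # signature disabled
    ("T5", "Microsoft Office", "OFFICE-MARKER-B"),     # signature disabled
    ("T6", "Internet Explorer", "IE-MARKER-A"),        # no signature at all
]

def matches(payload, signatures, include_disabled=False):
    """Return the IDs of the signatures that fire on this payload."""
    return [s.sig_id for s in signatures
            if (s.enabled or include_disabled) and re.search(s.pattern, payload)]

def coverage(cases, signatures, include_disabled=False):
    """Return (detected, total, {application: (detected, total)})."""
    per_app = {}
    for _, app, payload in cases:
        hit = bool(matches(payload, signatures, include_disabled))
        d, t = per_app.get(app, (0, 0))
        per_app[app] = (d + hit, t + 1)
    detected = sum(d for d, _ in per_app.values())
    return detected, len(cases), per_app

def classify_misses(cases, signatures):
    """For each undetected case, say whether enabling a signature would fix it."""
    out = {}
    for case_id, _, payload in cases:
        if not matches(payload, signatures):
            fixable = matches(payload, signatures, include_disabled=True)
            out[case_id] = "disabled-signature" if fixable else "no-signature"
    return out

if __name__ == "__main__":
    for flag in (False, True):
        d, t, _ = coverage(CASES, SIGNATURES, flag)
        print(f"include_disabled={flag}: {d}/{t} detected ({d / t:.0%})")
    print(classify_misses(CASES, SIGNATURES))
```

Misses labelled `disabled-signature` can be closed by enabling rules already in the catalogue; those labelled `no-signature` need new signatures or a detection method that does not depend on a known pattern.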

Four years ago, when Mark Weatherford was the first deputy under secretary for cybersecurity at DHS, he talked about how EINSTEIN was re-engineered so it wouldn’t be falling behind the tech curve, and was pushed out “more broadly where all federal agencies can participate in it almost immediately.”

Except that it wasn’t really; the GAO found that of the 23 agencies which are required to implement EINSTEIN, only five trust it enough to use the system to detect possible intrusions. Additionally, the system was originally supposed to include “more robust” capabilities, but those were scaled back when EINSTEIN was re-engineered in 2012.

Despite EINSTEIN being “intended to deliver a range of capabilities, including intrusion detection, intrusion prevention, analytics and information sharing,” information sharing – and its actual usefulness – also needs work, as 24% of agencies reviewed didn’t receive notifications issued by DHS in fiscal 2014. The GAO report noted that only 56 of 74 notifications had been successfully received; those notifications were not always regarded as timely or useful, and some were false positives.

After the massive Office of Personnel Management breach was announced, EINSTEIN was credited with identifying the hack. That raised questions as to why it took so long for EINSTEIN to notice, which were answered by saying the intrusion predated EINSTEIN deployment. Yet it was later reported that the intrusion was first detected not by EINSTEIN but by a forensic product demonstration by CyTech Services, something OPM refuted.

Greg Touhill, DHS Deputy Assistant Secretary for Cybersecurity Operations and Programs, admitted last November that “Einstein 3 is really where we needed to be 15 years ago.”

So you may not feel comforted by Homeland Security Secretary Jeh Johnson's assurances issued in defense of EINSTEIN. “A year ago, EINSTEIN 3A protected only about 20% of the government,” he said. “At present, EINSTEIN 3A is in fact protecting 50% of the government and is now available to 100% of the government. And, to date, EINSTEIN 3A has blocked over 700,000 cyber threats.”

EINSTEIN has no way to detect zero-day flaws, as US-CERT said it doesn’t buy zero-day vulnerabilities. Whether or not that is going to change is unknown, as Johnson told his team to go ahead and “build capabilities that will allow us to detect never-before seen attacks.”
