More than six months after a disastrous supply chain attack, the US Cybersecurity and Infrastructure Security Agency announced plans to expand the use of its Einstein intrusion detection system by moving it deep into federal networks.
The move follows a March hearing of the Senate Homeland Security and Governmental Affairs Committee, where CISA director Brandon Wales explained that Einstein would not have been able to detect a Trojanized software update like the one used in the SolarWinds attack last December. As such, better endpoint detection was required.
In a letter to Senator Ron Wyden, the CISA chief wrote that “this approach is consistent with leading trends in the cybersecurity industry as adopted by public and private organizations.”
“The additional $650 million included in the American Rescue Act will enable CISA to rapidly accelerate the transition from a perimeter defense construct to a construct whereby agencies and CISA will be better situated to identify threat activity within federal networks in near real-time,” the letter reads.
Late last year, the security firm FireEye detected an ongoing supply chain attack aimed at SolarWinds. The attack affected 18,000 users and disrupted nine federal agencies along with hundreds of companies across America. It was made possible by an installed backdoor, which Einstein’s intrusion detection algorithms supposedly would have caught had the system had visibility into the endpoints on servers and workstations.
Naturally, Einstein, a $6 billion investment by the federal government, is on the receiving end of a lot of flak. Many critics believe a system this expensive should have worked even without deeper network access, but CISA disagrees. According to Wales, better cyber hygiene could have prevented the attack: he claims that blocking SolarWinds’ outbound connection would have been enough to avert the crisis. This sparked a fierce debate in the world of professional cybersecurity and a lot of finger-pointing.
Even though experts cannot agree on the best approach and prevention methods for these types of attacks, they do agree that there is no silver bullet. All parties should therefore work on improving their own policies and advancing data loss prevention tools, rather than relying on Einstein to detect and handle zero-day threats.