Einstein (US-CERT Program)

EINSTEIN (also known as the EINSTEIN Program) was originally an intrusion detection system that monitors the network gateways of government departments and agencies in the United States for unauthorized traffic. The software was developed by the United States Computer Emergency Readiness Team (US-CERT), which is the operational arm of the National Cyber Security Division (NCSD) of the United States Department of Homeland Security (DHS). The program was originally developed to provide "situational awareness" for the civilian agencies. While the first version examined network traffic and subsequent versions examined content, the current version of EINSTEIN is significantly more advanced.


Mandate

EINSTEIN is the product of U.S. congressional and presidential actions of the early 2000s, including the E-Government Act of 2002, which sought to improve U.S. government services on the Internet. EINSTEIN's mandate originated in the Homeland Security Act and the Federal Information Security Management Act, both in 2002, and the Homeland Security Presidential Directive (HSPD) 7, which was issued on December 17, 2003. The Federal Computer Incident Response Capability (FedCIRC) was one of four watch centers that were protecting federal information technology when the E-Government Act of 2002 designated it the primary incident response center. With FedCIRC at its core, US-CERT was formed in 2003 as a partnership between the newly created DHS and the CERT Coordination Center, which is at Carnegie Mellon University and funded by the U.S. Department of Defense. US-CERT delivered EINSTEIN to meet statutory and administrative requirements that DHS help protect federal computer networks and the delivery of essential government services. EINSTEIN was implemented to determine if the government was under cyber attack. EINSTEIN did this by collecting flow data from all civilian agencies and comparing that flow data to a baseline:

1. If one agency reported a cyber event, the 24/7 Watch at US-CERT could look at the incoming flow data and assist resolution.
2. If one agency was under attack, the US-CERT Watch could quickly look at other agency feeds to determine if it was across the board or isolated.

On November 20, 2007, "in accordance with" an Office of Management and Budget (OMB) memo, EINSTEIN version 2 was required for all federal agencies, except the Department of Defense and United States Intelligence Community agencies in the executive branch.


Adoption

EINSTEIN was deployed in 2004 and until 2008 was voluntary. By 2005, three federal agencies participated and funding was available for six additional deployments. By December 2006, eight agencies participated in EINSTEIN and by 2007, DHS itself was adopting the program department-wide. By 2008, EINSTEIN was deployed at fifteen of the nearly six hundred agencies, departments and Web resources in the U.S. government.


Features

When it was created, EINSTEIN was "an automated process for collecting, correlating, analyzing, and sharing computer security information across the Federal civilian government." EINSTEIN does not protect the network infrastructure of the private sector. As described in 2004, its purpose is to "facilitate identifying and responding to cyber threats and attacks, improve network security, increase the resiliency of critical, electronically delivered government services, and enhance the survivability of the Internet." EINSTEIN was designed to resolve the six common security weaknesses that were collected from federal agency reports and identified by the OMB in or before its report for 2001 to the U.S. Congress. In addition, the program addresses detection of computer worms, anomalies in inbound and outbound traffic, and configuration management, as well as real-time trends analysis which US-CERT offers to U.S. departments and agencies on the "health of the Federal.gov domain". EINSTEIN was designed to collect session data including:

* Autonomous system numbers (ASN)
* ICMP type and code
* Packet length
* Protocol
* Sensor identification and connection status (the location of the source of the data)
* Source and destination IP address
* Source and destination port
* TCP flag information
* Timestamp and duration information

US-CERT may ask for additional information in order to find the cause of anomalies EINSTEIN finds. The results of US-CERT's analysis are then given to the agency for disposition.
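The flow-data baseline comparison described under Mandate, run over records carrying the session fields listed above, as an added example that is not part of this article or of the EINSTEIN program's own software. It assumes a hypothetical record layout (the FlowRecord fields, the synth_flows helper, the AGENCY-A and AGENCY-B sensor names) and constructed sample flows using documentation-range addresses and ASNs; the per-service counting, the mean-plus-three-standard-deviations threshold and the "isolated versus across the board" check are this example's own design, not a description of how US-CERT's analysis worked.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class FlowRecord:
    """One flow record with the fields the article lists for EINSTEIN 1.
    Field names are this example's own, not a US-CERT schema."""
    sensor_id: str       # which agency gateway sensor saw the flow
    timestamp: int       # flow start, seconds since the epoch
    duration: float      # seconds
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: int        # IANA protocol number: 1 = ICMP, 6 = TCP, 17 = UDP
    tcp_flags: str       # e.g. "S", "SA", "R"
    packet_len: int      # bytes
    src_asn: int
    dst_asn: int
    icmp_type: int = -1  # -1 when the flow is not ICMP
    icmp_code: int = -1


def synth_flows(sensor, dst_port, n, protocol=6, start_ts=1_700_000_000):
    """Constructed sample data: n TCP SYN flows from one documentation-range
    address (RFC 5737 / RFC 5398 values) to one agency host on dst_port."""
    return [FlowRecord(sensor_id=sensor, timestamp=start_ts + i, duration=0.5,
                       src_ip="203.0.113.7", dst_ip="192.0.2.10",
                       src_port=40000 + i, dst_port=dst_port, protocol=protocol,
                       tcp_flags="S", packet_len=60, src_asn=64496, dst_asn=64500)
            for i in range(n)]


def count_by_service(records):
    """Count flows per (sensor, protocol, destination port)."""
    counts = defaultdict(int)
    for r in records:
        counts[(r.sensor_id, r.protocol, r.dst_port)] += 1
    return counts


def build_baseline(windows):
    """windows: one record list per historical window (e.g. one day each).
    Returns key -> (mean, population stdev) of per-window flow counts;
    a key absent from a window counts as 0 in that window."""
    per_window = [count_by_service(w) for w in windows]
    keys = set().union(*per_window)
    baseline = {}
    for k in keys:
        series = [c.get(k, 0) for c in per_window]
        baseline[k] = (mean(series), pstdev(series))
    return baseline


def find_anomalies(baseline, current, threshold=3.0, min_new=5):
    """Flag services whose count exceeds mean + threshold*stdev, or services
    never seen in the baseline (a new exposed port at that gateway) once they
    reach min_new flows. The stdev is floored at 1.0 so a perfectly flat
    baseline does not alert on a change of a single flow."""
    anomalies = {}
    for k, n in count_by_service(current).items():
        if k not in baseline:
            if n >= min_new:
                anomalies[k] = n
            continue
        mu, sigma = baseline[k]
        if n > mu + threshold * max(sigma, 1.0):
            anomalies[k] = n
    return anomalies


def scope_of_event(anomalies, known_sensors):
    """The article's second use case: for each anomalous (protocol, port),
    report whether it is isolated to one agency or seen across the board."""
    sensors_by_service = defaultdict(set)
    for sensor, proto, port in anomalies:
        sensors_by_service[(proto, port)].add(sensor)
    return {svc: ("across the board" if s == set(known_sensors) else "isolated")
            for svc, s in sensors_by_service.items()}


# Constructed history: three normal windows for two agency sensors.
BASELINE_WINDOWS = [
    synth_flows("AGENCY-A", 443, 10) + synth_flows("AGENCY-A", 25, 4)
    + synth_flows("AGENCY-B", 443, 8) + synth_flows("AGENCY-B", 25, 3),
    synth_flows("AGENCY-A", 443, 12) + synth_flows("AGENCY-A", 25, 5)
    + synth_flows("AGENCY-B", 443, 9) + synth_flows("AGENCY-B", 25, 3),
    synth_flows("AGENCY-A", 443, 11) + synth_flows("AGENCY-A", 25, 3)
    + synth_flows("AGENCY-B", 443, 10) + synth_flows("AGENCY-B", 25, 4),
]

# Constructed current window: SMTP surges at both agencies, and AGENCY-A's
# gateway starts seeing a port (3389) that never appeared in its history.
CURRENT_WINDOW = (synth_flows("AGENCY-A", 443, 11) + synth_flows("AGENCY-A", 25, 40)
                  + synth_flows("AGENCY-A", 3389, 7)
                  + synth_flows("AGENCY-B", 443, 9) + synth_flows("AGENCY-B", 25, 35))


def run_demo():
    baseline = build_baseline(BASELINE_WINDOWS)
    anomalies = find_anomalies(baseline, CURRENT_WINDOW)
    return anomalies, scope_of_event(anomalies, {"AGENCY-A", "AGENCY-B"})


if __name__ == "__main__":
    flagged, scope = run_demo()
    for (sensor, proto, port), n in sorted(flagged.items()):
        print(f"{sensor} proto={proto} dport={port}: {n} flows")
    for (proto, port), verdict in sorted(scope.items()):
        print(f"proto={proto} dport={port}: {verdict}")
```

In this constructed run, the HTTPS counts stay within their baseline and are not reported, the SMTP surge is flagged at both sensors and therefore classified as across the board, and the previously unseen port at AGENCY-A is flagged as isolated; a real watch floor would of course use far longer baselines and more than one key per sensor.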


EINSTEIN 2

During EINSTEIN 1, it was determined that the civilian agencies did not know the entirety of what their registered IPv4 space included. This was obviously a security concern. Once an agency's IPv4 space was validated, it was immediately clear that the agency had more external Internet connections or gateways than could be reasonably instrumented and protected. This gave birth to the OMB's "Trusted Internet Connections" (TIC) initiative.

Three constraints on EINSTEIN that the DHS is trying to address are the large number of access points to U.S. agencies, the low number of agencies participating, and the program's "backward-looking architecture". The OMB "Trusted Internet Connections" initiative was expected to reduce the government's 4,300 access points to 50 or fewer by June 2008. After agencies reduced access points by over 60% and requested more than their target, OMB reset their goal to the latter part of 2009 with the number to be determined.

A new version of EINSTEIN was planned to "collect network traffic flow data in real time and also analyze the content of some communications, looking for malicious code, for example in e-mail attachments." The expansion is known to be one of at least nine measures to protect federal networks. The new version, called EINSTEIN 2, will have a "system to automatically detect malicious network activity, creating alerts when it is triggered". EINSTEIN 2 will use "the minimal amount" necessary of predefined attack signatures, which will come from internal, commercial and public sources. The EINSTEIN 2 sensor monitors each participating agency's Internet access point, "not strictly...limited to" Trusted Internet Connections, using both commercial and government-developed software. EINSTEIN could be enhanced to create an early warning system to predict intrusions.

US-CERT may share EINSTEIN 2 information with "federal executive agencies" according to "written standard operating procedures" and only "in a summary form". Because US-CERT has no intelligence or law enforcement mission, it will notify and provide contact information to "law enforcement, intelligence, and other agencies" when an event occurs that falls under their responsibility.


EINSTEIN 3

Version 3.0 of EINSTEIN has been discussed to prevent attacks by "shooting down an attack before it hits its target." The NSA is moving forward to begin a program known as "EINSTEIN 3," which will monitor "government computer traffic on private sector sites." (AT&T is being considered as the first private sector site.) The program plan, which was devised under the Bush administration, is controversial, given the history of the NSA and the warrantless wiretapping scandal. Many DHS officials fear that the program should not move forward because of "uncertainty about whether private data can be shielded from unauthorized scrutiny." Some believe the program will invade the privacy of individuals too much.


Privacy

In the Privacy Impact Assessment (PIA) for EINSTEIN 2 published in 2008, DHS gave a general notice to people who use U.S. federal networks. DHS assumes that Internet users do not expect privacy in the "To" and "From" addresses of their email or in the "IP addresses of the websites they visit" because their service providers use that information for routing. DHS also assumes that people have at least a basic understanding of how computers communicate and know the limits of their privacy rights when they choose to access federal networks. The Privacy Act of 1974 does not apply to EINSTEIN 2 data because its system of records generally does not contain personal information and so is not indexed or queried by the names of individual persons. A PIA for the first version is also available from 2004.

DHS is seeking approval for an EINSTEIN 2 retention schedule in which flow records, alerts, and specific network traffic related to an alert may be maintained for up to three years, and if, for example in the case of a false alert, data is deemed unrelated or potentially collected in error, it can be deleted. According to the DHS privacy assessment for US-CERT's 24x7 Incident Handling and Response Center in 2007, US-CERT data is provided only to those authorized users who "need to know such data for business and security purposes", including security analysts, system administrators and certain DHS contractors. Incident data and contact information are never shared outside of US-CERT, and contact information is not analyzed.

To secure its data, US-CERT's center began a DHS certification and accreditation process in May 2006 and expected to complete it by the first quarter of fiscal year 2007. As of March 2007, the center had no retention schedule approved by the National Archives and Records Administration and, until it does, has no "disposition schedule": its "records must be considered permanent and nothing may be deleted". As of April 2013, DHS still had no retention schedule but was working "with the NPPD records manager to develop disposition schedules". An update was issued in May 2016.


2020 federal government data breach

Einstein failed to detect the 2020 United States federal government data breach.


See also

* National Security Directive
* Managed Trusted Internet Protocol Service
* ADAMS, CINDER (DARPA)

