In search of a smarter Einstein
Einstein is the Department of Homeland Security’s intrusion detection system. It observes traffic flowing in and out of federal networks, allowing the government to target threats identified by a database of known malware. That makes it unlikely Einstein ever could have detected the malware implanted into SolarWinds Orion because it was delivered to agency networks through a trusted update.
However, overhauling Einstein to identify unknown or zero-day threats would be far too costly, cybersecurity analysts said. The most viable path forward, they argued, would be to install new capabilities, necessarily bolstered by private industry.
Kiersten Todt, formerly executive director of the Commission on Enhancing National Cybersecurity, was blunt about Einstein’s record. “There are no real strong success stories of Einstein,” she said. “When you look at what happened with SolarWinds, they essentially outsmarted Einstein.”
“The challenge with detecting activity like the SolarWinds hack is that the hack is accomplished through ‘authorized’ malware,” said Philip Reitinger, president and CEO of the Global Cyber Alliance.
To detect that malware, a defensive system would either have to deny all communications that are not explicitly whitelisted or establish a user activity baseline capable of singling out abnormalities for investigators to pursue. “That can be difficult to do and resource intensive,” he added.
Michael Hamilton, a former vice chair for a government coordinating council focused on critical infrastructure protection, described a similar method as the most likely way forward for DHS to improve Einstein. Although its precise capabilities are classified, Hamilton speculated the program’s age — Einstein was originally developed in 2003 — is a sign it may not be baselining user activity in the way he and Reitinger described.
Hamilton said that “it’s not likely they throw it out and start over,” noting the program’s sunk costs. “My understanding is that it cost $6…