The IT Law Wiki

Overview

EINSTEIN is a system to detect and report network intrusions. It supports Federal agencies' efforts to protect their computer networks. EINSTEIN monitors participating agencies' network gateways for traffic patterns that indicate the presence of computer worms or other unwanted traffic. By collecting traffic information at agency gateways, EINSTEIN gives government analysts and participating agencies a synthesized, big-picture view of potentially malicious activity across Federal networks.

EINSTEIN helps identify configuration problems, unauthorized network traffic, network backdoors, routing anomalies, network scanning activities, and baseline network traffic patterns. It enables rapid detection of cyber attacks affecting agencies and provides Federal agencies with early incident detection.

One limit on EINSTEIN is that it has to have seen and analyzed the malicious traffic before, rather than being able to identify novel malicious traffic at first encounter — EINSTEIN can only block known threats.

Background

Before EINSTEIN was introduced, federal agencies reported cyber threats to the Department of Homeland Security (DHS) manually and on an ad hoc basis.[1] It was usually done after the agency systems were affected by the attack. To remedy this, DHS, in collaboration with the National Security Agency (NSA), created EINSTEIN. EINSTEIN's mandate derived from a combination of statutes, presidential directives, and agency memoranda. The first mandates for EINSTEIN came in 2002 with the Homeland Security Act of 2002 and Homeland Security Presidential Directive 7.[2] In 2007, the Office of Management and Budget required all federal executive agencies to develop a comprehensive plan of action to defend against cyber threats.[3] Coinciding with these statutory and administrative directives, DHS and NSA launched EINSTEIN in three phases, each increasingly more sophisticated than the last.

Developments

EINSTEIN 1.0

The Department of Homeland Security rolled out EINSTEIN 1.0 in 2004 to automate the process by which federal agencies reported cyber threats to the U.S. Computer Emergency Readiness Team (US-CERT), the operational arm of DHS's cybersecurity division.[4] Under EINSTEIN 1.0, federal agencies voluntarily sent "flow records" of Internet network activity to DHS so it could monitor the Internet traffic across the federal .gov domain. These flow records included basic routing information such as the IP addresses of the connecting computer and of the federal computer it connected to.[5] US-CERT used this information to detect and mitigate malicious activity that threatened federal networks. This information was shared with both public and private actors on the DHS website.[6]

EINSTEIN 2.0

In an effort to upgrade EINSTEIN's capabilities, DHS launched EINSTEIN 2.0, which is capable of alerting US-CERT of malicious network intrusions in near-real time.[7] Sensors installed at all federal agency Internet access points make a copy of all network activity coming to and from federal networks, including addressing information and the content of the communication.[8] These data are later scanned for the presence of "signatures," patterns that correspond to a known threat, such as denial of service attacks, network backdoors, malware, worms, Trojan horses, and routing anomalies.[9] The system triggers an alert when it senses malicious activity. All the data corresponding with the trigger, including the content of the communication, are saved.[10] Personnel at US-CERT then analyze the stored messages and act accordingly.
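The two analyses described above, flow-record review as in EINSTEIN 1.0 and signature matching on captured content as in EINSTEIN 2.0, are illustrated below in a small added example. This is not EINSTEIN's own code or data: the flow records, sessions, IP addresses, signature names and byte patterns are all constructed for the illustration, and the port-scan heuristic (`detect_scans`) and the scanner (`match_signatures`) are simplified stand-ins for the real system's analytics. The third constructed session carries content that matches no signature, which shows the limitation noted in the overview: a signature-based system raises no alert for traffic it has not seen before.

```python
"""Toy illustration of EINSTEIN-style gateway analysis over constructed data.

Two stages: (1) flow-record review using only routing metadata, as in
EINSTEIN 1.0, and (2) signature matching on copied session content, as in
EINSTEIN 2.0. All addresses, patterns and records below are constructed
examples; this is not the actual EINSTEIN implementation.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    """One flow record: routing metadata only, no payload (EINSTEIN 1.0 view)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    packets: int


# Constructed flow records seen at a hypothetical agency gateway.
# 198.51.100.7 behaves normally; 203.0.113.42 touches 40 ports on one host.
FLOWS = [
    FlowRecord("198.51.100.7", "192.0.2.10", 443, 120),
    FlowRecord("198.51.100.7", "192.0.2.10", 80, 35),
    *[FlowRecord("203.0.113.42", "192.0.2.10", port, 1) for port in range(20, 60)],
]


def detect_scans(flows, min_ports=25):
    """Return source IPs that contacted at least `min_ports` distinct
    destination ports on a single host: a simple port-scan heuristic that
    needs nothing beyond flow metadata."""
    ports_by_pair = defaultdict(set)
    for flow in flows:
        ports_by_pair[(flow.src_ip, flow.dst_ip)].add(flow.dst_port)
    return sorted(src for (src, _dst), ports in ports_by_pair.items()
                  if len(ports) >= min_ports)


# Constructed signatures: byte patterns standing in for known threats.
SIGNATURES = {
    "known-worm-probe": b"WORMPROBE-v1",
    "known-backdoor-banner": b"BACKDOOR READY",
}

# Constructed session copies, as a gateway sensor would make them
# (EINSTEIN 2.0 view: addressing information plus content).
SESSIONS = [
    {"src_ip": "203.0.113.42",
     "payload": b"GET / HTTP/1.1\r\nUser-Agent: WORMPROBE-v1\r\n"},
    {"src_ip": "198.51.100.7",
     "payload": b"GET /index.html HTTP/1.1\r\n"},
    # Novel content with no signature yet: goes undetected by design.
    {"src_ip": "203.0.113.99",
     "payload": b"NEWWORM-2 hello\r\n"},
]


def match_signatures(sessions, signatures):
    """Scan every session payload for every known signature and return
    alerts as (src_ip, signature_name) pairs. In a real deployment the
    matching session content would be stored alongside each alert."""
    alerts = []
    for session in sessions:
        for name, pattern in signatures.items():
            if pattern in session["payload"]:
                alerts.append((session["src_ip"], name))
    return alerts


if __name__ == "__main__":
    print("possible scanners (flow metadata):", detect_scans(FLOWS))
    print("signature alerts (content):", match_signatures(SESSIONS, SIGNATURES))
```

Running the block reports 203.0.113.42 as a likely scanner from flow metadata alone and raises one signature alert for its worm-probe session, while the constructed novel payload from 203.0.113.99 produces nothing, which is exactly the gap that later EINSTEIN phases and other analytics have to cover.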

EINSTEIN 3

In 2010, DHS began testing EINSTEIN 3 on one federal agency.[11] In addition to detecting cyber threats, this newest iteration is also designed to block and respond to these threats before any harm is done.[12] US-CERT is also testing the ability of EINSTEIN 3 to provide real-time information sharing with other federal agencies and the NSA.[13]
