CISA experiments with cloud log aggregation to ID threats

cloud data (CoreDESIGN/ 

The Cybersecurity and Infrastructure Security Agency has pilot programs underway with multiple departments and agencies to experiment with aggregating cloud logs to a warehouse which in turn will feed the agency's data analysis efforts.

CISA wants to "see if it's possible to send their logs to our aggregation point and make sense of them as a community together," Brian Gattoni, CISA's chief technology officer, said on Wednesday at an event hosted by FCW. "We've run pilots through the [Continuous Diagnostics and Mitigation] program team, through our capacity building team to look at end point visibility capabilities … to see if that closes the visibility gap for us."

So far what the agency has learned, Gattoni said, is that "technology is rarely the barrier. There's a lot of policy and legal and contractual and then just rote business process things to work out to make the best use of features in technology that are available to us."

Network visibility is a hot topic among government officials and lawmakers in the wake of the intrusions involving SolarWinds and Microsoft Exchange servers. CISA officials in public settings have made clear the government's current programs were not designed to monitor the vectors that Russian intelligence agents exploited during their espionage campaign.

At the same time, top intelligence chiefs such as Gen. Paul Nakasone, the head of the National Security Agency and U.S. Cyber Command, have warned foreign operatives are exploiting the fact the U.S. intelligence community is unable to freely surveil domestic infrastructure without a warrant.

Nakasone has also signaled he will not make any request for new authorities to monitor domestic networks, despite several lawmakers inviting him to do so.

This has prompted CISA to begin seeking out new capabilities that give the cybersecurity watchdog a clearer picture on individual end points in agency networks.

"For this reason, CISA is urgently moving our detective capabilities from that perimeter layer into agency networks to focus on these end points, the servers and workstations where we're seeing adversary activity today," Eric Goldstein, a top CISA official told House lawmakers at a March hearing.

Gattoni said during his panel discussion that some cloud providers already have the infrastructure built into their service that would aid CISA in gathering the security information it wants to aggregate, but he also said the federal government can't depend on that always being the case.

"There's a lot of slips between the cup and the lip when it comes to data access rights for third party services, so we at CISA have got to explore the use of our programs like [CDM] as way to establish visibility … and also look at possibly building out our own capabilities to close any visibility gaps that may still persist," he said.

About the Author

Justin Katz covers cybersecurity for FCW. Previously he covered the Navy and Marine Corps for Inside Defense, focusing on weapons, vehicle acquisition and congressional oversight of the Pentagon. Prior to reporting for Inside Defense, Katz covered community news in the Baltimore and Washington D.C. areas. Connect with him on Twitter at @JustinSKatz.


  • Workforce
    online collaboration (elenabsl/

    Federal employee job satisfaction climbed during pandemic

    The survey documents the rapid change to teleworking postures in government under the COVID-19 pandemic.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    OPM nominee plans focus on telework, IT, retirement

    Kiran Ahuja, a veteran of the Office of Personnel Management, told lawmakers that she thinks that the lack of consistent leadership in the top position at OPM has taken a toll on the ability of the agency to complete longer term IT modernization projects.

Stay Connected