CISA experiments with cloud log aggregation to ID threats

The Cybersecurity and Infrastructure Security Agency has pilot programs underway with multiple departments and agencies to experiment with aggregating cloud logs to a warehouse which in turn will feed the agency's data analysis efforts.

CISA wants to "see if it's possible to send their logs to our aggregation point and make sense of them as a community together," Brian Gattoni, CISA's chief technology officer, said on Wednesday at an event hosted by FCW. "We've run pilots through the [Continuous Diagnostics and Mitigation] program team, through our capacity building team to look at end point visibility capabilities … to see if that closes the visibility gap for us."

So far what the agency has learned, Gattoni said, is that "technology is rarely the barrier. There's a lot of policy and legal and contractual and then just rote business process things to work out to make the best use of features in technology that are available to us."

Network visibility is a hot topic among government officials and lawmakers in the wake of the intrusions involving SolarWinds and Microsoft Exchange servers. CISA officials in public settings have made clear the government's current programs were not designed to monitor the vectors that Russian intelligence agents exploited during their espionage campaign.

At the same time, top intelligence chiefs such as Gen. Paul Nakasone, the head of the National Security Agency and U.S. Cyber Command, have warned foreign operatives are exploiting the fact the U.S. intelligence community is unable to freely surveil domestic infrastructure without a warrant.

Nakasone has also signaled he will not make any request for new authorities to monitor domestic networks, despite several lawmakers inviting him to do so.

This has prompted CISA to begin seeking out new capabilities that give the cybersecurity watchdog a clearer picture on individual end points in agency networks.

"For this reason, CISA is urgently moving our detective capabilities from that perimeter layer into agency networks to focus on these end points, the servers and workstations where we're seeing adversary activity today," Eric Goldstein, a top CISA official told House lawmakers at a March hearing.

Gattoni said during his panel discussion that some cloud providers already have the infrastructure built into their service that would aid CISA in gathering the security information it wants to aggregate, but he also said the federal government can't depend on that always being the case.

"There's a lot of slips between the cup and the lip when it comes to data access rights for third party services, so we at CISA have got to explore the use of our programs like [CDM] as way to establish visibility … and also look at possibly building out our own capabilities to close any visibility gaps that may still persist," he said.