Einstein (US-CERT Program) - Einstein 2

Einstein 2

During Einstein 1, it was determined that the civilian agencies did not know what their IP space was. This was obviously a security concern. Once it was determined what an agency's IP space looked like, it was immediately clear that the agency had more IP gateways than could be reasonably instrumented and protected. This gave birth to the OMB's "Trusted Internet Connections" (TIC) initiative. Three constraints on Einstein that the DHS is trying to address are the large number of access points to U.S. agencies, the low number of agencies participating, and the program's "backward-looking architecture". The TIC initiative was expected to reduce the government's 4,300 access points to 50 or fewer by June 2008. After agencies reduced access points by over 60% and requested more than their target, OMB reset their goal to the latter part of 2009, with the number to be determined. A new version of Einstein was planned to "collect network traffic flow data in real time and also analyze the content of some communications, looking for malicious code, for example in e-mail attachments." The expansion is known to be one of at least nine measures to protect federal networks.

The new version, called EINSTEIN 2, will have a "system to automatically detect malicious network activity, creating alerts when it is triggered". Einstein 2 will use "the minimal amount" necessary of predefined attack signatures, which will come from internal, commercial and public sources. The Einstein 2 sensor monitors each participating agency's Internet access point, "not strictly...limited to" Trusted Internet Connections, using both commercial and government-developed software. Einstein could be enhanced to create an early warning system to predict intrusions.

US-CERT may share Einstein 2 information with "federal executive agencies" according to "written standard operating procedures" and only "in a summary form". Because US-CERT has no intelligence or law enforcement mission, it will notify and provide contact information to "law enforcement, intelligence, and other agencies" when an event occurs that falls under their responsibility.
