Getting to real-time visibility on network performance, challenges and threats is a central part of Jeff Eisensmith’s job.
Eisensmith, the CISO at the Department of Homeland Security (DHS), is responsible for department-wide cyber security. This is a daunting prospect – created in the aftermath of 9/11, DHS incorporated into one organization more than 20 different agencies, services, offices, and programs that had been scattered among nine other departments. That means multitudes of legacy systems, disparate organizational cultures, and missions that had to be integrated.
Despite that, Eisensmith doesn’t see DHS’ security challenges as unique.
“DHS is not unique in terms of size or complexity,” he told FTI in a telephone interview. “We share the same challenges as IT providers in general,” namely establishing visibility at the perimeter of networks and visibility between business units.
DHS’ award of the Continuous Diagnostics and Mitigation (CDM) blanket purchase agreement in 2013, open to all federal, state and local governments and broken into three separate capability phases, was a major step forward in knitting together the cyber security of the sprawling department.
“DHS has always done CDM, always had that capability, using tools associated with its different components,” he said. “This was a once in a lifetime opportunity to paint DHS with one brush … Done correctly, cyber security is an incredible enabler of mission.”
Eisensmith wholeheartedly supports the CDM BPA. “All those products are vetted beforehand, negotiated at really great rates,” he said. “All I have to do when I need a new tool is pick off that list. I save countless personnel time [from] doing procurements, [and] implementation and support also are available.”
The immediate big challenge for DHS is to provide visibility in real time all the way down to individual desktops.
“Often the challenges associated with visibility in real time are associated with throughput,” he said. “DHS is really diverse, with a lot of legacy [systems]. Getting that real time visibility down to the desktop is all about the efficiency of security tools.”
He cited Customs and Border Protection (CBP) and the Coast Guard, two of DHS’ agencies, as examples of one particular challenge.
“[They] can have really small pipes. We have to have network tools that are intelligent about how to use limited bandwidth,” he said. It takes “investment in connectivity, tools that are smarter about … getting to that last mile.”
To maximize its funding, “our budget priorities are tied to having mapped out our defense-in-depth capabilities and gaps, tying them to known threats, and making investments where they’re most needed,” he said.
According to John Sellers, Vice President for Federal at Lancope, a Cisco company that offers real-time threat intelligence, the focus on visibility is critical for agencies. “The Cisco StealthWatch system helps security operations staff gain real-time situational awareness of all users, devices, and traffic on a network down to the individual endpoint,” Sellers told us. “By relying on NetFlow, a context-rich and common source of network traffic metadata, StealthWatch can leverage the existing networking infrastructure to give the security operations center (SOC) complete visibility into every transaction of every host on the network. It then can baseline what normal behavior looks like for each host and detect and alert on suspicious or anomalous behavior, so that the SOC can respond before an event becomes a major crisis.”
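The per-host NetFlow baselining Sellers describes, shown as an added illustration that is not StealthWatch code and not from the article: a toy baseline over constructed flow records (the record format, host addresses, training window and z-score threshold are all assumptions), which flags intervals whose outbound volume deviates sharply from what the host normally sends.

```python
"""Added example (not from the article or Cisco/Lancope): a minimal NetFlow-style
per-host volume baseline with z-score anomaly alerts."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (interval, src_host, bytes_out). A tiny stand-in for
# NetFlow metadata exported by routers; intervals are e.g. hourly buckets.
FLOWS = [
    (0, "10.1.1.5", 12_000), (1, "10.1.1.5", 11_500), (2, "10.1.1.5", 12_800),
    (3, "10.1.1.5", 11_900), (4, "10.1.1.5", 12_300), (5, "10.1.1.5", 410_000),
    (0, "10.1.1.9", 50_000), (1, "10.1.1.9", 48_000), (2, "10.1.1.9", 52_000),
    (3, "10.1.1.9", 51_000), (4, "10.1.1.9", 49_500), (5, "10.1.1.9", 53_000),
]

def per_host_series(flows):
    """Aggregate bytes sent per host per interval (several flows may share a bucket)."""
    series = defaultdict(lambda: defaultdict(int))
    for interval, host, nbytes in flows:
        series[host][interval] += nbytes
    return {h: [v for _, v in sorted(b.items())] for h, b in series.items()}

def baseline(values):
    """Mean and population standard deviation of a host's per-interval byte counts."""
    return mean(values), pstdev(values)

def detect_anomalies(flows, training_intervals, threshold=3.0):
    """Learn each host's normal volume from its first `training_intervals` buckets,
    then flag later buckets whose z-score exceeds `threshold`.
    Returns a list of (host, interval, z)."""
    alerts = []
    for host, values in per_host_series(flows).items():
        train, rest = values[:training_intervals], values[training_intervals:]
        mu, sigma = baseline(train)
        sigma = sigma or 1.0  # a perfectly flat baseline would otherwise divide by zero
        for offset, v in enumerate(rest):
            z = (v - mu) / sigma
            if z > threshold:
                alerts.append((host, training_intervals + offset, round(z, 1)))
    return alerts

if __name__ == "__main__":
    for host, interval, z in detect_anomalies(FLOWS, training_intervals=5):
        print(f"ALERT host={host} interval={interval} z={z}")
```

With the constructed data, only 10.1.1.5's 410 kB burst in interval 5 is flagged; 10.1.1.9's 53 kB stays within its learned variance.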
Achieving real-time visibility to the desktop doesn’t mean the security challenge is solved for DHS.
“Regardless of whether you’re in DHS or elsewhere, … the adversary is able to modify their attacks. They’re not weighted down by scruples, laws, any oversight whatsoever, [where] if I make a change, am I going to break a 350,000-user network?” Eisensmith said. “The way we’re getting in front of that incredible challenge – it’s not new or innovative – is a defense in depth strategy that includes defense of products … If you’re running a product and you know it fairly well and it starts doing something you’ve never seen before, you don’t know what it is, it doesn’t smell right,” it can be containerized and a lot of tools can be applied.
Just as important as having the right tools is having leadership committed to solving the problem, he said.
“I was in the room, I was very privileged, when [DHS Secretary] Jeh Johnson brought all the component heads and their CIOs together,” Eisensmith said. “He said, ‘We are going to get cyber security right. That CIO next to you? He speaks for me.’ That kind of leadership top cover? It gave me goosebumps.”