CISA tests cloud log aggregation to ID threats
- By Justin Katz
- Apr 30, 2021
The Cybersecurity and Infrastructure Security Agency is testing how well aggregated cloud logs can feed its cybersecurity analysis efforts and improve cloud network visibility.
CISA’s Cloud Log Aggregation Warehouse collects, aggregates and analyzes national cybersecurity protection system data from agencies that use commercial cloud services. It combines that information with data from Einstein sensors in a cloud-based architecture for improved situational awareness.
CISA wants to see if it can “make sense of [the logs] as a community together,” CISA CTO Brian Gattoni said at an April 28 event hosted by FCW. "We've run pilots through the [Continuous Diagnostics and Mitigation] program team, through our capacity building team, to look at end point visibility capabilities … to see if that closes the visibility gap for us."
In public settings, CISA officials have made clear the government's current programs were not designed to monitor the vectors that Russian intelligence agents exploited during their espionage campaign. They have begun seeking out new capabilities that present a clearer picture on individual end points in agency networks.
In March, Eric Goldstein, a top CISA official, told House lawmakers that "CISA is urgently moving our detective capabilities from that perimeter layer into agency networks to focus on these end points, the servers and workstations where we're seeing adversary activity today,"
Gattoni said during his panel discussion that some cloud providers already have the infrastructure built into their service to help CISA aggregate the security information it wants, but he also said the federal government can't depend on that always being the case.
"There's a lot of slips between the cup and the lip when it comes to data access rights for third-party services, so we at CISA have got to explore the use of our programs like [CDM] as way to establish visibility … and also look at possibly building out our own capabilities to close any visibility gaps that may still persist," he said.
This article was first posted to FCW, a sibling site to GCN.
Justin Katz covers cybersecurity for FCW. Previously he covered the Navy and Marine Corps for Inside Defense, focusing on weapons, vehicle acquisition and congressional oversight of the Pentagon. Prior to reporting for Inside Defense, Katz covered community news in the Baltimore and Washington D.C. areas. Connect with him on Twitter at @JustinSKatz.