The next big innovative project at the Department of Health and Human Services could be automating its use of a Department of Homeland Security cybersecurity program to get a better picture of the entirety of its network.
Oki Mek, a senior adviser to HHS CIO Jose Arrieta, said his next goal is to use blockchain technology and automation to collect logs, which are records of events that occur on an organization’s network, from deep inside the department’s network.
“The reason why is when we want to do forensic investigation or root cause analysis, the logs are not there or not there completely,” Mek said Dec. 5 at the GovernmentCIO AI and RPA in Government event in Washington.
Mek said the department does a fine job of tracking activities that occur on the perimeter of its network, but needs to improve its security measures deeper inside its network. HHS would be automating DHS’ continuous diagnostics and mitigation program, a program that provides tools and monitoring for federal agency networks. When organizations do forensic investigations, they have to “go down deep” into the network, Mek said, checking network components like database logs, virtualization logs and cloud logs. Digging into the network to get those logs can take weeks and require going to the cloud provider for help.
Mek used searching the network after receiving zero-day threat notifications from DHS as an example.
“You could have the log readily available,” said Mek. “You could run [artificial intelligence] against it [and] in a matter of seconds you could say ‘hey, Homeland Security we’re clear of this zero-day virus.’ Once you have that log, you could be more proactive about cybersecurity.”
As Mek sees it, easily accessible logs could allow HHS to perform threat hunting, threat profiling, threat reconnaissance and better analysis of user behavior to find anomalies. By doing so, HHS would be able to discover patterns and answer questions like why a threat actor is attacking in the middle of the night or during the holiday season, Mek said.
HHS is working on at least one other cybersecurity project using a neural network to analyze network traffic. Oki said the department needed to “dig deeper into the actual system,” particularly to combat vulnerabilities related to insider threats.
“There might be somebody using a thumbdrive plugging into a computer, somebody downloaded malware or something, it’s going to get passed through the network,” Mek said. “I think you need to go deeper. And AI needs a lot of data. And what has a lot of data? Logs.”
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.