The GAO report, released on Jan 28, 2016, found that the Department of Homeland Security’s (DHS) National Cybersecurity Protection System (NCPS, commonly known as EINSTEIN) is far from being workable, a mild understatement of an epic blunder. As of April 2015, the projected total life-cycle cost of the program was approximately $5.7 billion to be spent by 2018, with $1.2 billion already spent on the NCPS system by 2014.
NCPS’s intrusion detection capability is intended to provide DHS with the ability to scan network traffic for signs of potentially malicious activity. Effective intrusion detection provides an organization with the ability to detect abnormalities within network traffic and can be accomplished through the use of multiple types of intrusion detection methodologies. In order to more comprehensively and accurately detect malicious activity, NIST recommends using a combination of three detection methodologies: signature-based, anomaly-based, and stateful protocol analysis.
- Signature-based intrusion detection is able to detect malicious traffic by comparing current traffic to known patterns of malicious behavior, also referred to as signatures. This method is considered effective at detecting known threats and is the simplest form of intrusion detection, because it can only match against known patterns of malicious traffic.
- The anomaly-based and stateful protocol detection methodologies are more complex approaches, which involve comparing current network activity to predefined baselines of “normal behavior” to identify deviations which could be indicative of malicious activity. These approaches to intrusion detection are more effective than signature-based detection at identifying previously unknown threats, such as “zero-days,” as well as variants to known threats and threats disguised by the use of evasion techniques.
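To make the three methodologies concrete, here is an added example (my own illustration, not text from the GAO report and not code from any NCPS/EINSTEIN component). It runs a toy signature matcher, a toy anomaly detector, and a toy stateful protocol analyzer over a handful of constructed, simplified HTTP events. The request lines, connection ids, host names and the "sqli-union-select" and "directory-traversal" signature names are all made up for the example; the feature set and the z-score threshold of 3 are arbitrary choices, not anything NIST or GAO prescribe.

```python
# Added example, not NCPS/EINSTEIN code: NIST SP 800-94's three detection
# methodologies run over constructed, simplified HTTP traffic.
import re
import statistics
from collections import defaultdict

# Constructed benign request lines, used only to build the anomaly baseline.
TRAINING_LINES = [
    "GET /index.html HTTP/1.1",
    "GET /about.html HTTP/1.1",
    "GET /css/site.css HTTP/1.1",
    "GET /images/logo.png HTTP/1.1",
    "GET /contact.html HTTP/1.1",
    "GET /news/2016.html HTTP/1.1",
]

# Constructed events: (kind, connection id, request/status line, Host header or None).
EVENTS = [
    ("req",  "c1", "GET /index.html HTTP/1.1", "www.example.gov"),
    ("resp", "c1", "HTTP/1.1 200 OK", None),
    # known SQL injection pattern: the signature catches it
    ("req",  "c2", "GET /search?q=1+UNION+SELECT+1,2 HTTP/1.1", "www.example.gov"),
    # same attack, percent-encoded: a raw-text signature misses it
    ("req",  "c3", "GET /search?q=1+%55%4e%49%4f%4e+%53%45%4c%45%43%54+1,2 HTTP/1.1",
     "www.example.gov"),
    # benign-looking path, but a request no conforming HTTP/1.1 client sends
    ("req",  "c4", "GET /index.html HTTP/1.1", None),
    # a "response" on a connection that never carried a request
    ("resp", "c5", "HTTP/1.1 200 OK", None),
]

# 1. Signature-based: match known-bad patterns against the raw request line.
SIGNATURES = {
    "sqli-union-select": re.compile(r"union(\s|\+)+select", re.IGNORECASE),
    "directory-traversal": re.compile(r"\.\./"),
}

def signature_detect(line):
    return [name for name, rx in SIGNATURES.items() if rx.search(line)]

# 2. Anomaly-based: z-score of simple request features against a benign baseline.
def _features(line):
    parts = line.split(" ")
    path = parts[1] if len(parts) > 1 else line
    return (len(path), path.count("%"))  # path length, number of %-escapes

class AnomalyDetector:
    def __init__(self, training_lines, threshold=3.0):
        self.threshold = threshold
        self.baseline = []  # (mean, stdev) per feature, learned from benign traffic
        for column in zip(*(_features(l) for l in training_lines)):
            stdev = statistics.pstdev(column) or 1.0  # constant feature: avoid /0
            self.baseline.append((statistics.mean(column), stdev))

    def score(self, line):
        return max(abs(f - m) / s for f, (m, s) in zip(_features(line), self.baseline))

    def detect(self, line):
        return self.score(line) > self.threshold

# 3. Stateful protocol analysis: track each connection's HTTP state and flag
#    events a conforming client or server would never produce.
VALID_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}

class ProtocolAnalyzer:
    def __init__(self):
        self.state = defaultdict(lambda: "idle")  # conn -> idle | awaiting_response

    def observe(self, kind, conn, line, host):
        findings = []
        if kind == "req":
            parts = line.split(" ")
            if len(parts) != 3 or not parts[2].startswith("HTTP/"):
                findings.append("malformed request line")
            else:
                method, _, version = parts
                if method not in VALID_METHODS:
                    findings.append("unknown method " + method)
                if version == "HTTP/1.1" and not host:
                    findings.append("HTTP/1.1 request without Host header")
            self.state[conn] = "awaiting_response"
        else:  # response
            if self.state[conn] != "awaiting_response":
                findings.append("response with no outstanding request")
            self.state[conn] = "idle"
        return findings

def run_ids(events, anomaly):
    """Run all three detectors over the events; returns (line, findings) pairs."""
    proto = ProtocolAnalyzer()
    results = []
    for kind, conn, line, host in events:
        findings = {"signature": [], "anomaly": False, "protocol": []}
        if kind == "req":
            findings["signature"] = signature_detect(line)
            findings["anomaly"] = anomaly.detect(line)
        findings["protocol"] = proto.observe(kind, conn, line, host)
        results.append((line, findings))
    return results

def demo():
    return run_ids(EVENTS, AnomalyDetector(TRAINING_LINES))

if __name__ == "__main__":
    for line, findings in demo():
        print(line, "->", findings)
```

Of the four suspicious events, the signature matcher fires on exactly one (c2). The percent-encoded variant on c3 is caught only by the anomaly detector, the missing Host header on c4 and the orphan response on c5 only by the protocol analyzer. Two caveats: production signature engines normalize URIs before matching, so this particular encoding evasion is a toy (real evasions are more elaborate), and a baseline built from six benign requests will flag plenty of legitimate traffic, which is the classic false-positive cost of anomaly detection that signature-only systems avoid.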
NCPS uses only a signature-based methodology for detecting malicious activity.
The costly program mostly duplicates commercially available signature-based intrusion detection systems already used by federal agencies:
By employing only signature-based intrusion detection, NCPS is unable to detect intrusions for which it does not have a valid or active signature deployed. This limits the overall effectiveness of the program. Moreover, given that many federal agencies use commercially available signature-based intrusion detection systems to support their information security efforts, the addition of another signature-based intrusion detection system may do little to provide customer agencies with a baseline set of protections. DHS officials acknowledged that the intrusion detection systems used by many federal agencies likely have more signatures deployed than NCPS.