REN-ISAC
Research and Education Networking Sharing and Analysis Center
EDUCAUSE and Internet2 Security Professionals Conference
April 2007
Introductions
- Mark Bruhn, AVP for Telecommunications, IU; AD, Center for Applied Cybersecurity Research; Executive Director, REN-ISAC; mbruhn@iu.edu
- Chris Misra, Network Analyst, UMass; Chair, REN-ISAC Technical Advisory Group; cmisra@nic.umass.edu
- Doug Pearson, Technical Director, REN-ISAC; dodpears@ren-isac.net
- Jack Suess, VPIT and CIO, UMBC; Chair, REN-ISAC Executive Advisory Group; jack@umbc.edu
- Dave Monnier, Principal Security Engineer, REN-ISAC; dmonnier@ren-isac.net
Presentation Outline
In this presentation, we'll:
- describe ISACs in general,
- give a general description of the REN-ISAC,
- give details regarding what REN-ISAC does,
- make an important announcement(!),
- outline the REN-ISAC organization,
- talk about REN-ISAC membership.
ISACs in general
- Formation encouraged by U.S. Government Presidential Decision Directive 63: Protecting America's Critical Infrastructures (1998) and subsequently affirmed in The National Strategy to Secure Cyberspace (2003)
- Collect, derive, analyze, and disseminate security threat information, including: the physical security of infrastructure, operations, and facilities, and computing and networking infrastructures
- Provide resources to support member understanding of threats, protection, and mitigation, so that member organizations can better defend and secure their infrastructures and operations.
- Most are private-sector entities.
ISACs Communications Chemical Industry Electricity Sector Energy Emergency Mgmt and Response Financial Services Highway Technology Multi-State Public Transit Research and Education Networking Surface Transportation Supply Chain Water
The REN-ISAC
REN-ISAC:
- is an integral part of U.S. higher education's strategy to improve network security through information collection, analysis, dissemination, early warning, and response;
- is specifically designed to support the unique environment and needs of higher education and research organizations; and,
- supports efforts to protect national cyber infrastructure by participating in the formal U.S. ISAC structure.
Foremost, REN-ISAC is a member-driven trusted community for sharing sensitive information regarding cybersecurity threat, incidents, response, and protection.
Members 24x7 Watch Desk Sharing Served Networks Collect, analyze, and disseminate intelligence Products Education Intel Relationships Registry Tools Exercises
network instrumentation and sensors backbone netflow REN-ISAC darknet Shared Darknet Project Global NOC operational monitoring members direct reconnaissance Collect, analyze, and disseminate intelligence REN-ISAC staff members 24x7 Watch Desk information sharing relationships
Intel Relationships
- private threat collection and mitigation efforts, e.g. among ISPs, .edu regional groups, etc.
- other sector ISACs: daily inter-ISAC status conference
- DHS/US-CERT and other national CERTS and CSIRTS
- Global Research NOC at IU, servicing Internet2 Abilene, NLR, and international connecting networks
- vendors: Microsoft / REN-ISAC SCPe
Microsoft / REN-ISAC SCPe
New Partnership announced today!
Security Cooperation Program for Education
- The program provides a focal point for Microsoft to share vital security information with the research and higher education communities.
- Under the agreement, Microsoft and the REN-ISAC will share information regarding vulnerabilities, exploits, and fixes, as well as other information at a level of depth and detail that will help both parties become more proactive and responsive to issues affecting the global community.
- Provides access to materials to support member security awareness programs.
Microsoft / REN-ISAC SCPe
This unique trust relationship with Microsoft will provide an information source from which we can impart important security and product information to our membership, and through which we can give feedback to Microsoft regarding our security experiences with their products.
The relationship will be supported and facilitated through a REN-ISAC Microsoft Analysis Team:
- Ryan Eads, University of Illinois, Urbana-Champaign
- Brad Judy, University of Colorado, Boulder
- Sean Krulewitch, Indiana University
- Brian Smith-Sweeney, New York University
- Dave Monnier, REN-ISAC / Indiana University
- Doug Pearson, REN-ISAC / Indiana University
Microsoft / REN-ISAC SCPe
Additional information:
http://www.ren-isac.net/relationships/microsoft.html
http://www.ren-isac.net/advisory.html/#microsoft
- private Trust Community facilitates the sharing of sensitive information
- Sharing actionable information for protection and response
- Products and peer sharing within Trusted Communities: members, intel relationships
- Trust Community channels: private mailing list, secure IRC, community web portal, incident data downloads
- outside the Trust Community (non-member .edu): we send notifications of compromised machines
Products
- Daily Weather Report provides situational awareness.
- Alerts provide timely information concerning new or increasing threat.
- Notifications are sent to contacts at sources and targets of active threat or incident involving member networks.
- Threat Resources provide information regarding known active sources of threat.
- Monitoring views provide aggregate information for situational awareness.
Education
- TechBurst webcasts inform on technical topics relevant to security protection and response; are presented monthly by members. Examples include:
  - BotNet Detection Using DNS Methods
  - Netflow Advanced Topics
  - DNS: Protocols, Operation and Security
- Advisories inform regarding specific practices or approaches that can improve security posture.
- Peer interaction (IRC and mailing list)
Exercises
Internet2 Abilene Operational security exercises
- First held November 2005:
  - Day-long table top exercise (talking only, no flows)
  - Abilene backbone infrastructure attacks, 2 scenarios
  - Report identifies ~40 observations
- Second (date TBD) will include domestic and international participants
Tools
- services: malware analysis system (dev), passive DNS replication service (dev), .edu notification system, Cyber Security Registry (dev), wiki, IRC, listserv, community portal, RENOIR (WPI / CSI2 dev)
- monitors and sensors: REN-ISAC darknet, Shared Darknet Project (R-I / CSI2), netflow collection and analysis, Traffic Grapher, Arbor Peakflow, flow-tools, DNS infrastructure monitoring
Registry
Rich information about .edu security contacts: people and institutions (under development)
24x7 Watch Desk
REN-ISAC: organization
- Trust community
- Member participation
- Supporting organizations
- Contributors
- Advisory groups
- Analysis teams
- Organizational Relationships
REN-ISAC: organization: Trust community
A trusted community for sharing sensitive information regarding cybersecurity threat, incidents, response, and protection, specifically designed to support the unique environment and needs of higher education and research organizations.
Rigorous guidelines for membership and member vetting are used to engender and maintain a community of trust requisite for sharing sensitive information.
REN-ISAC: organization: Member participation
- cornerstone of REN-ISAC
- types of contributions:
  - sharing w/ peers
  - Dedicated commitment of resources
  - Informal commitment of resources
  - Daily reports authoring
  - Systems administration
  - TechBurst webcasts
  - Sensor and monitor data sharing
  - Tool development
  - Advisory groups
  - Analysis Teams
REN-ISAC: organization: Supporting Organizations
- Indiana University (host)
- Internet2
- EDUCAUSE
- Louisiana State University
REN-ISAC: organization: Contributors (.edu members)
- Berkeley (TAG)
- Brandeis (wiki)
- Colorado (MAT)
- Cornell (TAG)
- IU (host, EAG, TAG)
- LSU (daily reports, EAG)
- Oakland (EAG)
- Oregon (TAG)
- MOREnet (TAG, TechBursts)
- NYU (MAT)
- Reed College (EAG)
- UMass (TAG)
- UMBC (EAG)
- UMN (TAG)
- UMT (EAG)
- WPI (TAG, systems)
REN-ISAC: organization: Contributors (others)
- Team Cymru (TAG)
- Neustar (TAG, tools)
- Sunbelt (systems)
REN-ISAC: organization: Advisory groups
- Executive Advisory Group (EAG) advises regarding policies, legal issues, plans and strategies, and other non-technical aspects of REN-ISAC operations.
- Technical Advisory Group (TAG) advises regarding useful REN-ISAC products and services, guided by evaluation of member needs.
Executive Advisory Group
Advises regarding policies, legal issues, plans and strategies, and other non-technical aspects of REN-ISAC operations.
- Jack Suess, chair, University of Maryland-Baltimore County
- Ray Ford, University of Montana
- Ken Klingenstein, Internet2 & University of Colorado
- Rodney Petersen, EDUCAUSE
- Marty Ringle, Reed College
- Theresa Rowe, Oakland University
- Brian Voss, Louisiana State University
Ex-officio Members:
- Mark Bruhn, REN-ISAC/Indiana University
- Chris Misra, TAG Chair, University of Massachusetts Amherst
- Doug Pearson, REN-ISAC/Indiana University
Technical Advisory Group
Advises regarding useful products, services, and methods guided by the REN-ISAC mission and survey of member needs.
- Chris Misra, chair, University of Massachusetts Amherst
- Daniel Aldinolfi, Cornell University
- Phil Deneault, Worcester Polytechnic Institute
- Brian Eckman, University of Minnesota
- Stephen Gill, Team Cymru
- Andrew Korty, Indiana University
- John Kristoff, UltraDNS
- Randy Raw, Missouri Research and Education Network
- Michael Sinatra, University of California Berkeley
- Joe St Sauver, University of Oregon
Ex-officio Members:
- Dave Monnier, REN-ISAC/Indiana University
- Doug Pearson, REN-ISAC/Indiana University
REN-ISAC: organization: Analysis teams
Microsoft Analysis Team serves as the technical interface between REN-ISAC and Microsoft for the SCPe. Guides the objectives for the relationship, and receives, analyzes, and disseminates information shared under the Partnership.
- Ryan Eads, UIUC
- Brad Judy, U Colorado, Boulder
- Sean Krulewitch, IU
- Brian Smith-Sweeney, NYU
- Dave Monnier, REN-ISAC / IU
- Doug Pearson, REN-ISAC / IU
REN-ISAC: organization: Organizational Relationships
- Internet2
- EDUCAUSE
- Internet2/EDUCAUSE Computer & Network Security Task Force
- National ISAC Council
- Internet2 SALSA
- Internet2 CSI2 Working Group
REN-ISAC: membership
Membership is open and free to:
- institutions of higher education,
- teaching hospitals,
- research and education network providers, and
- government-funded research organizations.
Membership guidelines are roughly:
- must be permanent staff,
- with organization-wide responsibilities for cybersecurity protection and response, and
- be vouched-for by 2 existing members
http://www.ren-isac.net/membership.html
Summary
- REN-ISAC is a member-driven trusted community for sharing sensitive information regarding cybersecurity threat, incidents, response, and protection.
- The information facilitates and enhances your local protection and response efforts.
- REN-ISAC serves the higher education and research communities.
- REN-ISAC is a product of its members.
- Membership is free, but according to a particular job profile and vouched-for trust.
References and Contacts
http://www.ren-isac.net
24x7 Watch Desk: ren-isac@ren-isac.net, +1(317)274-6630
Mark Bruhn, Executive Director, mbruhn@iu.edu
Doug Pearson, Technical Director, dodpears@ren-isac.net
Dave Monnier, Principal Security Engineer, dmonnier@ren-isac.net