REN-ISAC
Research and Education Networking
Information Sharing and Analysis Center
ISACs in General
Mission
The REN-ISAC mission is to aid and promote cyber security operational
protection and response within the higher education and research
(R&E) communities. The mission is conducted within the context of a
private community of trusted representatives at member institutions,
and in service to the R&E community at-large. REN-ISAC serves as the
R&E trusted partner for served networks, the formal ISAC community,
and in other commercial, governmental, and private security
information sharing relationships.
Roles
• ISAC role: A community formed of trusted security staff at R&E
institutions; sharing actionable information for operational
protection and response; among the trusted R&E members, cross-sector, and with external trusted partners. Certain services (alerts
and notifications) to all of R&E regardless of membership status.
REN-ISAC is the R&E “trusted partner” in commercial,
governmental, and private security information sharing
relationships.
• CSIRT role: Notifications (>12k/month) regarding compromised
systems and other incident involvement; supporting all of US R&E
(>1600 institutions notified to-date). SOC for Internet2 network.
REN-ISAC is a Cooperative Effort
• Member participation is a cornerstone of REN-ISAC
• Dedicated resource contributors: IU, LSU, and Internet2
• In kind contributors: EDUCAUSE, MOREnet
• Member contributions through participation:
– Executive Advisory Group
– Technical Advisory Group
– Microsoft Analysis Team
– Membership Committee
– Services development and operation
– Systems, tools, etc.
• Seek mutually beneficial relationships
Advisory Groups, Analysis Teams, and Services
[Figure: organizations participating in each group]
Groups: Executive Advisory Group, Technical Advisory Group, Membership Committee, Microsoft Analysis Team, Services
Organizations shown: Bard, Arbor Networks, Emory, IU, MOREnet, EDUCAUSE, Baylor, IAS, NYU, Internet2, Cornell, UAB, LSU, U Washington, LBL, Scranton, Oakland, Team Cymru, UT Dallas, Reed College, U Mass Amherst, UMBC, WPI, UMD
Relationships
• Internet2
• Internet2 SALSA
• Internet2 CSI2 Working Group
• Global Research NOC at IU
• EDUCAUSE
• Higher Education Information Security Council
• Private threat analysis and mitigation efforts
• Other sector ISACs
• National ISAC Council
• DHS/US-CERT and other national CERTS and CSIRTS
• Vendors (Microsoft)
• NCFTA (National Cyber-Forensics & Training Alliance)
• APWG (Anti-Phishing Working Group)
Sustainability
• Hosted by Indiana University
• Financial contributions from IU, LSU, and Internet2, and in-kind
support from EDUCAUSE
• Member contributions in projects, services, and activities
• A modest membership fee ($700/$900 per institution per year)
• Financial Principles, in the Charter:
7.3.1 REN-ISAC will not be operated to generate and disseminate profit, but
also cannot be a cost center of any particular sponsoring or supporting
organization.
7.3.2 The fundamental financial goal of the REN-ISAC is to cover all costs
through a combination of tangible sponsorship, support, or other
philanthropic revenue and fees, and given the expense parameters and
the fiscal environment in which the REN-ISAC operates.
Benefits of Membership
• Receive and share practical and actionable defense information in a
private community of trusted members
• Establish relationships with known and trusted peers
• Have access to direct security services
• Benefit from information sharing relationships in the broad security
community
• Benefit from vendor relationships, such as the REN-ISAC and Microsoft
Security Cooperation Program relationship
• Participate in technical educational security webinars
• Participate in REN-ISAC meetings, workshops, & training
• Have access to the 24x7 REN-ISAC Watch Desk
• Have access to threat information resources ("data feeds") that can be
used to identify local compromised machines, and to block known threats
Information Products
• Daily Watch Report provides situational awareness.
• Alerts provide critical and timely information concerning new or increasing
threat.
• Notifications identify specific sources and targets of active threat
or incident involving R&E. Sent directly to contacts at involved sites. ~4000
notifications sent per month.
• Feeds provide collective information regarding known sources of threat;
useful for IP and DNS block lists, sensor signatures, etc.
• Advisories inform regarding specific practices or approaches that can
improve security posture.
• TechBurst webcasts provide instruction on technical topics relevant to
security protection and response.
• Monitoring views provide summary views from sensor systems, e.g. traffic
patterns on Internet2, useful for situational awareness.
Membership
• Membership is open to colleges and universities, teaching hospitals,
R&E network providers, and government-funded research
organizations.
• The institution is the “member”, and is represented by a
management representative who nominates one or more member
representatives.
• Very specific job responsibility requirements define who is eligible
to become a member representative.
• Membership is tiered (General and XSec). The tiers differ in
eligibility criteria, the degree of trust vetting, sensitivity of
information shared, information products shared, and the
commitment-level of the institution.
Membership and Reach
• As of October 2011, there are:
– 341 members
• Represented by 858 member representatives
• A list of member institutions is on the Membership web page
– http://www.ren-isac.net/cgi-bin/memberlist.cgi
• Service to R&E beyond just the membership
– REN-ISAC has communicated with over 1600 EDU institutions, directly
and privately, regarding compromised systems (notifications)
– Episodic public alerts are aimed at R&E security practitioners and CIOs
Joining REN-ISAC
• Membership is initiated by a CIO or equivalent, who becomes the
“management representative”. During registration the CIO can delegate
the management representative role.
• The management representative nominates “member representatives”
• Member representatives must be FTE with institution-wide responsibilities
for operational security protection and response, etcetera.
• Tiered membership model
– First tier (General): nominated by management representative, meets
eligibility criteria, and no dings by current members during vetting
– Second tier (XSec): has been a General member in good standing for six
weeks, meets eligibility requirements, and receives two vouches of
personal trust from existing members
• http://www.ren-isac.net/membership.html
Over the Past Year
• Membership growth: 301 → 341 institutions, represented by 730 → 858
persons (dated October 2011)
• Relationships growth: US-CERT, NCFTA, APWG
• Growth in engagement with trusted partners: more information sharing
• Involvement in strategic industry groups focused at the takedown of
specific security threats
• Advancement of the SES tool (v1 → v2), created the Collective Intelligence
Framework (CIF): threat data repository, flexible API, support for analyst
threat research
• NSF award OCI-1127425 for development of SES v3, including support for
inter-federation, scaling, additional data types, and tool integration.
• Engagement with the NSF International Research Network Connections,
TransPAC3 and America Connects to Europe projects, supporting
"community security" activities.
Over the Past Year
• Partnership with the Multi-State ISAC and SANS to bring an aggressive
aggregate buy program for Securing The Human training to EDU.
• Engagement in international standards work for security incident
reporting (IODEF)
• Handling of 0-day vulnerability communications between members and
vendors
• Increase in number of notifications (more data sources) regarding
observed infected EDU-based machines: > 12,000 notifications/month
• Additional staff, funded by membership fees, permitting substantial
strengthening of our infrastructure, and deployment of new services
References
• REN-ISAC Organizational Documents
– http://www.ren-isac.net/about/index.html
• Charter
• Membership Document
• Terms and Conditions
• Fees
• Information Sharing Policy
• Disclaimer
• Overviews
– http://www.ren-isac.net/about/index.html
• Flier
• Executive Overview
• Joining
– http://www.ren-isac.net/membership.html
Contacts
Doug Pearson
Technical Director
[email protected]
http://www.ren-isac.net
24x7 Watch Desk:
[email protected]
+1 (317) 278-6630