REN-ISAC Research and Education Networking Information Sharing and Analysis Center

Upload: wirt

Post on 23-Feb-2016


REN-ISAC

Research and Education Networking Information Sharing and Analysis Center


ISACs in General


Mission

The REN-ISAC mission is to aid and promote cyber security operational protection and response within the higher education and research (R&E) communities. The mission is conducted within the context of a private community of trusted representatives at member institutions, and in service to the R&E community at-large. REN-ISAC serves as the R&E trusted partner for served networks, the formal ISAC community, and in other commercial, governmental, and private security information sharing relationships.


Roles

• ISAC role: A community formed of trusted security staff at R&E institutions; sharing actionable information for operational protection and response; among the trusted R&E members, cross-sector, and with external trusted partners. Certain services (alerts and notifications) to all of R&E regardless of membership status. REN-ISAC is the R&E “trusted partner” in commercial, governmental, and private security information sharing relationships.

• CSIRT role: Notifications (>12k/month) regarding compromised systems and other incident involvement; supporting all of US R&E (>1600 institutions notified to-date). SOC for Internet2 network.


REN-ISAC is a Cooperative Effort

• Member participation is a cornerstone of REN-ISAC
• Dedicated resource contributors: IU, LSU, and Internet2
• In kind contributors: EDUCAUSE, MOREnet
• Member contributions through participation:
  – Executive Advisory Group
  – Technical Advisory Group
  – Microsoft Analysis Team
  – Membership Committee
  – Services development and operation
  – Systems, tools, etc.
• Seek mutually beneficial relationships


Advisory Groups, Analysis Teams, and Services

• Executive Advisory Group: Bard, EDUCAUSE, Internet2, IU, LBL, Oakland, Reed College, UMBC, UMD
• Technical Advisory Group: Arbor Networks, Baylor, Cornell, Internet2, IU, Team Cymru, U Mass Amherst, WPI
• Membership Committee: Emory, IAS, IU, LSU, Scranton, UT Dallas
• Microsoft Analysis Team: IU, NYU, UAB, U Washington
• Services: MOREnet


Relationships

• Internet2
• Internet2 SALSA
• Internet2 CSI2 Working Group
• Global Research NOC at IU
• EDUCAUSE
• Higher Education Information Security Council
• Private threat analysis and mitigation efforts
• Other sector ISACs
• National ISAC Council
• DHS/US-CERT and other national CERTS and CSIRTS
• Vendors (Microsoft)
• NCFTA (National Cyber-Forensics & Training Alliance)
• APWG (Anti-Phishing Working Group)


Sustainability

• Hosted by Indiana University
• Financial contributions from IU, LSU, and Internet2, and in-kind support from EDUCAUSE
• Member contributions in projects, services, and activities
• A modest membership fee ($700/$900 per institution per year)
• Financial Principles, in the Charter:

7.3.1 REN-ISAC will not be operated to generate and disseminate profit, but also cannot be a cost center of any particular sponsoring or supporting organization.

7.3.2 The fundamental financial goal of the REN-ISAC is to cover all costs through a combination of tangible sponsorship, support, or other philanthropic revenue and fees, and given the expense parameters and the fiscal environment in which the REN-ISAC operates.


Benefits of Membership

• Receive and share practical and actionable defense information in a private community of trusted members
• Establish relationships with known and trusted peers
• Have access to direct security services
• Benefit from information sharing relationships in the broad security community
• Benefit from vendor relationships, such as the REN-ISAC and Microsoft Security Cooperation Program relationship
• Participate in technical educational security webinars
• Participate in REN-ISAC meetings, workshops, & training
• Have access to the 24x7 REN-ISAC Watch Desk
• Have access to threat information resources ("data feeds") that can be used to identify local compromised machines, and to block known threats


Information Products

• Daily Watch Report provides situational awareness.

• Alerts provide critical and timely information concerning new or increasing threat.

• Notifications identify specific sources and targets of active threat or incident involving R&E. Sent directly to contacts at involved sites. ~4000 notifications sent per month.

• Feeds provide collective information regarding known sources of threat; useful for IP and DNS block lists, sensor signatures, etc.

• Advisories inform regarding specific practices or approaches that can improve security posture.

• TechBurst webcasts provide instruction on technical topics relevant to security protection and response.

• Monitoring views provide summary views from sensor systems, e.g. traffic patterns on Internet2, useful for situational awareness.


Membership

• Membership is open to colleges and universities, teaching hospitals, R&E network providers, and government-funded research organizations.

• The institution is the “member”, and is represented by a management representative who nominates one or more member representatives.

• Very specific job responsibility requirements define who is eligible to become a member representative.

• Membership is tiered (General and XSec). The tiers differ in eligibility criteria, the degree of trust vetting, sensitivity of information shared, information products shared, and the commitment-level of the institution.


Membership and Reach

• As of October 2011, there are:
  – 341 members
    • Represented by 858 member representatives
    • A list of member institutions is on the Membership web page
      – http://www.ren-isac.net/cgi-bin/memberlist.cgi
• Service to R&E beyond just the membership
  – REN-ISAC has communicated with over 1600 EDU institutions, directly and privately, regarding compromised systems (notifications)
  – Episodic public alerts are aimed at R&E security practitioners and CIOs


Joining REN-ISAC

• Membership is initiated by a CIO or equivalent, who becomes the “management representative”. During registration the CIO can delegate the management representative role.
• The management representative nominates “member representatives”
• Member representatives must be FTE with institution-wide responsibilities for operational security protection and response, etcetera.
• Tiered membership model
  – First tier (General): nominated by management representative, meets eligibility criteria, and no dings by current members during vetting
  – Second tier (XSec): has been a General member in good standing for six weeks, meets eligibility requirements, and receives two vouches of personal trust from existing members
• http://www.ren-isac.net/membership.html


Over the Past Year

• Membership growth: 301 → 341 institutions, represented by 730 → 858 persons (dated October 2011)

• Relationships growth: US-CERT, NCFTA, APWG

• Growth in engagement with trusted partners: more information sharing

• Involvement in strategic industry groups focused at the takedown of specific security threats

• Advancement of the SES tool (v1 → v2), created the Collective Intelligence Framework (CIF): threat data repository, flexible API, support for analyst threat research

• NSF award OCI-1127425 for development of SES v3, including support for inter-federation, scaling, additional data types, and tool integration.

• Engagement with the NSF International Research Network Connections, TransPAC3 and America Connects to Europe projects, supporting "community security" activities.


Over the Past Year

• Partnership with the Multi-State ISAC and SANS to bring an aggressive aggregate buy program for Securing The Human training to EDU.
• Engagement in international standards work for security incident reporting (IODEF)
• Handling of 0-day vulnerability communications between members and vendors
• Increase in number of notifications (more data sources) regarding observed infected EDU-based machines: > 12,000 notifications/month
• Additional staff, funded by membership fees, permitting substantial strengthening of our infrastructure, and deployment of new services


References

• REN-ISAC Organizational Documents
  – http://www.ren-isac.net/about/index.html
    • Charter
    • Membership Document
    • Terms and Conditions
    • Fees
    • Information Sharing Policy
    • Disclaimer
• Overviews
  – http://www.ren-isac.net/about/index.html
    • Flier
    • Executive Overview
• Joining
  – http://www.ren-isac.net/membership.html


Contacts

Doug Pearson

Technical [email protected]

http://www.ren-isac.net

24x7 Watch Desk: [email protected]

+1 (317) 278-6630