Security Professionals Conference

May 2008

REN-ISAC Goal

The goal of the REN-ISAC is to aid and promote cyber security protection and response within the higher education and research (R&E) communities, through :

•the exchange of sensitive actionable information within a private trust community,

•the provision of direct security services, and

•serving as the R&E trusted partner within the formal ISAC community.

Benefits of Membership

• Get and share practical defense information in a private trust community

• Establish relationships with known and trusted peers

• Benefit from vendor relationships (e.g. Microsoft SCP)

• Participate in technical security webinars

• Participate in REN-ISAC meetings, workshops, & training

• 24x7 REN-ISAC Watch Desk

• Have access to active threat and other sensitive data feeds, e.g. for local IP and DNS block lists, sensor signatures, etc.

• 2nd annual R-I Member Meeting held here…Tuesday.

Membership• Membership is open to:

– institutions of higher education, – teaching hospitals, – research and education network providers, and – government-funded research organizations;– international, although focused on U.S.

• Currently, membership guidelines are roughly:– must have organization-wide responsibilities for cyber security

protection and response,– must be permanent staff, and– must be vouched-for (personal trust) by 2 existing members– http://www.ren-isac.net/membership.html

Membership

People

Orgs

REN-ISAC is a Cooperative Effort

• Member participation is a cornerstone of REN-ISAC

• Advisory Groups– Executive Advisory Group: IU, LSU, Oakland U, Reed College, U

Mass, UMBC, U Montana, Internet2, and EDUCAUSE

– Technical Advisory Group: Cornell, IU, Neustar, MOREnet, Team Cymru, UC Berkeley, U Mass, U Minn, U Oregon, and WPI

• Analysis Teams– Microsoft Analysis Team: Colorado, IU, NYU, UIUC, U Washington

• Service development teams– numerous

• Dedicated resource contributors: IU, LSU

• Other major, e.g. systems, tools, coordination, etc.– Buffalo, Brandeis, WPI, and MOREnet

Information Sharing

• REN-ISAC is a private trust community which provides: • A safe zone for the sharing of organizational

incident experience which may not otherwise be shared.

• Protection for information which if publicly disclosed would abet malware writers.

• Protection for information about methods and sources.

Information Resources

• REN-ISAC members

• Information sharing relationships (multiple, formal and informal)

• Direct reconnaissance

• Other sector ISACs

• Global Research NOC at IU (R&E backbone networks)

• Vendor relationships

• Network instrumentation and sensors– Internet2 Abilene network backbone netflow

• Arbor Peakflow SP for DDoS discovery

– REN-ISAC darknet

Notifications Sent

For example, 2 periods of notifications quickly and dramatically blunted the severity of Storm infections in

EDU

Note: The Microsoft MSRT (Malicious Software Removal Tool) is updated for Storm on 9/11

Summer ‘08 Two-Tiered Membership

• Goal is to achieve broader reach while still maintaining a strong-trust core

• “General” membership = the entry-level tier– A CIO (or equivalent) appoints General members – one or

more full-time staff who meet eligibility requirements. Personal trust vouches are not required, but nominations are open to dispute

• “XSec” membership = the e(X)tra (Sec)ure tier– Additional membership criteria, and two vouches of

personal trust are required from existing XSec members

Membership Fees

• Membership is currently free, necessary growth and value to the community is not sustainable.

• Beginning July 1, 2009 a nominal membership fee will be instituted. The fee is not finalized, but we anticipate yearly per-institution cost will be very low.

Priorities for the Coming Year

Not in priority order:

• Membership growth

• Implement the two-tiered membership model

• Implement a sustainability & growth business plan

• Facilitate various forms of member involvement and contribution

• Development of additional information sharing relationships, and care and feeding of existing relationships

• Assessment of current services and member needs

• Scanning services project

• Various tool and service projects

Contacts

http://www.ren-isac.net 24x7 Watch Desk:

soc@ren-isac.net +1(317)278-6630

Doug Pearson, Technical Directordodpears@ren-isac.net

Mark Bruhn, Executive Directormbruhn@iu.edu

Gabriel Iovino, Principal Security Engineergiovino@ren-isac.net