NSF Cybersecurity Summit May 2008


REN-ISAC Goal

The goal of the REN-ISAC is to aid and promote cyber security protection and response within the higher education and research (R&E) communities, through:
• the exchange of sensitive actionable information within a private trust community,
• the provision of direct security services, and
• serving as the R&E trusted partner within the formal ISAC community.


Benefits of Membership

• Participate, share information in the private trust community

• Receive actionable protection and response information, e.g. Daily Watch Report, Alerts, Advisories, and other

• Establish relationships with known and trusted peers

• Benefit from information sharing relationships constructed in the broad security community

• Benefit from vendor relationships (e.g. Microsoft SCP)

• Participate in technical security webinars

• Participate in REN-ISAC meetings, workshops, & training

• Have access to the 24x7 REN-ISAC Watch Desk

• Have access to active threat and other sensitive data feeds, e.g. for local IP and DNS block lists, sensor signatures, etc.


Membership

• Membership is open to:
– institutions of higher education,
– teaching hospitals,
– research and education network providers, and
– government-funded research organizations;
– international, although focused on U.S.

• Currently, membership guidelines are roughly:
– must have organization-wide responsibilities for cyber security protection and response,
– must be permanent staff, and
– must be vouched-for (personal trust) by 2 existing members
– http://www.ren-isac.net/membership.html


[Chart: Membership; labels: People, Orgs]


REN-ISAC is a Cooperative Effort

• Member participation is a cornerstone of REN-ISAC
• Advisory Groups
– Executive Advisory Group: IU, LSU, Oakland U, Reed College, U Mass, UMBC, U Montana, Internet2, and EDUCAUSE
– Technical Advisory Group: Cornell, IU, Neustar, MOREnet, Team Cymru, UC Berkeley, U Mass, U Minn, U Oregon, and WPI
• Analysis Teams
– Microsoft Analysis Team: Colorado, IU, NYU, UIUC, U Washington
• Service development teams
– Numerous
• Dedicated resource contributors: IU, LSU, Internet2
• Other major, e.g. systems, tools, coordination, etc.:
– LSU, Buffalo, Brandeis, WPI, and MOREnet


Information Sharing

• REN-ISAC is a private trust community for sharing sensitive information.

• The private and trusted character

– provides a safe zone for the sharing of organizational incident experience,

– protects information about our methods and sources, and

– protects information which if publicly disclosed would abet our adversaries.


Information Products

• Daily Watch Report provides situational awareness.

• Alerts provide critical and timely information concerning new or increasing threat.

• Notifications identify specific sources and targets of active threat or incident involving R&E. Sent directly to contacts at involved sites.

• Feeds provide specific identifying information regarding known active sources of threat; useful for IP and DNS block lists, sensor signatures, etc.

• Advisories inform regarding specific practices or approaches that can improve security posture.

• TechBurst webcasts provide instruction on technical topics relevant to security protection and response.

• Monitoring views provide summary views from sensor systems, useful for situational awareness.


Notifications Sent


Information Products: Notifications:

REN-ISAC EDU Storm Worm Daily Notifications

Beginning Feb 21 REN-ISAC source of ongoing intelligence regarding compromised systems operating in the Storm Worm botnet.

REN-ISAC sent daily notifications identifying the compromised machines to security contacts at the machine-owning organizations.


Notifications quickly and dramatically blunted the severity of Storm infections in EDU


Throughout July and August, utilizing the Internet2 Arbor Networks Peakflow system, REN-ISAC detected and responded to about a dozen Storm Worm DDoS attacks transiting the Internet2 network. On Sept 9 REN-ISAC issued an Alert to the R&E community, “Storm Worm DDoS Threat to the EDU Sector”.


The Microsoft MSRT (Malicious Software Removal Tool) is updated for Storm on 9/11


Priorities for the Coming Year

Not in priority order:
• Membership growth
• Implement the two-tiered membership model
• Implement the sustainability & growth business plan
• Facilitate various forms of member involvement and contribution
• Development of additional information sharing relationships, and care and feeding of existing relationships
• Assessment of current services and member needs
• Scanning Services project
• Cyber Security Registry
• Various tool and service projects


How to Join

• http://www.ren-isac.net/membership.html
• Paraphrased:
– must have organization-wide responsibilities for cyber security protection and response,
– at an institution of higher education, teaching hospital, research and education network provider, or government-funded research organization,
– must be permanent staff, and
– must be vouched-for (personal trust) by 2 existing members.


Contacts

http://www.ren-isac.net

24x7 Watch Desk: [email protected] +1(317)278-6630

Doug Pearson, Technical [email protected]

Mark Bruhn, Executive [email protected]

Gabriel Iovino, Principal Security [email protected]