1 / 19

REN-ISAC Update

REN-ISAC Update. Doug Pearson, REN-ISAC Technical Director DICE 12 February 2008 Athens, Greece. REN-ISAC. The goal of the REN-ISAC is to aid and promote cyber security protection and response within the higher education and research (R&E) communities, through :

zudora
Download Presentation

REN-ISAC Update

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. REN-ISAC Update Doug Pearson, REN-ISAC Technical Director DICE 12 February 2008 Athens, Greece

  2. REN-ISAC The goal of the REN-ISAC is to aid and promote cyber security protection and response within the higher education and research (R&E) communities, through : • the sharing of actionable information within a private trust community, • the provision of other direct security services, and • serving as the R&E trusted partner within the formal ISAC community.

  3. Cooperative Effort • Direct and in-kind funding: • IU (host organization), LSU, Internet2, EDUCAUSE • Executive Advisory Group • IU, LSU, Oakland U, Reed College, U Mass, UMBC, U Montana, Internet2, and EDUCAUSE • Technical Advisory Group • Cornell, IU, Neustar, MOREnet, Team Cymru, UC Berkeley, U Mass, U Minn, U Oregon, and WPI • Microsoft Analysis Team • Colorado, IU, NYU, UIUC • Major contributors • Buffalo, Brandeis, and WPI (systems), MOREnet (TechBursts) • And the MEMBERS!

  4. Membership (the old, and still current plan) • Membership is open and free to: • institutions of higher education, • teaching hospitals, • research and education network providers, and • government-funded research organizations. • Membership guidelines are roughly: • must have organization-wide responsibilities for cyber security protection and response, and • must be permanent staff, • must be vouched-for (trust) by 2 existing members • Membership includes: • International participation: currently 8 .ca, and 2 .nz • Large .gov-sponsored experiments • http://www.ren-isac.net/membership.html

  5. Membership People Orgs.

  6. In the works: • Revised membership model • 2-vouch trust community is difficult to scale to reach all of R&E • For sharing the most sensitive information, need to have the strong community trust that vouching – personal knowledge – brings • Solution: tiered membership – general and X(extra)-Sec members; General member = appointed by CIO, XSec member = 2-vouched. • Information sharing policies and guidelines will be structured to work with the tiered model – a certain level of information sharing (benefit) among the general membership, and extended sharing in XSec. • Business Plan • Formalized organizational framework • Long-term sustainability • Growth • Fee-based membership

  7. Information Resources • REN-ISAC members • Direct reconnaissance • Information sharing relationships • Other sector ISACs • Global Research NOC at IU • Vendors relationships • Network instrumentation and sensors • Internet2 Abilene network backbone netflow • Arbor Peakflow SP for DDoS discovery • REN-ISAC darknet • Shared Darknet Project • Global NOC operational monitoring

  8. Information Products • Daily Weather Reportprovides situational awareness. • Alerts provide critical and timely information concerning new or increasing threat. • Notifications identify specific sources and targets of active threat or incident involving member networks. • Data Feedsprovide specific identifying information regarding known active sources of threat. • Advisories inform regarding specific practices or approaches that can improve security posture. • TechBurst webcasts provide instruction on technical topics relevant to security protection and response. • Monitoring views provide aggregate information for situational awareness.

  9. Compromised System Notifications to .edu Botnet Command and Control Hosts Infected Hosts Unique R&E Institutions

  10. .EDU Storm Worm Daily Notifications from REN-ISAC Beginning Feb 21 REN-ISAC source of ongoing intelligence regarding compromised systems operating in the Storm Worm botnet. REN-ISAC sends daily notifications identifying the compromised machines to security contacts at the machine-owning organization.

  11. .EDU Storm Worm Daily Notifications from REN-ISAC Start of the concerted and successful e-card spamming method.

  12. .EDU Storm Worm Daily Notifications from REN-ISAC Notifications quickly and dramatically blunted the severity of Storm infection in .EDU

  13. .EDU Storm Worm Daily Notifications from REN-ISAC The Microsoft MSRT (Malicious Software Removal Tool) addresses Storm 9/11

  14. .EDU Storm Worm Daily Notifications from REN-ISAC Throughout July and August, utilizing the Internet2 Arbor Networks Peakflow system, REN-ISAC detected and responded to ~dozen Storm Worm DDoS attacks transiting the Internet2 network. On Sept 9 R-I issued an Alert to the R&E community, “Storm Worm DDoS Threat to the EDU Sector”

  15. Projects in Cooperation with Internet2 CSI2 • CSI2 Shared Darknet Project • Information from dispersed, member-based darknet sensors is combined to a single community resource. Provides notifications of observed scanning sources, reports of aggregate port scanning statistics, with a more complete view of IPv4-based scanning activity than provided by a single, standalone darknet. Working in cooperation with the Internet2 SALSA CSI2 effort. • CSI2 RENOIR • Research and Education Networking Operational Incident Repository provides trust community-based sharing of incident information. Working in cooperation with the Internet2 SALSA CSI2 effort.

  16. Projects, and Opportunities for Collaboration • Relationships and information sharing • Linkage to NREN security teams and CSIRTS • Arbor Fingerprint Sharing • Projects • PDNS • Scanning Service • Shared Darknet • Incident Information Sharing System (RENOIR) • DNS infrastructure monitoring • Federated Model (ANL, et al) • http://www.anl.gov/it/Cyber_Security/Federations_for_Cyber_Defense/index.html • Very interested to learn what others are doing wrt IPv6 • Also, interested in L2 infrastructure security services

  17. Projects, and Opportunities for Collaboration • REN-ISAC staff at upcoming meetings • 20-21 Feb, X • 28-29 Feb, ISOI IV • 21-23 Apr, Internet2 Spring Meeting • 4-6 May, EDUCAUSE Security Professionals Conference • 6 May, REN-ISAC Annual Member Meeting

  18. Priorities for the Coming Year • Not in order • Membership growth • Implement the revised Membership Model • Business plan • Facilitate various forms of member involvement and contribution • Develop additional and strengthen existing information sharing relationships, including the REN-ISAC and Microsoft SCPe • Assessment of current services and member needs • Cyber Security Registry • Various tool and service projects

  19. Contacts http://www.ren-isac.net 24x7 Watch Desk: ren-isac@ren-isac.net +1(317)274-6630 Doug Pearson, Technical Director dodpears@ren-isac.net

More Related