REN-ISAC by Fzd4JI


NSF Cybersecurity Summit
May 2008
REN-ISAC Goal
The goal of the REN-ISAC is to aid and promote cyber security
protection and response within the higher education and
research (R&E) communities, through:
• the exchange of sensitive actionable information within a
    private trust community,
• the provision of direct security services, and
• serving as the R&E trusted partner within the formal ISAC
    community.
Benefits of Membership
• Participate, share information in the private trust community
• Receive actionable protection and response information, e.g.
  Daily Watch Report, Alerts, Advisories, and other
• Establish relationships with known and trusted peers
• Benefit from information sharing relationships constructed in
  the broad security community
• Benefit from vendor relationships (e.g. Microsoft SCP)
• Participate in technical security webinars
• Participate in REN-ISAC meetings, workshops, & training
• Have access to the 24x7 REN-ISAC Watch Desk
• Have access to active threat and other sensitive data feeds,
  e.g. for local IP and DNS block lists, sensor signatures, etc.
Membership
• Membership is open to:
   –   institutions of higher education,
   –   teaching hospitals,
   –   research and education network providers, and
   –   government-funded research organizations;
   –   international, although focused on U.S.
• Currently, membership guidelines are roughly:
   – must have organization-wide responsibilities for cyber security
     protection and response,
   – must be permanent staff, and
   – must be vouched-for (personal trust) by 2 existing members
   – http://www.ren-isac.net/membership.html
Membership
[Figure: membership growth, two charts. People (vertical axis 0 to 500) and Orgs (vertical axis 0 to 250).]
REN-ISAC is a Cooperative Effort
• Member participation is a cornerstone of REN-ISAC
• Advisory Groups
   – Executive Advisory Group: IU, LSU, Oakland U, Reed College, U
     Mass, UMBC, U Montana, Internet2, and EDUCAUSE
   – Technical Advisory Group: Cornell, IU, Neustar, MOREnet, Team
     Cymru, UC Berkeley, U Mass, U Minn, U Oregon, and WPI
• Analysis Teams
   – Microsoft Analysis Team: Colorado, IU, NYU, UIUC, U Washington
• Service development teams
   – Numerous
• Dedicated resource contributors: IU, LSU, Internet2
• Other major, e.g. systems, tools, coordination, etc.:
   – LSU, Buffalo, Brandeis, WPI, and MOREnet
Information Sharing
• REN-ISAC is a private trust community for sharing
  sensitive information.
• The private and trusted character
   – provides a safe zone for the sharing of organizational incident
     experience,
   – protects information about our methods and sources, and
   – protects information which if publicly disclosed would abet our
     adversaries.
Information Products
• Daily Watch Report provides situational awareness.
• Alerts provide critical and timely information concerning new or
  increasing threat.
• Notifications identify specific sources and targets of active threat
  or incident involving R&E. Sent directly to contacts at involved sites.
• Feeds provide specific identifying information regarding known
  active sources of threat; useful for IP and DNS block lists, sensor
  signatures, etc.
• Advisories inform regarding specific practices or approaches that
  can improve security posture.
• TechBurst webcasts provide instruction on technical topics relevant
  to security protection and response.
• Monitoring views provide summary views from sensor systems,
  useful for situational awareness.
Notifications Sent
[Figure: chart of notifications sent; vertical axis 0 to 14000.]
Information Products: Notifications:
REN-ISAC EDU Storm Worm Daily Notifications
[Figure: REN-ISAC EDU Storm Worm Daily Notifications. Vertical axis 0 to 800; horizontal axis dates from 2/21 to 9/19. Legend: number of notifications, ecard, ecard run #2, phishy, help, video, labor day, privacy, nfl, arcade.]
Beginning Feb 21 REN-ISAC source of ongoing intelligence regarding
compromised systems operating in the Storm Worm botnet.
REN-ISAC sent daily notifications identifying the compromised machines
to security contacts at the machine-owning organizations.
Notifications quickly and dramatically blunted the severity
of Storm infections in EDU.
Throughout July and August, utilizing the Internet2 Arbor Networks
Peakflow system, REN-ISAC detected and responded to ~dozen Storm
Worm DDoS attacks transiting the Internet2 network. On Sept 9 R-I
issued an Alert to the R&E community,
“Storm Worm DDoS Threat to the EDU Sector”.
The Microsoft MSRT (Malicious Software Removal
Tool) is updated for Storm on 9/11.
Priorities for the Coming Year
Not in priority order:
• Membership growth
• Implement the two-tiered membership model
• Implement the sustainability & growth business plan
• Facilitate various forms of member involvement and
  contribution
• Development of additional information sharing relationships,
  and care and feeding of existing relationships
• Assessment of current services and member needs
• Scanning Services project
• Cyber Security Registry
• Various tool and service projects
How to Join
• http://www.ren-isac.net/membership.html
• Paraphrased:
   – must have organization-wide responsibilities for cyber security
     protection and response,
   – at an institution of higher education, teaching hospital, research and
     education network provider, or government-funded research
     organization,
   – must be permanent staff, and
   – must be vouched-for (personal trust) by 2 existing members.
Contacts

 http://www.ren-isac.net
 24x7 Watch Desk:
     soc@ren-isac.net
     +1(317)278-6630

 Doug Pearson, Technical Director
     dodpears@ren-isac.net
 Mark Bruhn, Executive Director
     mbruhn@iu.edu
 Gabriel Iovino, Principal Security Engineer
     giovino@ren-isac.net

								