Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 REN-ISAC Update Research and Education Networking Information Sharing and Analysis Center Joint Techs Madison WI July 2006.

Published byMeagan Tucker Modified over 8 years ago

Similar presentations

Presentation on theme: "1 REN-ISAC Update Research and Education Networking Information Sharing and Analysis Center Joint Techs Madison WI July 2006."— Presentation transcript:

1 1 REN-ISAC Update Research and Education Networking Information Sharing and Analysis Center Joint Techs Madison WI July 2006

2 2 24x7 Watch Desk +1(317)274-6630 ren-isac@ren-isac.net Doug Pearson Technical Director, REN-ISAC Indiana University dodpears@ren-isac.net

3 3 REN-ISAC Activities A vetted trust community for R&E cybersecurity Information-sharing and communications channels Information products aimed at protection and response Participation in mitigation communities Incident response 24x7 Watch Desk ( ren-isac@iu.edu, +1 317 274 6630) Improvement of R&E security posture Participate in other higher education and national efforts for cyber infrastructure protection

4 4 Trust Community for R&E Cybersecurity A trusted community for sharing sensitive information regarding cybersecurity threat, incidents, response, and protection, specifically designed to support the unique environment and needs of higher education and research organizations. Membership is oriented to permanent staff with organization-wide responsibility for cybersecurity protection or response at an institution of higher education, teaching hospital, research and education network provider, or government-funded research organization. http://www.ren-isac.net/membership.html

5 5 Information Sharing Closed Community. Unless authorized for public disclosure, information is shared only within the trust community. Strict rules are enforced. This: –prevents information regarding methods of intelligence gathering and response from being exposed to blackhats, –reduces the contribution to evolutionary pressure on malware, trojans, etc., –prevents unauthorized or unintended disclosure concerning institutions involved in incidents, and –protects identities of individuals involved in response Protected Identities: Unless otherwise necessary, the identities of machines, institutions, or people involved in incidents are shared only to the sites involved.

6 6 Information Sources Network instrumentation and sensors –Abilene netflow –Arbor Networks Peakflow SP –Darknet, honeypots –Global NOC operational monitoring systems Direct reconnaissance Information sharing relationships –Private network security collaborations –Members –Daily security status calls with ISACs and US-CERT –Backbone network and security engineers –Vendors, relationships and monthly ISAC conferences –Relationships to national CERTs

7 7 Information Products The Daily Weather Report provides an aggregate- level analysis aimed to help situational awareness and to provide actionable protection information. Alerts provide critical, timely, actionable protection information concerning new or increasing threat. Notifications identify specific sources and targets of active threat or incident involving member networks. Threat Information Resources provide information regarding known active sources of threat. Advisories inform regarding specific practices or approaches that can improve security posture. Monitoring views provide aggregate information for situational awareness.

8 8 Recent new member services BotNet Tracker service: provides members with a rich list of known botnet command and control domain names and IP addresses. Secure IRC: provides a means for members to securely communicate in real time. Secure Wiki: provides a controlled access space for members to directly share information and documentation. TechBurst Webcasts: 30-minute webcasts on technical topics of concern to the R&E security community. Last month: Botnet Detection Using DNS Methods, coming up: Introduction to NetFlow, and Advanced Netflow Topics

9 9 New services in pilot phase Pilot/trial of centralized Arbor Networks Peakflow SP service provided to gigapops. –Central collector receives netflow from participating gigapop –Integrated with the overall Abilene backbone Arbor –Segmented, connector-specific views provided to participants through Arbor Customer Portal feature –DDoS and worm/malware automated threat feed features –Hardware is installed –If you're interested and/or want to participate see Doug Pearson

10 10 New services on immediate horizon Shared Darknet Project –A wide-aperture darknet sensor –Members who run local darknets send their collector data (minus the hits from their own institution) to REN- ISAC. Data is analyzed to identify compromised machines by IP address, destination ports involved, the number of "hits" seen, and timestamps of the activity. –The REN-ISAC sends notifications of infected machines to source institutions and develops reports of aggregate activity and trends. Warez IRC servers –List of known warez IRC servers

11 11 New services on immediate horizon Passive DNS replication –Useful to determine domain name for miscreant servers placed on hacked/infected machines. Similar to RUS- CERT service*, but with a view to what US R&E is experiencing. * http://cert.uni-stuttgart.de/stats/dns-replication.phphttp://cert.uni-stuttgart.de/stats/dns-replication.php Vendor relationships –Representative relationship with Microsoft Security Resource Center. Regional Security Groups –Facilitate organizational interactions of regional security working groups, particularly aimed to assist new/developing groups.

12 12 Working on (longer term) Inter-organizational incident tracking system –RENOIR; use of IODEF, worked on in SALSA CSI2 Malware sandbox

13 13 Upcoming activities Abilene Operational Security Exercise –First held November 2005: ▪ Day-long “table top” exercise (talking only, no flows) ▪ Abilene backbone infrastructure attacks, 2 scenarios ▪ Report identifies ~40 observations –Second to be held fall 2006(?) ▪ Plan to include domestic and international participants ▪ If you’re interested to participate and/or have ideas please see me!

14 14 Members 200 members, 111 institutions Currently ~<50% of Abilene Participants are REN- ISAC members. Making an effort to get all Participants and Connectors enrolled as REN-ISAC members. –http://www.ren-isac.net/membership.htmlhttp://www.ren-isac.net/membership.html

15 15 Some numbers During the first quarter of 2006 REN-ISAC sent: –notifications to 466 distinct.EDU sites regarding ▪ 192 botnet c&c's, ▪ 9839 bot zombies, ▪ over 400 worm infected systems, ▪ 17 DDoS events, ▪ 49 other assorted abuses, and ▪ 13,807 bot zombies to non-edu mitigation groups.

16 16 REN-ISAC Membership To –Join the vetted membership –Receive REN-ISAC information product –Participate in information sharing http://www.ren-isac.net/membership.html Doug Pearson PGP: http://mypage.iu.edu/~dodpears/dodpears_pubkey.asc Research and Education Networking ISAC 24x7 Watch Desk: +1(317)278-6630 ren-isac@iu.edu http://www.ren-isac.net http://mypage.iu.edu/~dodpears/dodpears_pubkey.asc

Download ppt "1 REN-ISAC Update Research and Education Networking Information Sharing and Analysis Center Joint Techs Madison WI July 2006."

Similar presentations

INDIANAUNIVERSITYINDIANAUNIVERSITY Abilene Security Exercise James Williams Director – International Networking and Operational Assurance Indiana University.

INDIANAUNIVERSITYINDIANAUNIVERSITY Abilene Security Exercise James Williams Director – International Networking and Operational Assurance Indiana University.
Network Monitoring System In CSTNET Long Chun China Science & Technology Network.

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.
REN-ISAC Research and Education Networking Information Sharing and Analysis Center AMSAC Update July 10, 2008 1.

REN-ISAC Research and Education Networking Information Sharing and Analysis Center AMSAC Update July 10,
Security BoF: What Are The Community's Open Questions? Joe St Sauver, Ph.D. or Manager, Internet2 Nationwide Security.

Security BoF: What Are The Community's Open Questions? Joe St Sauver, Ph.D. or Manager, Internet2 Nationwide Security.
A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.

A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.
Research and Educational Networking Information Analysis and Sharing Center (REN-ISAC) Doug Pearson Director, REN-ISAC

Research and Educational Networking Information Analysis and Sharing Center (REN-ISAC) Doug Pearson Director, REN-ISAC
Supplied on \web site. on January 10 th, 2008 Customer Security Management Reducing Internet fraud June 1 st, 2008 eSAC Walk Thru © Copyright Prevx Limited.

Supplied on \web site. on January 10 th, 2008 Customer Security Management Reducing Internet fraud June 1 st, 2008 eSAC Walk Thru © Copyright Prevx Limited.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Abilene Transit Security Policy Joint Techs Summer ’05 Vancouver, BC, CA Steve Cotter Director, Network Services Steve Cotter Director,

Abilene Transit Security Policy Joint Techs Summer ’05 Vancouver, BC, CA Steve Cotter Director, Network Services Steve Cotter Director,
DHS, National Cyber Security Division Overview

DHS, National Cyber Security Division Overview
Research and Educational Networking Information Analysis and Sharing Center (REN-ISAC) Mark S. Bruhn, Interim Director University Copyright.

Research and Educational Networking Information Analysis and Sharing Center (REN-ISAC) Mark S. Bruhn, Interim Director University Copyright.
REN-ISAC Update Doug Pearson, REN-ISAC Technical Director DICE 12 February 2008 Athens, Greece 1.

REN-ISAC Update Doug Pearson, REN-ISAC Technical Director DICE 12 February 2008 Athens, Greece 1.
1 REN-ISAC Research and Education Networking Information Sharing and Analysis Center Internet2 Member’s Meeting Chicago 5 December 2006.

1 REN-ISAC Research and Education Networking Information Sharing and Analysis Center Internet2 Member’s Meeting Chicago 5 December 2006.
Arbor Multi-Layer Cloud DDoS Protection

Arbor Multi-Layer Cloud DDoS Protection
© 2012 IBM Corporation IBM Security Systems 1 © 2014 IBM Corporation IBM Security Network Protection (XGS) Advanced Threat Protection Integration Framework.

© 2012 IBM Corporation IBM Security Systems 1 © 2014 IBM Corporation IBM Security Network Protection (XGS) Advanced Threat Protection Integration Framework.
REN-ISAC Research and Education Networking Information Sharing and Analysis Center.

REN-ISAC Research and Education Networking Information Sharing and Analysis Center.
Higher Education Cybersecurity Strategy, Programs, and Initiatives Rodney Petersen Policy Analyst & Security Task Force Coordinator EDUCAUSE.

Higher Education Cybersecurity Strategy, Programs, and Initiatives Rodney Petersen Policy Analyst & Security Task Force Coordinator EDUCAUSE.
Higher Education-Industry Collaborations to Improve Security Joy Hughes, George Mason University Peter Siegel, University of California, Davis Jack Suess,

Higher Education-Industry Collaborations to Improve Security Joy Hughes, George Mason University Peter Siegel, University of California, Davis Jack Suess,
BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.

BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.
China Science & Technology Network Computer Emergency Response Team Botnet Detection and Network Security Alert Tao JING CSTCERT,CNIC.

China Science & Technology Network Computer Emergency Response Team Botnet Detection and Network Security Alert Tao JING CSTCERT,CNIC.

Similar presentations

Ads by Google