1. Research and Educational Networking Information Analysis and Sharing Center (REN-ISAC) Mark S. Bruhn, Interim Director REN-ISAC@Indiana University Copyright Trustees of Indiana University 2003. Permission is granted for this material to be shared for non- commercial educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of Indiana University. To disseminate otherwise or to republish requires written permission from Indiana University (via email to itpo@iu.edu)

2. Basics Part I Sharing experiences and practices amongst organizations has long been known to improve operations in those individual organizations, and in those communities Security information sharing was encouraged by Presidential (Clinton) Decision Directive 63 Various sectors of the economy experience different events and threats Sharing amongst sectors, with assurances that proprietary information will be protected, increases the scope and the resulting benefit of that sharing

3. Basics Part II The National Infrastructure Protection Center (now part of the Department of Homeland Security) was tasked to coordinate sharing centers representing various sectors Higher education was NOT represented in the initial structure, and so did not participate in (or benefit from) this scheme Interactions between Indiana University, EDUCAUSE, and Internet2, with Clarke and others in US government lead to discussions of higher education representation The Educause/Internet2 joint security task force encouraged the creation of a “higher education sharing center”

4. Basics Part III Indiana University has a unique view of various national and international R&E networks, including Abilene Global NOC monitors networks 24x7 Network and Security Engineers are some of the best in the country Advanced Network Management Lab (Wallace) located at IU is involved in advanced security research Network instrumentation provides specific information about security events REN-ISAC an enhancement of security services provided by IU to the Internet2 community Hosting REN-ISAC (as part of national ISAC structure) at Indiana University was formalized in D.C. on February 21, 2003

5. REN-ISAC “Members” Basic REN-ISAC members are all U.S. universities and colleges that are connected to national R&E networks. Campuses connected to Abilene are the initial core members –Contact information will be gleaned from information held by the GNOC, augmented with information for campus incident response functions –Abilene-connected sites will have a means to register other individuals or functions Extended members are any universities and colleges interested in receiving ISAC reports –Campuses will be given a means to register and maintain contact information REN-ISAC service will be 24x7 –To make full use of REN-ISAC services, campuses are encouraged to identify a 24x7 contact person or persons, if they do not have a 24x7 operation

6. REN-ISAC: Basic Functions The ISAC will receive and analyze operational, threat and warning, and actual attack information: –Received from the NIPC, other ISACs, and other sources –Received from ISAC member campuses related to incidents on local network backbones –Received from network engineers related to incidents on national R&E network backbones –Derived from network instrumentation Analysis would be performed related to: –Unscheduled outages and degraded operations –Security-related events such as DDoS attacks, virus alerts, systematic network vulnerabilities scanning, systematic spoofing –Other anomalies that constitute or may constitute a serious threat to the networks and associated systems of the REN- ISAC membership

7. REN-ISAC Reporting General periodic reports from the REN-ISAC will be sent as a result of –Proactive monitoring of network instrumentation, where an anomaly has been detected by staff of the “REN-ISAC Watch Desk” –Reports from member campuses related to serious degradation from an as-yet-unknown cause, or where that organization reports that their systems are being used to source, or are being victimized by, a network attack of some type –Requests for information/analysis related to specific reports of degradation or attacks from specific campuses, government agencies, or other sector ISACs

8. REN-ISAC: Reports to Members To the seemingly-affected campuses (victims or sources), in real-time, so that those organizations can immediately identify and stop the activity, and/or recover and repair as necessary Generally to all member campuses as soon as possible during the business days following an event, where incident information could help those organizations improve security and/or avoid future impact To all or specific contacts in other national and regional ISACs, in real-time or as soon as possible during the following business days, where incident information could help members of those associations improve security and avoid future impact

9. REN-ISAC: Reports to the NIPC In real-time, for anomalies that are negatively impacting the operation of a [number of member campuses] Post-event, where an event did not, but had the potential to negatively impact the operation of a [number of member campuses] Significant network degradation -- failure of several nodes or unusual latency Loss or degradation of REN-ISAC network monitoring capability – portions of the networks aren’t visible Reporting to the NIPC will generally NOT identify specific member campuses, unless the campuses involved agree to have their identities included –In cases where there is an active investigation by law enforcement, the involved campuses will be given contact information for the investigating agency and encouraged to make that contact unilaterally

10. ISAC Futures A Higher Education ISAC with a broader service set is needed, to deal with other campus security issues (system, virus, assessment, etc.) REN-ISAC may be/could be expanded to encompass these services