Research and Education Networking Information Sharing and Analysis Center REN-ISAC Doug Pearson Director, REN-ISAC Copyright.

Presentation transcript:

Research and Education Networking Information Sharing and Analysis Center REN-ISAC Doug Pearson Director, REN-ISAC Copyright Trustees of Indiana University Permission is granted for this material to be shared for non-commercial educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of Indiana University. To disseminate otherwise or to republish requires written permission from Indiana University (via to

2 Background Supported by Indiana University and through relationship with EDUCAUSE and Internet2, the REN-ISAC: is an integral part of the U.S. higher education strategy to improve network security through information collection, analysis, dissemination, early warning, and response; specifically designed to support the unique environment and needs of organizations connected to served higher education and research networks, and supports efforts to protect the U.S. national cyber infrastructure by participating in the formal U.S. ISAC structure.

3 Community Served
Phase I (current): Internet2 membership
Phase II (entering): Internet2 and EDUCAUSE membership
Phase III (to come): reach out to all of U.S. higher education through staged approaches, e.g. state networks, associations of small colleges, etc.

5 an integral part of higher education’s strategy… Complementary Relationships
REN-ISAC has core complementary relationships with:
–EDUCAUSE
–Internet2
–EDUCAUSE and Internet2 Security Task Force
–IU Global NOC and Abilene network engineering
–IU Advanced Network Management Lab
–IU Information Technology Security Office
–US Department of Homeland Security & US-CERT
–IT-ISAC
–ISAC Council
–SALSA

7 supports efforts to protect national cyber infrastructure… Complementary Relationships
US Department of Homeland Security - Information Analysis and Infrastructure Protection Directorate has the objective to implement the national strategy and to promote public/private partnerships for information sharing and analysis – ISACs. ISACs are encouraged in each critical sector of national security and the economy, e.g. IT, water, agriculture, energy, transportation, finance, etc.
ISAC Council is a body of the private sector ISACs that promotes cooperation, sharing, and relations with DHS.
National Cyber Security Partnership is a public-private collaboration focused on strategies and actions to assist the DHS National Cyber Security Division in implementation of the President’s National Strategy to Secure Cyberspace.

9 information collection, analysis, dissemination… Information Resources
Network instrumentation: Abilene NetFlow data; Abilene router ACL counters; Darknet; Global NOC operational monitoring systems
Daily cybersecurity status calls with ISACs and US-CERT
Vetted/closed network security collaborations
Backbone and member security and network engineers
Vendors, e.g. monthly ISAC calls with vendors
Security mailing lists, e.g. EDUCAUSE, FIRST, etc.
Members – related to incidents on local networks

10 information collection, analysis, dissemination… Abilene NetFlow Analysis Through partnership with Internet2 and the IU Abilene NOC, the REN-ISAC has access to Abilene NetFlow data. In conjunction with the IU Advanced Network Management Lab the NetFlow data is analyzed to characterize general network security threat activity, and to identify specific threats.

11 information collection, analysis, dissemination… Abilene NetFlow Policy
REN-ISAC & Internet2 NetFlow data policy agreement, highlights:
–Data is anonymized to /21. Under perceived threat and at the request of involved institutions the REN-ISAC can selectively turn off anonymization.
–Publicly reported information is restricted to aggregate views of the network. Information that identifies specific institutions or individuals cannot be reported publicly.
–Detailed and sensitive information must be communicated with designated representatives of the affected institutions and refer only to local activity, unless otherwise authorized.

12 information collection, analysis, dissemination… Abilene NetFlow Analysis Custom analysis –Aggregate reports –Detailed reports Data anonymized to /21

13 information collection, analysis, dissemination… Abilene NetFlow Analysis – Traffic Grapher
An IU ANML-developed tool. Graphs NetFlow by source and destination IP port numbers, IP addresses and networks (in CIDR format), and AS numbers; ICMP, TCP or UDP. Optimized performance.

14 information collection, analysis, dissemination… Traffic on Common and Threat Vector Ports Utilize Traffic Grapher to provide public views of Abilene traffic on common application and threat vector ports. Also utilize ACL counters in Abilene routers to collect and publish similar views.

18 information collection, analysis, dissemination… Arbor PeakFlow Analysis on Abilene Processes Abilene NetFlow data Intelligent identification of anomalies Abilene is by nature an anomalous network, e.g. bursts of high bandwidth flows. Need to: –Tune the PeakFlow system to reduce false alerts. –Incorporate into standard watch desk procedure. How to effectively share the information gained via Arbor?

21 information collection, analysis, dissemination… REN-ISAC Darknet A darknet is: –A block of routed IP space, typically /24 or larger, that contains no hosts other than the darknet collector. The collector listens to all traffic directed at the address block, hearing worm scanning and backscatter. The collector may optionally syn-ack connection requests in order to attempt to collect worm payload.

22 information collection, analysis, dissemination… REN-ISAC Darknet
REN-ISAC in participation with the Internet Motion Sensor.
Send aggregate reports to community and host-specific reports to owning institutions, e.g.:
port 135/TCP
  :00:01 your.host.address.here
  :00:02 your.host.address.here
  :00:03 your.host.address.here
  :01:01 your.host.address.here
port 445/TCP
  :00:01 your.host.address.here
  :00:02 your.host.address.here
  :00:03 your.host.address.here
  :01:01 your.host.address.here
ETC...

24 early warning, and response… Warning and Response REN-ISAC Watch Desk –24 x 7 –Co-located and staffed with the Abilene NOC –+1 (317) Public reports to the U.S. higher education community regarding analysis at aggregate views. Private reports to institutions regarding active threat involving their institution.

25 early warning, and response… Warning and Response Daily Reports –REN-ISAC Weather Report –Darknet Report Alerts Public views from monitoring systems

26 early warning, and response… Weather Report Daily Weather Report distributed via to closed/vetted communities, including: –REN-ISAC members –Inter-ISAC + DHS cybersecurity community Contains aggregate observations of threat traffic based on: –Abilene netflow –REN-ISAC darknet

27–33 Daily REN-ISAC Weather Report (screenshot slides). Sections shown: CRITICAL NOTICES; NEW WATCHES; ABILENE NETFLOW ANALYSIS; DARKNET MONITOR – TOP PORTS; NOTES; REFERENCES.

34 early warning, and response… Darknet Report Daily per-institution reports sent to REN-ISAC members: Contains observations from the REN-ISAC darknet of worm/scanning/etc. activity seen originating at the member networks.

35–39 Daily REN-ISAC Darknet Reports (screenshot slides). Shown: individual report per institution; list of darknet hits by source IP; list of watched networks; time-stamped detail files.
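As an added illustration (not code from the presentation or from REN-ISAC), the following Python sketch shows the two views the deck describes: the aggregate view with source addresses anonymized to /21 as in the NetFlow policy, and the private per-institution darknet report that lists full source addresses only for watched networks. The hits, institution names and address blocks are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of darknet collector hits: (UTC timestamp, source IP, dst port, proto).
# The addresses are documentation ranges, not real observations.
SAMPLE_HITS = [
    ("2005-01-12 00:00:01", "192.0.2.17", 135, "TCP"),
    ("2005-01-12 00:00:02", "192.0.2.17", 445, "TCP"),
    ("2005-01-12 00:00:03", "192.0.2.200", 445, "TCP"),
    ("2005-01-12 00:01:01", "198.51.100.9", 5900, "TCP"),
    ("2005-01-12 00:01:05", "198.51.100.9", 5900, "TCP"),
    ("2005-01-12 00:02:00", "203.0.113.42", 6101, "TCP"),
]

# Constructed "watched networks" table: address blocks a member institution has
# registered (hypothetical institution names, stand-ins for Registry address blocks).
WATCHED_NETWORKS = {
    "Example University": [ipaddress.ip_network("192.0.2.0/24")],
    "Sample College": [ipaddress.ip_network("198.51.100.0/24")],
}


def anonymize(ip: str, prefix: int = 21) -> str:
    """Mask an address to its /21 block, the granularity the NetFlow policy allows
    for anything that is not going to the affected institution itself."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def owning_institution(ip: str):
    """Return the watched institution whose block contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for inst, blocks in WATCHED_NETWORKS.items():
        if any(addr in block for block in blocks):
            return inst
    return None


def top_ports(hits, n: int = 3):
    """Aggregate view for the Weather Report: hit counts per destination port/proto."""
    counts = defaultdict(int)
    for _, _, port, proto in hits:
        counts[(port, proto)] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def aggregate_sources(hits):
    """Public view: distinct sources after /21 anonymization (no host identification)."""
    return sorted({anonymize(src) for _, src, _, _ in hits})


def institution_reports(hits):
    """Private per-institution reports: full source addresses grouped by source IP,
    only for sources inside a watched network; unwatched sources are omitted."""
    reports = defaultdict(lambda: defaultdict(list))
    for ts, src, port, proto in hits:
        inst = owning_institution(src)
        if inst is not None:
            reports[inst][src].append((ts, port, proto))
    return {inst: dict(by_src) for inst, by_src in reports.items()}


def render_report(inst, by_src) -> str:
    """Render one institution's report: hits by source IP with time-stamped detail."""
    lines = [f"REN-ISAC darknet report for {inst}"]
    for src in sorted(by_src, key=ipaddress.ip_address):
        lines.append(f"  {src}: {len(by_src[src])} hit(s)")
        lines.extend(f"    {ts} -> {port}/{proto}" for ts, port, proto in by_src[src])
    return "\n".join(lines)


if __name__ == "__main__":
    print("Top ports:", top_ports(SAMPLE_HITS))
    print("Anonymized sources:", aggregate_sources(SAMPLE_HITS))
    for inst, by_src in institution_reports(SAMPLE_HITS).items():
        print(render_report(inst, by_src))
```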

40 early warning, and response… Alerts Alerts are sent as required, distributed to: –REN-ISAC members and, as appropriate to: –Inter-ISAC + DHS cybersecurity community –UNISOG –EDUCAUSE security mailing list –NSP-SEC

41 Alerts: Example 1 Increased activity on TCP/5900; VNC backdoors? ALERT: “Increased activity on destination TCP/5900 – possibly scanning for VNC servers or for trojan’d systems with VNC backdoor.” “Observed in the REN-ISAC darknet...” “TCP/5900 is used by...” “Bugtraq lists a number of vulnerabilities” “We recommend…”

42 Alerts: Example 2 URGENT block recommendation ALERT: “URGENT block recommendation” “We recommend that institutions block these domains at their name servers and block the addresses at their border.” “... IFRAME vulnerability is being used to install malware…” References…

43 Alerts: Example 3 TCP/6101 scan activity increasing ALERT: “The REN-ISAC has started seeing scans against TCP/6101 beginning Wednesday, Jan 12…” “TCP/6101 scans are scouting for systems on which to attempt to exploit the Veritas BackupExec Agent vulnerability.” List of scanning hosts. “… we’re contacting the host institution or upstream provider…”

45 dissemination… Communications Challenge Early warning and response to threat requires the communication of timely and sensitive information to designated contacts. The proper contact is one who can act immediately, with knowledge and authority upon conveyed information, and who is cleared to handle potentially sensitive information. Publicly published contact points rarely serve those requirements. Privacy considerations prevent deep and rich contact information from being publicly published.

47 dissemination… REN-ISAC Cyber Security Registry To provide contact information for cyber security matters in US higher education, the REN-ISAC is developing a cyber security registry. The goal is to have deep and rich contact information for all US colleges and universities. The primary registrant is the CIO, IT Security Officer, organizational equivalent, or superior. All registrations will be vetted for authenticity. Primary registrant assigns delegates. Delegates can be functional accounts. Currency of the information will be aggressively maintained.

48 dissemination… REN-ISAC Cyber Security Registry Aiming for 24 x 7 contact, with deep reach – a decision maker, primary actor, with clearance for sensitive information. Optional permissions for REN-ISAC to send reports regarding threat activity seen sourced from or directed at the institution – reports may identify specific machines. Related Registry information to serve network security management and response: –address blocks –routing registry –network connections (e.g. Abilene, NLR)

49 dissemination… REN-ISAC Cyber Security Registry Registry information will be: –utilized by the REN-ISAC for response, such as response to threat activity identified in Abilene NetFlow, –utilized by the REN-ISAC for early warning, –open to the members of the trusted circle established by the Registry, and –with permission, proxied by the REN-ISAC to outside trusted entities, e.g. ISP’s and law enforcement.

57 dissemination… REN-ISAC Cyber Security Registry The Registry will enable: –Appropriate communications by the REN-ISAC –Sharing of sensitive information derived from the various information sources: Network instrumentation; including netflow, ACL counters, and, operational monitoring systems Daily security status calls with ISACs and US-CERT Vetted/closed network security collaborations Backbone and member security and network engineers Vendors, e.g. monthly ISAC calls with vendors Members – related to incidents on local networks

58 dissemination… REN-ISAC Cyber Security Registry The Registry will enable: –Sharing among the trusted circle members –Establishment of a vetted/trusted mailing list for members to share sensitive information –Access to the REN-ISAC / US-CERT secure portal –Access to segmented data and tools: Segmented views of netflow information Per-interface ACLs Other potentials that can be served by a federated trust environment

59 Summary of Activities
Within US higher education, provide warning and response to cyber threats and vulnerabilities; improve awareness, information sharing, and communications.
Support efforts to protect the national cyber infrastructure by participating in the formal U.S. ISAC structure.
Receive, analyze, and disseminate network security operational, threat, warning, and attack information.
REN-ISAC Cyber Security Registry.
Operational 24 x 7 watch desk.
Daily information sharing with ISACs, US-CERT, DHS and others.
Cultivate relationships and outreach to complementary organizations and efforts.

60 Opportunities for Collaboration with APAN?
Tools –Netflow tools –Darknet information analysis tools
Information sharing –Such as daily reports and darknet information
Common published views of activity –Such as port traffic
Other?

61 Links REN-ISAC – Internet2 – EDUCAUSE – EDUCAUSE and Internet2 Security Task Force – Indiana University Global NOC – IU Internet2 Abilene network engineering – SALSA: –

62 Links IAIP Daily Open Source Report – IU Advanced Network Management Lab – IU Information Technology Security Office – IT-ISAC – US-CERT – Flow Tools –