
Salsa
Computer Security Incidents - Internet2 (CSI2) Working Group



Draft Charter

BACKGROUND and GOALS
Being connected to the network now means being exposed to a variety of threats. Organizations have evolved a variety of formal and informal methods for identifying, investigating and sharing information about these threats. However, the community at large still lacks a common methodology/process for communicating among its members. Operating under the umbrella of the EDUCAUSE/Internet2 Computer and Network Security Task Force, Internet2 has created this working group to address pertinent issues in this space.

The Computer Security Incidents - Internet2 (CSI2) Working Group will organize activities to identify how security incidents can be better identified and how information about the incidents can be shared to improve the overall security of the network and the parties connected to the network. To this end, the working group will publish a report identifying tools, tool output and existing information sharing frameworks as a background for future systems.

It will be difficult to make tangible progress on developing tools or procedures without understanding the policy space, particularly around security approaches that share data. This group will not be expected to promulgate policy best practices but will explore the current operational bounds on data exchange (based on existing policies) and identify what other policy questions are raised as tools are developed for data exchange and analysis.

ACTIVITIES
Discussing security incidents between organizations first requires a framework to ensure common ground. Initial discussions have identified two conversations that will need to commence, which can be broadly described as:

  • Tools: inventory of existing tools and their data output, sharing formats such as IODEF
  • Data: retention, anonymization, related policies

Tools:
The working group will inventory the tools currently used by the community to collect data regarding security incidents.* The inventory will not pass judgment about the tools, but rather be used to understand the types and formats of the data being collected.

The working group will identify existing information sharing frameworks and leverage existing semantics and syntax. Gaps or missing elements will be identified and potential solutions suggested. Policy issues relating to the sharing of data will be identified and used to frame policy discussions as previously noted. There may be some low-hanging fruit, such as shared darknet data, that can be done safely and motivate policy development.

Once the inventory is complete, the working group will encourage individual organizations to work with the Security Task Force to identify effective practices to be shared across the community at large.

Data:
Data collection inside of an organization is straightforward compared to the inter-organizational sharing of data. The working group will identify issues relating to:

  • anonymization
  • data retention policies inside of an organization
  • assumptions regarding data when shared (whose retention policy should be used)

Currently, the REN-ISAC is in a position to take a leadership role in this discussion. They are in a position to have been exposed to a wide variety of policies and will soon need to address these issues on their own. The working group will leverage work completed by the REN-ISAC and assist if gaps are identified or if alternatives are deemed necessary.


OUTPUT
The working group will be initiated with the goal to create a document similar to the NetAuth Strategies for Automating Network Policy Enforcement Document.

The goal will be to complete this document within 12 months of the charter's acceptance. Consistent with the charter, the document will outline current tools which are in use and the types of data collected. Following that, an assessment of the data should occur, identifying the subset of the data that would be useful to share. A long-term goal might be to motivate the development, via open source or commercial product, of code and tools that can assist in the data sharing.

To bootstrap the sharing of information, it will be assumed that sharing will start with fully anonymized data, and data that is not sensitive (such as darknet logs). From this point, policy implications can be explored and experience gained in the details and implications of data sharing.

With this experience, we hope that conversations about the sharing of data (ranging from full anonymization to zero anonymization) can be explored more effectively.

* Tools: We expect the list of current tools to include software such as Nessus, Snort, and Bro.

NOTE WELL: All Internet2 Activities are governed by the Internet2 Intellectual Property Framework.

 
Working Group Chair
Chris Misra, University of Massachusetts
Working Group Flywheel
Steve Olshansky, Internet2

 

Minutes of Salsa-CSI2 Conference Calls


Mailing List

To subscribe to the Salsa-CSI2 Announcement list, for news and updates, send email to sympa at internet2 dot edu, with the subject line:

subscribe <list name>
For example:
subscribe salsa-csi2-announce

To unsubscribe, send email to sympa at internet2 dot edu, with the subject line:

unsubscribe salsa-csi2-announce
 
Draft Documents

These documents are works in progress. For more information on the status of these documents, see the Internet2 Document Guidelines. For reference see also the Internet2 Document Library.

Final Documents

Presentations

Links - Overview  
Links - Technical
  • Darknet Map
    This map shows the source addresses of hosts detected by the IMS darknet network over one day in Oct 2005. (TCP packets only)
