Salsa-CSI2 Conference Call
January 18, 2007

*Attending*

Chris Misra, U. Mass (Chair)
Joe St. Sauver, U. Oregon
Brian Smith-Sweeney, NYU
Steve Olshansky, Internet2
Dean Woodbeck, Internet2 (scribe)

*Action Items*
[AI] {Chris} Send note to CSI2 list with time of conference call to build the agenda for the REN-ISAC members meeting.
[AI] {Chris} Send agenda for CSI2 face-to-face to CSI2 list.
[AI] {ALL} RSVP for CSI2 face-to-face on March 5-6. RSVP no later than Jan. 23 (TO WHO?)

*Carryover Action Items*
[AI] {Chris} Follow-up with Renee by email concerning the CSI2 meeting planned for the Cambridge, MA, area. Chris and Renee will coordinate the hotel and other logistics.
[AI] {Chris} Coordinate an agenda-building call for the REN-ISAC meeting. Participating from CSI2 will be Doug, Brian and Chris.
[AI] {Doug} Organize a call to have a discussion with those who want to actively participate in getting data from their institution to the shared darknet.
[AI] {Doug, Nick} Talk off-line about how to filter some of the extraneous information that is showing up in their darknets. Doug will also send some of his data to Nick.
[AI] {Phil} Post to the list a summary of ideas concerning how to approach a data retention policy.
[AI] {Doug} Send requirements definitions developed by the Indiana Univ. senior project students to CSI2 list.
[AI] {Chris and Doug} Connect with NoX GigaPOP folks for Arbor information.
[AI] {Chris} Create project plan on using UMass for first data source for shared darknet.
[AI] {Nick} Normalizing data and noise reduction -- put together suggestions of what makes sense to be done at the end-user site and what makes sense to do centrally (to list and to wiki).

*Discussion Items*

*REN-ISAC Meeting*
The announcement has been sent for the REN-ISAC member meeting, April 12, 2007, following the security professionals conference. The member meeting will take place from noon until 5:30 pm, with a couple of presentations planned. The registration fee will be $30-$35. An agenda-building conference call will take place sometime next week. Doug, Brian and Chris will be involved from CSI2. There will also be at least two REN-ISAC members on the call. [AI] {Chris} Chris will send a note to the CSI2 list with the time of the call.

*Shared Darknet*
Brian reported that he has been talking to David at REN-ISAC on the current status of data collection. David has a good plan for retrieving data from different sites (SCP). Data will be retrieved on a daily basis with date and time stamps. All major file flow formats are covered. Brian believes the system is ready to go, with conversions taking place and anonymization taking place on the client side. We hope to have 3-4 data sources worked out in the next couple of weeks.

*CSI2 Working Group Meeting*

The CSI2 working group meeting is scheduled for March 5-6 in Cambridge, MA, with the hotel to be determined. The DoJ grant will fund the registration fee and hotel costs. [AI] {Chris} Chris will send an abstract to the CSI2 list. [AI] {ALL} RSVP for working group meeting no later than Jan. 23 to Chris and SteveO.

Chris asked for recommendations on agenda items. The agenda will include some of the issues from the regular conference calls:

RENOIR – We will talk in detail about encryption of tickets and the transport of data across RENOIR.

Shared darknet – We will discuss how to get useful data out of shared darknet data, the goals we are trying to meet, and what intelligence we are trying to pull out of the data.

Other tool sets – What other tool sets should this group be investigating/recommending to people? REN-ISAC is working on some things that might be useful. Are there other security tools that are not yet developed that we could put some effort into? What needs do we perceive in the community? What tools might we develop or what existing tools might we recommend? Part of the working group’s charter is to assess and evaluate current tools. This might be a poster board/white board discussion.

There was a discussion about the types of issues and tool sets that CSI2 might investigate. Joe discussed the rise of firewalls and encrypted traffic and how that has led to more agent-based tools that probe for vulnerabilities. There does not seem to be a consensus around open source agent-based tools.

Brian mentioned that there have been changes in the landscape, such as in malware and attacker activity, that make some tools less useful or obsolete. Scanning tools, for example, are less useful than they used to be, but no one seems to be looking at what is no longer working. What do we need to address new threats coming up?

Chris agreed, saying that there is marketing value in looking at what isn’t being solved and what isn’t working. One question to ask: if you were bringing up a security team now, what should you spend your time on? Steve said a report from this meeting, about this topic, would provide an opportunity to communicate to the vendor community—this is what we aren’t seeing in your product offerings and would like to see.

Another area not being developed is event management and intelligent event correlation, according to Brian. This is another potential area for discussion and development. Another is protection of sensitive data – there is almost nothing in the open source area on that issue.

Joe said that e-discovery has the potential to overwhelm system administrators and IT professionals. Some attorneys are starting to specialize in this area of the law. Distributed systems make this a difficult problem. If you were required to gather documents and emails related to Topic X, and a lot of the data are on distributed systems, how would you ever retrieve it? What are some ways to approach complicated data retention policies?

Chris brought up another topic area: web application assessment space, which includes automated or semi-automated tools that will probe a web-based application for known weaknesses. Should the working group be looking at that? Brian said he believes so. Even if the working group didn’t do a lot of development work, there would be value in recommending any open source applications/tools that currently exist.

***
Recapping the Topic List

RENOIR
Shared Darknet
Agent-based tools
Trends in malware/attacker activity
Event correlation
Protection of sensitive data
e-discovery
Relevance of data retention and having data retention policies
Web application assessment space

*******************************

The next call is scheduled for Thursday, February 1, at 2:30 pm EST.