Salsa-CSI2 Conference Call
March 29, 2007

**Attending**

Chris Misra, U. Mass (Chair)
Doug Pearson, Indiana/REN-ISAC
Phil Deneault, WPI
Brian Smith-Sweeney, NYU
Joel Rosenblatt, Columbia Univ.
Elliott Kendall, Brandeis Univ.
Steve Olshansky, Internet2
Renee Frost, Internet2
Dean Woodbeck, Internet2 (scribe)

**Action Items**

[AI] {Doug and Elliott} will talk about possible Brandeis interest in
participating in the shared darknet.

[AI] {Doug} will follow up with MIT about the use of GRE tunnels for
submitting data to the shared darknet.

[AI] {Chris} will touch base with Joe St. Sauver on the process for
developing a tools taxonomy.

[AI] {All} Refine thoughts on the information Brian provided to the
email list concerning a tools taxonomy and identifying effective
tools, and defining the problem space of a shifting landscape.

*Carryover Action Items*

[AI] {Doug and Brian} and possibly others will discuss proposed
participation guidelines for the shared darknet.

[AI] {Dean} and {SteveO} will prepare a draft report from the
Cambridge Face2Face and distribute a draft to the list for review by
March 23.

[AI] {Chris} Add WCLSCAN (a Japanese network monitoring project) to agenda.

[AI] {TBD} Normalizing data and noise reduction -- put together
suggestions of what makes sense to be done at the end-user site and
what makes sense to do centrally (to list and to wiki).

*****

The minutes from March 15, 2007, are approved as submitted to the email list.

**CSI2 Face2Face Meeting Follow-Up**

Dean and SteveO have been working on the report and it is close. The
report will go to the list, then go to DoJ, and then will be posted
publicly.

Other next steps:
RENOIR: We have a sense of next steps, based on Phil's list from last call.

Shared Darknet: The "next step" areas include the participation
agreement, a policy document, and questions about data retention
(including issues on anonymization).

Open Source security tools: Brian posted some thoughts to the email list today.

**Shared Darknet**

At this point, Indiana University and NYU are participating. Others
are also working on participating. Doug also has some follow-up to do
with some of the participants of the CSI2 Face2Face. Cornell may be a
good candidate, since they are doing NetFlow very much like NYU.

Doug reported that normalization scripts are complete for NetFlow and
the University of Michigan IMS-based system, and the script is almost
completed for Argus. REN-ISAC is still working through policies and
reporting issues. Elliott Kendall expressed interest in Brandeis
participating.

Doug will follow up on additional input mechanisms, including Argus
and GRE tunnels (MIT).

**Security Professionals Conference**

Doug provided an agenda in February for the REN-ISAC face-to-face and
there have been no major changes. The head count is at about 70. This
is being done as a post-conference seminar on April 12, 2007.

The REN-ISAC BoF will take place Wednesday night (April 11) and will
be oriented toward new people with questions about signing up.

A CSI2 dinner will also be held Wednesday night (April 11) at 6:30 pm.
It will be a working dinner and the working group will touch base on
various projects.

**RENOIR**

Phil and Chris are meeting with Pat Kane (Boston College) of the
anti-phishing working group on March 30 to discuss IODEF. The
anti-phishing group uses IODEF, as will RENOIR.

**Security Tools**

Brian sent an email to the list reviewing the Face2Face discussion of
a tools document. The advantage of this document and tool taxonomy
is that it will provide information about the niche that each tool is
trying to fill. The email also discussed the audience (who the taxonomy is
aimed at): 1) people who have money and want to buy a tool, so they
look to see what is there; and 2) people who know what they want and
need to know which tool provides their needed functionality.

In addition to the tool taxonomy, the working group discussed
addressing the shifting landscape and why some tools are no longer as
effective as they used to be. Part of this issue is context-sensitive;
that is, the tool may or may not be effective, depending on the
problem an organization is trying to solve.

Elliott asked if there are plans for a "best practices" document, such
as a quick list of tools that will help you immediately. Doug replied
that there are efforts underway within Educause, Internet2 and the
CSI2 working group. Joe St. Sauver (Internet2/University of Oregon) is
involved in all three of these, so they are really one effort but with
different contexts. In addition, it would be nice to have a "top 5"
list of tools for an institution that is just developing a security
program.

[AI] {Chris} will touch base with Joe St. Sauver on the process for
developing this taxonomy to ensure that there isn't a duplication of
efforts.

[AI] {All}: Refine thoughts on the information Brian provided to the
email list concerning a tools taxonomy and identifying effective
tools, and defining the problem space of a shifting landscape.

**Next call: April 26, 2007**