SALSA-CSI2
conference call
March 30, 2006
*Attendees*
Chris Misra, U. Mass (Chair)
Phil Deneault, WPI
Brian Smith-Sweeney, NYU
Chas DiFatta, CMU
Nick DePetrillo, OSHEAN
Charles Yun, Internet2
Steve Olshansky, Internet2
Jessica Bibbee (scribe)
New *Action Items*
[AI] {Chris} will organize a call next week for a technical discussion of the diagrams.
[AI] {Volunteers} are needed to contribute to the Shared Darknet document; contact {Chris}.
[AI] {Nick} will email the list with information regarding noise reduction from darknets.
Carry-over *Action Items*
[AI] {Group} will send related link suggestions for the CSI2 website to {SteveO.} (16-Mar-06)
[AI] {Group}: if anyone has suggestions on noise reduction approaches for darknet data, please float them to the list. (16-Mar-06)
*Discussion*
The SALSA-CSI2 Working Group website is now available: <http://security.internet2.edu/csi2>.
There will be a CSI2 dinner on Monday at the upcoming EDUCAUSE & Internet2 Security Professionals Conference, April 10-12; contact {SteveO} if you plan to attend. In addition, the conference has the following two sessions of interest:
- Building a Campus DShield - <http://educause.edu/SEC06/Program/8339?PRODUCT_CODE=SEC06/SESS16>
- Mining Flows for Intrusion Data - <http://educause.edu/SEC06/Program/8339?PRODUCT_CODE=SEC06/SESS18>
The Spring 2006 Internet2 Member Meeting will be on April 24-26 <http://events.internet2.edu/2006/spring-mm/>. There will be a number of security track sessions, including an EDDY presentation by {Chas and Mark Poepping}.
{Phil} discussed his three RENOIR diagrams, which are now located on the wiki: Shared Darknet Reporting, Daily Weather Reports, and General Incident Handling. The diagrams prompted discussion regarding the movement of data in darknets – how to transport, integrate, etc. Is all (flow) data anonymized before leaving, and does that really ensure security at any scale? The diagrams will remain working documents until more information (on EDDY, etc.) can be added.
Reporting is a mechanism for campuses to transfer data and handle incidents. It is important to have a central location for inserting events or incidents into a system where it can then be handed back to the community or aggregated to a larger space, such as REN-ISAC.
{Chas} shared how CMU normalizes Argus data, puts it into their Information Security Office where it becomes an EDDY dragnet; it is then possible to see who are the top talkers at any point in real time. He suggested a document detailing use cases would prove a useful tool for specifying desirable characteristics of a system.
The RENOIR file discusses methods for managing the structure used to organize data efficiently. Events can be classified according to three levels: LEVEL 1 – incident or flow data (raw event), LEVEL 2 – cooked data, and LEVEL 3 – analyzed data. The correlation header is meant for routing events – securing transport, routing, filtering, and operation (anonymizing, consuming, etc.) of events. Scale becomes an issue as events are stored in real time. Other feedback mechanisms include event and query channels; there is still a need for a common log format so that data can be manipulated easily via a variety of tools. The Group discussed the building of an inter-institutional security system – what needs to be done, and how it should be done. [AI] {Chris} will organize a call next week for a technical discussion of the diagrams.
{Brian} commented on {Doug Pearson's} email regarding darknets – how to define them, various uses, etc. Who should be responsible for scrubbing data – the source or REN-ISAC? {Chas} raised several questions regarding ownership of data – how will it be used, how are institutions permitted to pass it on, and is there policy regarding insertion of tracers within a darknet? Before these questions can be answered, the definition of data must be clearly agreed upon. This topic will be carried over onto the mailing list or the next WG call.
The Group agreed to detail shared networking with examples. [AI] {Volunteers} are needed to contribute to the Shared Darknet document; contact {Chris}.
{Nick} gave an update on distributed IDS. He discussed being able to click on an alert and view a generated graph with darknet data. Formatting is still in process, but there is funding, hardware, and data for the project. He is trying to keep a manageable number of events in the database (a couple thousand per location) without overloading it. [AI] {Nick} will email the list with information regarding noise reduction from darknets.
The next SALSA-CSI2 WG call will be Thursday, April 13, 2006 at 2:30pm ET.