Minutes Salsa-CSI2 Conference Call
January 4, 2007

*Attending*

Chris Misra, U. Mass (Chair)
Brian Smith-Sweeney, NYU
Phil Deneault, WPI
Doug Pearson, Indiana/REN-ISAC
Kevin Amorin, Harvard
Nick DePetrillo, OSHEAN
Steve Olshansky, Internet2
Renee Frost, Internet2
Dean Woodbeck, Internet2 (scribe)

*Action Items*
[AI] {All} Comment on Phil's RENOIR document by Jan. 9. At that time it will go public.
[AI] {Chris} Follow up with Renee by email concerning the CSI2 meeting planned for the Cambridge, MA, area. Chris and Renee will coordinate the hotel and other logistics.
[AI] {Chris} Coordinate an agenda-building call for the REN-ISAC meeting. Participating from CSI2 will be Doug, Brian and Chris.
[AI] {Doug} Organize a call to have a discussion with those who want to actively participate in getting data from their institution to the shared darknet.
[AI] {Doug, Nick} Talk off-line about how to filter some of the extraneous information that is showing up in their darknets. Doug will also send some of his data to Nick.
[AI] {Phil} Post to the list a summary of ideas concerning how to approach a data retention policy.

*Carryover Action Items*
[AI] {Chris} Send proposed dates to Renee for CSI2 working group face-to-face in Jan/Feb.
[AI] {Chris} Choose location for CSI2 working group face-to-face in Jan/Feb.
[AI] {Doug} Send requirements definitions developed by the Indiana Univ. senior project students to CSI2 list.
[AI] {Chris and Doug} Connect with NoX GigaPOP folks for Arbor information.
[AI] {Chris} Create project plan on using UMass for first data source for shared darknet.
[AI] {Nick} Normalizing data and noise reduction -- put together suggestions of what makes sense to be done at the end-user site and what makes sense to do centrally (to list and to wiki).

*Discussion Items*

*CSI2 Working Group Meeting*
After discussion, the meeting is tentatively scheduled for March 5-6 in the Cambridge, MA, area. The meeting will start Monday afternoon and continue all day Tuesday with no more than 20 people – the working group and perhaps others who might be good resources. The intent is to discuss RENOIR, the shared darknet and other projects, and map out progress and needed progress in these areas. Funding from the DoJ award will cover meals and lodging and there will be no registration fee. [AI] Chris will follow up with Renee by email to book a hotel and work out the logistics.

*REN-ISAC MEETING*
The REN-ISAC seminar following the security professionals meeting has been announced. The seminar will take place April 12, 2007, from noon until 5:30 pm. Chris reported that, with DoJ funding supporting this, we need a formal agenda, which will be developed during a call involving some CSI2 members and some REN-ISAC members. [AI] Chris will set a time for an agenda-building call for the REN-ISAC meeting. Call participants from CSI2 will be Doug, Brian and Chris.

The agenda is open. We want to focus on agenda topics appropriate for a closed, members-only meeting. There will be an open session at some other time.

Chris reported that Educause has been informed about this and that there will be a nominal registration fee to ensure people are serious about attending when they register.

*REN-ISAC REGISTRY*
The Indiana University students working on the senior class project (a PHP/MySQL application) have been on break, so the project has been on hold, but will be starting up again soon. Doug created a document that outlines the requirements for the senior project. Because of the timing, Doug wasn't able to get this document distributed to the CSI2 list for feedback. [AI] Doug will distribute the requirements document to the list. He mentioned there are some verbal agreements with the class, as well, that will not be reflected in the document.

*SHARED DARKNET*
There has been some past discussion about what would be necessary to capitalize on the work done by David Ripley at IU and start getting data into the shared darknet. UMass and others owe some data to REN-ISAC so they can start processing. [AI] Doug will organize a call to have a discussion with those who want to actively participate in getting data from their institution to the shared darknet. At a minimum, Chris at UMass and Brian at NYU will be involved.

Doug asked about sharing some shared darknet data with researchers. He has had contact from a researcher at IU who would like information such as the attacker IP, source and destination, port and protocol. Some of this could be anonymized. We need to have a discussion about the pros and cons of sharing such information.

*DATA NORMALIZATION AND NOISE REDUCTION*
Nick is working on this. He reports seeing a lot of extraneous information ending up in URI's darknet, including LimeWire and third-party BitTorrents. Doug is seeing this, too, at REN-ISAC. [AI] Doug and Nick will talk off-line about filtering out such information. Doug will also share some of the chunks of data with Nick.

*RENOIR*
The group agreed that they would read Phil's document and provide comments no later than January 9, after which time the document will be posted on the CSI2 web site.

Phil reported a discussion from the NoX meeting about how to handle data retention issues. At what point does the data become less useful and when should it be deleted? It seems that a standard policy, such as deleting data after 30 days, will not always work. If the data is the relevant dialogue pertaining to a problem, it may need to be retained indefinitely. We need to develop the criteria for a complete data retention policy.

There was a discussion about several ways to approach this problem. Brian reported that NYU has segmented data into different categories and has different policies for each. For example, relevant text files might be kept indefinitely, while the rest is cleansed more frequently.

Kevin reported that Harvard moves tickets to an archive after 60 days. If no one accesses those tickets after 60 days, they are purged. He suggests sending a summary email once a month to those associated with the tickets, letting them know that, unless they respond, the ticket will be purged.

Another option is to place a flag on a ticket somehow denoting whether it should be deleted or not. That invites the problem of managing another process, sending emails to people letting them know that the tickets may be purged. Phil also mentioned that encrypted data might be deleted after a certain time, but perhaps open tickets (those that anyone can view) might not fall off for a long time, as they may tend to provide a history of an issue or problem.

Whatever the case, Brian suggested figuring out the goals of the policy (security? database growth?) before starting a draft. He also said the policy should state that something will happen (i.e. the data will be deleted) after a certain amount of time unless someone takes action.

[AI] Phil will summarize this discussion for the list, where further discussion can take place. He will update the public RENOIR document.

Phil discussed key storage and the encryption test mechanism he developed. When you first start the program, it creates a key pair, and when you connect to the database, it uploads the public key. Your private key is also stored. When you request a new ticket, the server creates a new report key and encrypts it using your public key and the key of anyone you specify. Those are the people who will be able to access that ticket.

This started a discussion about whether the keys should be stored on the server side or the client side. It was generally agreed that this is a problem to be discussed with a white board.

Phil reported that there are four levels of security: encrypted level, limited access but unencrypted (probably the default), open ticket (anyone can do whatever they want), then REN-ISAC tickets that are more informational in nature.

Chris pointed out that the call had now exceeded one hour and that he would schedule a lot of time on the next call to continue these discussions.

The next call is scheduled for Thursday, January 18, at 2:30 pm EST.