About REN-ISAC: Basic Functions and History

Supported by Indiana University and through its relationship with EDUCAUSE and Internet2, the REN-ISAC is an integral part of higher education's strategy to improve network security through information collection, analysis and dissemination, early warning, and response. It is specifically designed to support the unique environment and needs of organizations connected to the higher education and research networks it serves, and it supports efforts to protect the national cyber infrastructure by participating in the formal U.S. ISAC structure.

The REN-ISAC receives, analyzes and acts on operational, threat, warning and actual attack information derived from network instrumentation and information sharing relationships. Instrumentation data include netflow, router ACL counters, darknet monitoring, and Global Network Operations Center operational monitoring systems. Information sharing relationships are established with other ISACs, DHS/US-CERT, private network security collaborations, network and security engineers on national R&E network backbones, and the REN-ISAC members.

Analysis and information sharing cover security-related events such as DDoS attacks, virus and worm activity, and systematic network vulnerability scanning; unscheduled outages and degraded operations; and other anomalies that constitute or may constitute a serious threat to the networks and associated systems of the REN-ISAC membership or national cyberinfrastructure.

The REN-ISAC leverages resources of the Global Network Operations Center and Advanced Network Management Lab at Indiana University. Through its 24x7 network management activity, the Global NOC has a unique view of national and international R&E networks, including Abilene, National LambdaRail, and TransPAC. The Advanced Network Management Lab is engaged in advanced network security research and development.

The Research and Education Networking - Information Sharing and Analysis Center (REN-ISAC), as part of the national ISAC structure, was formalized in D.C. on February 21, 2003.


The development of ISACs was encouraged by Presidential Decision Directive (Clinton PDD 63: Protecting America's Critical Infrastructures), to serve as the "mechanism for gathering of vulnerabilities, threats, intrusions, and anomalies" information from participating institutions, analyzing and developing a recommended response, and disseminating information so that the member institutions can better defend and secure their technology environment and operations. From Executive Order on Critical Infrastructure Protection in the Information Age (October 16, 2001): "The President shall designate a Chair and Vice Chair to enhance the partnership of the public and private sectors in protecting information systems for critical infrastructures and provide reports on this issue to the President, as appropriate; and propose and foster improved cooperation among the ISACS, the NIPC, and other federal government entities."

Subsequently, The National Strategy to Secure Cyberspace (February 2003) states:

"The National Cyberspace Security Response System is a public-private architecture, coordinated by the Department of Homeland Security, for analyzing and warning; managing incidents of national significance; promoting continuity in government systems and private sector infrastructures; and increasing information sharing across and between organizations to improve cyberspace security. The National Cyberspace Security Response System will include governmental entities and nongovernmental entities, such as private sector information sharing and analysis centers (ISACs)."

The Department of Homeland Security Information Analysis and Infrastructure Protection Directorate coordinates the government's relationship with the formal private-sector ISAC structure. ISACs represent various sectors of the economy, including, among others, Energy, Transportation, Technology, and state and local governments. Indiana University signed an agreement with the NIPC on February 21, 2003, to associate the REN-ISAC with this formal structure.


Like industry-specific ISACs, the REN-ISAC acts as the security information collection, analysis, dissemination, and early-warning organization specifically designed to support the unique environment and needs of organizations connected to the higher education and research networks it serves. With various information inputs at its disposal, the REN-ISAC has a unique aggregate view of the current and near-future security situation in the higher education community.

Information is collected from instrumentation on network backbones, incident reports from connected providers and campuses, and interactions with government and law enforcement agencies, commercial technology providers, and other industry ISACs. With these inputs and with appropriate synthesis and analytic tools, along with access to experienced incident response staff, the REN-ISAC is distinctively positioned to provide early warning about imminent threats, along with applicable response or self-defense advice, to the higher education and research networking community.