Tuesday, June 22
1 - 2:30 PM ET—REN-ISAC Welcome / Year in Review (Members Only)
Kim Milford, Executive Director
Todd Herring, Business Operations Director
Joseph Potchanant, Member Services and Support Director
Krysten Stevens, Technical Director
The REN-ISAC Directors will open this year’s virtual REN-ISAC Member Meeting with a welcome, review of the organization’s activities over the past year, and a report out from each team.
Wednesday, June 23
1 - 2PM ET—Bro/Zeek Alerts: What Do They All Mean? (Open to all Registrants)
Bob Heren, Senior IT Security Analyst, University of Illinois at Urbana-Champaign
Bro/Zeek alerts can be powerful tools to catch anomalies before they become a problem, but it can be hard to know which ones are important and what they even mean. This presentation will endeavor to educate you on which ones to watch and what to do about them.
3 - 4 PM ET—Cyber Hygiene for Your Growing Attack Surface - Measuring and Managing Your Posture and Exposure (Open to all Registrants)
Genevieve Marquardt, IT Specialist, Cybersecurity and Infrastructure Security Agency (CISA)
Paul Drake, Information Security Professional, University of Notre Dame
Vicki Holzknecht, Cyber Security Analyst, Southwestern Community College
Krysten Stevens, Technical Director, REN-ISAC
The Cybersecurity & Infrastructure Security Agency (CISA), University of Notre Dame, Southwestern Community College, and REN-ISAC will chat about cyber security challenges currently facing the EDU in today's cyber climate and some simple (and free!) options that are available to help education organizations monitor their cybersecurity posture. Through these discussions you can discover simple steps you can take to help augment your organization's cybersecurity awareness as you work to mitigate risks to your public attack surface. Learn more about how to transform host, service, and vulnerability data into actionable, shareable information for measuring and reducing risk.
Thursday, June 24
1 - 2 PM ET—Federated Security: Raising the Bar Across 1000 Organizations (Open to all Registrants)
Shannon Roddy, Security Lead, Internet2
Albert Wu, InCommon Federation Service Manager, Internet2
This session will give an update on several InCommon activities which are raising the bar on federated identity and security. We will discuss topics such as SIRTFI, Baseline Expectations for SAML identity and service providers, and TLS security requirements. We will also discuss new NIH requirements for federated identities and how InCommon has been working to assist and aid R&E in meeting these. We will also discuss the recent SolarWinds incident and how it relates to SAML security.
3 - 4 PM ET—We Feel Your Pain; Partnering with Your Peers (Members Only)
Susan Coleman, Cybersecurity Peer Assessment Program Manager, REN-ISAC
Merri Beth Lavagnino, Executive Director of Compliance and Privacy, Indiana Health Plans
Henry (Hal) Stone, Chief Information Security Officer, Clemson University
The REN-ISAC Cybersecurity Peer Assessment Service (PAS) utilizes assessors with expertise in cybersecurity in higher education to objectively evaluate an institution's cybersecurity posture, but it is not only the assessed institution that benefits from engagements.
Peer Assessors gain valuable insight into best practices, approaches to staffing, and security initiatives that can impact their perspective toward their home institution. Join PAS Leadership and a panel of Peer Assessors to discuss lessons learned from the field and how their experiences enrich their cybersecurity knowledge and network.
Tuesday, June 29
1 - 2 PM ET—CanSSOC Threat Feed: Protection, Detection, and Intelligence Sharing (Open to All Registrants)
Axel Schulz, Senior Security Analyst, CanSSOC / University of Toronto
Carl Chan, Senior Security Information and Events Monitoring Administrator, University of Toronto
Martin Vézina, IT Security Architect, CanSSOC / McGill University
In today's security landscape threat intelligence (TI) can help improve the security posture of your organization at many levels. Enter the CanSSOC Threat Feed service, a platform that provides sector-specific threat intelligence and specialized feeds to address current educational specific threats. Leveraging TI from various sources (governments, public, private sector, educational sector, and OSINT), CanSSOC analysts aggregate and curate essential TI data into the Threat Feed service.
In this presentation we will investigate how the Threat Feed service can be leveraged to protect your organization and provide examples of how partner institutions have leveraged the feeds at various levels of their organizations to protect, detect, and enable intelligence sharing.
It will explore how Threat Intelligence and Threat Feed services are leveraged to deal with the ever-present and ever-changing information security landscape, how Threat Intelligence is leveraged for detection and response, and how Threat Feed is used to within the firewall infrastructure to block and prevent attacks.
3 - 4 PM ET—The NSF Cybersecurity Center of Excellence: A Resource for Research Security (Open to All Registrants)
Von Welch, Trusted CI PI and Director, Indiana University
Jim Basney, Principal Research Scientist, University of Illinois / NCSA
Trusted CI, the NSF Cybersecurity Center of Excellence, is now entering its 10th year of serving the research and education community. This presentation will share Trusted CI’s experience with engaging with researchers and implementing cybersecurity programs that balance research productivity and risk mitigation. It will cover resources that Trusted CI offers to the community, as well as other research cybersecurity resources that are available, and how institutions can collaborate with Trusted CI on their particular research challenges.
4:30 - 5:30 PM ET—Ransom but No Ware: Walking through the Accellion Attack University of Colorado (Members Only/No Recording)
Brad Judy, Information Security Officer, University of Colorado
Wednesday, June 30
1 - 2 PM ET—Web Security Birds of a Feather (Open to Members Only/No Recording)
Adam Arrowood, Lead Information Security Engineer, Georgia Tech
Join us for a discussion regarding web application and web server security practices. Let's talk WAFs and IDS/IPS tools, vulnerability management, incident response, developer training, and more. No web security talk these days is complete without mentioning the OWASP Top Ten or bad bots or API protection, so those are on the agenda too.
3 - 4 PM ET—Security Automation at OSU: Log Analysis -> Active Response (Open to All Registrants)
Chris Hartley, Lead Security Engineer, The Ohio State University
While SOAR/automation has become a "hot" term in infosec (again) lately, OSU has been using some form of automation in our security program since ~1998. Whereas the top SOAR tools use directed graph configurations that mostly "enrich" events to guide analysts, we are on version (?) of our automation system that suspends users, controls IDM flags on the accounts, blocks hosts, send pages, notifications, etc. Part of our goal is just to be more frustrating than other targets. Instead of a directed edge graph, we use a super simple Domain-Specific Language as well as Splunk's SPL to determine what actions to take. This presentation is about sharing our perspective, how we built what we have, and where we're going next.
Thursday, July 1
1 - 2 PM ET—"Low-Regret" Methodology & SLTT IOC Automation Pilot Results (Open to All Registrants)
Charles Frick, Senior Staff, Johns Hopkins University Applied Physics Laboratory
A new automated data feed that helps defend state and local government computer systems from cyberattacks and rapidly blocks threats across state lines reduced cyber defense time from some three days to less than three minutes in a successful pilot program across four states.
The one-year trial, “Indicators of Compromise Automation Pilot,” was funded by a grant from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and led by the Johns Hopkins Applied Physics Laboratory (APL) in Laurel, Maryland, in partnership with the four states and the CISA-funded MS-ISAC, a key U.S. cybersecurity resource for state, local, tribal and territorial (SLTT) governments.
During the pilot, one participating state received threat information fast enough to preemptively block and protect its network from 270,000 attacks on the day the source was first observed, and from half a million attacks over multiple days.
The new automated feed is “low regret,” meaning a government agency can allow the automatic blocking of an indicator of compromise with confidence that it poses a malicious threat and near certainty that the automated block will not disrupt operations.
This talk will discuss the pilot effort, results, lessons learned, and how organizations can apply a low-regret methodology to make their data more actionable for cyberdefense.
3 - 4 PM ET—REN-ISAC Blended Threat Workshop 101 (Open to All Registrants)
Sarah Bigham, Lead Security Analyst, REN-ISAC
Brett Zupan, Risk Analyst & DC Liaison, Gate 15
During this session, we will be giving an overview of the Blended Threat Workshop concept and program results. We will discuss prior year's scenarios and lessons learned, as well as the next steps for the program. The second half of the session will be an interactive discussion with attendees allowing them to ask questions and provide suggestions and/or feedback for future development of the Blended Threat Workshop series.