2026 REN-ISAC Member Meeting | March 2–13

9:00: Anthony Newman, Executive Director, REN-ISAC

10:00: Chip Conner-Rondot, Chief of Engagement; Josh Drake, Director of SOC and Security Services; Todd Herring, Director of Business Operations; Marina Krenz, Director of Technical Operations

Register for Session

Randy Marchany, Virginia Tech

In 2001, the SANS Institute created a document listing the top 10 security mistakes individuals make. In 2026, it's sad to say that only 2 of these root causes have been "fixed".  We present a list of attacks from the mid-1990s to present day and as we examine the root causes of these attacks, we are compelled to ask the question - "what have we, the cybersecurity industry, done to fix these root causes in the past 30 years?" The same threat vectors that existed in 1996 are still active in 2026. By creating a cybersecurity industry, have we removed any incentive to actually fix the root causes?  We'll discuss the evolution of 3rd party software vendor risk assessment and management. We present some suggestions on how to address this situation.

13:00: Anthony Newman, Executive Director, REN-ISAC

14:00: Chip Conner-Rondot, Chief of Engagement; Josh Drake, Director of SOC and Security Services; Todd Herring, Director of Business Operations; Marina Krenz, Director of Technical Operations

Register for Session

Dr. Catherine J. Ullman, University at Buffalo

Assumptions burn defenders every day. Perhaps the most pernicious one is that systems and their controls will always work as designed. Best practices in security may be good guidelines, but unfortunately also suffer from these same blind spots. For example, best practice recommends the use of LAPS for local administrator account passwords of domain-joined computers, yet misconfiguration of active directory can turn it from a protective control into a vulnerability. But what if there was a way to challenge these assumptions up front? The best way to dismantle these types of assumptions is to experience how deeply flawed they are. There is no better way to gain firsthand experience into this perspective than immersion in the offensive security space. In this talk we'll explore how to immerse yourself in the offensive security world to obtain this knowledge without needing to change careers or obtain additional certifications. By being more informed about offensive security, defenders are better able to recognize relevant intel, understand existing threats, and more readily discover attacker behavior. Join me as I discuss how there's more to defending than just defense, and how you can find and engage with the amazing resources that are out there waiting to be explored.

Register for session 

Doug Couch, CANARIE (CanSSOC)

Abstract available on Member's Wiki.

Register for session

18:00: Anthony Newman, Executive Director, REN-ISAC

19:00: Chip Conner-Rondot, Chief of Engagement; Josh Drake, Director of SOC and Security Services; Todd Herring, Director of Business Operations; Marina Krenz, Director of Technical Operations

Register for session

Brian Epstein, Institute for Advanced Study 

This talk reviews the history of Cryptography leading up to the necessity of Post-Quantum Cryptography.  It reviews where we are and what we need to do going forward as practitioners.  It will also review a more immediate, but somewhat mundane, risk associated with certificate automation.  Certificate lifetimes are being reduced, which requires us to deploy them more frequently.  Certificate automation is the only way forward, but it requires significant effort and ongoing auditing for our teams. 

Register for Session

Vishal Singh Bhardvaj, OmniSOC 

Why this matters now: Rapid adoption of Docker/Kubernetes is accelerating digital transformation, but it also expands attack surface and raises the stakes for securing container environments. 

Key container security challenges: Containers introduce distinct risks such as vulnerable images, runtime threats, misconfigurations, weak access controls, and complex network segmentation. 

What attendees will learn: Container security fundamentals and best practices (e.g., image scanning, lifecycle security, segmentation) plus practical approaches to deploying honeypots across containers, VMs, and edge devices (e.g., Raspberry Pi). 

Real-world value: Case studies and deployment lessons—including common attack patterns—and how honeypot telemetry can directly inform security policies and incident response. 

Integrated defense strategy: Methods for combining honeypots with container security controls to build adaptive, proactive defenses in cloud-native/hybrid environments. 

Demo & impact: Live demonstrations (including a simulated container escape) to show consequences of weak security and reinforce practical mitigation steps.

Register for Session 

Register for Session

Open Spaces give attendees the opportunity to talk about anything they’d like in small break out groups. You might suggest a topic you want to learn about, or one you feel like you can help others with.

Register for Session

Register for Session

Tracey Potter, The University of Tampa

Abstract on the Member's Wiki.

Register for Session

Andrew Januszak, Lehigh University; Tomomi Imamura, University of Wisconsin; Forest Crowley, Lehigh University; Jamie Glass, University of Wisconsin; Michael Bryant, Clemson University

Abstract on the Member's Wiki.

Register for Session

Jason Garay, CISA

Abstract on the Member's Wiki.

Open Spaces give attendees the opportunity to talk about anything they’d like in small break out groups. You might suggest a topic you want to learn about, or one you feel like you can help others with.

Register for Session

The 2026 REN-ISAC Member Meeting will feature a Capture the Flag (CTF) interactive session hosted by the Elastic team. The CTF is on Friday, March 6 from 1-4 PM ET (18:00-21:00 UTC). Registration for the CTF will close on Friday, February 27 at 8 AM ET (13:00 UTC). Make sure to register with your institutional email address to receive details about the event. Join us for some friendly competition and lots of fun! CTF is open to the public. 

Register for Session

Jordan Barnartt, University of Waterloo 

The University of Waterloo has implemented an Endpoint Detection and Response (EDR) solution for 11,000 endpoints, dramatically improving threat visibility -- and just as dramatically increasing alert volume for our 4-person Security Operations Centre (SOC). 
 
I will demonstrate how we triage and investigate EDR alerts at scale, efficiently separating real incidents from false positives.  I will walk through how we use Security Orchestration, Automation, and Response (SOAR) tools to standardize investigation steps, use multiple threat intel and internal context sources, and reach decisions more quickly.  You'll leave with a practical approach to turning existing data into better decisions, with fewer analyst-hours spent. 

Register for Session

Will Drake, Indiana University; Tim Daniel, Indiana University 

New regulatory requirements and federal sponsor expectations, including cybersecurity expectations under NSPM-33, are likely to greatly expand the scope of cybersecurity and compliance across research institutions. Meeting these expectations effectively, without adding unnecessary burden on researchers, will take deliberate planning and an approach that emphasizes researcher support and institutionally-provided, compliant technical resources. This session will provide an update on emerging expectations, what institutions should expect next, and practical strategies for addressing these changes. 

Register for Session

Michael Bryant, Clemson University

Abstract on the Members Wiki.

Register for Session

Jer Kong, University of Virginia

Abstract on the Member's Wiki.

Register for Session

Nick Lewis, Internet2; Isaac Galvan, EDUCAUSE; Charles Conner-Rondot, REN-ISAC

Abstract on the Member's Wiki.

Register for Session

Ian Washburn, University of Notre Dame 

Federal cybersecurity policy is undergoing a fundamental shift—from one-way guidance and compliance expectations to a shared-responsibility model built on operational partnership. As initiatives like the Cybersecurity Centers of Excellence expand, higher education is emerging as a critical bridge between federal intent, private-sector capability, and community-level cyber resilience. Drawing on insights from national policy efforts, including the Redwood Project’s National Cyber Resilience Working Group, this presentation explores how colleges and universities can move beyond compliance to become trusted cyber anchors for their regions. Attendees will gain a practical understanding of evolving federal policy, new participation opportunities, and the role higher education must play in shaping cybersecurity outcomes that work in the real world. 

Register for Session

Rob Carlsen, OmniSOC; Ian Washburn, University of Notre Dame

Abstract on Members Wiki.

Register for Session

Alpha Diallo, OmniSOC 

Protecting higher education and research institutions requires a different approach than any other environment. OmniSOC provides a collaborative model for cyber defense, offering 24/7 threat detection and response specifically designed for the complexities of academic and research-heavy environments. OmniSOC collaborates with higher education and research communities to strengthen security and safeguard their critical data. 

Register for Session

Kyle Enlow, REN-ISAC

Abstract on Memember's Wiki.

Register for Session

Register for Session

Louw Smith, Harvard University

Abstract on the Member's Wiki.

Register for Session

Richard Belisle, MSU Denver 

If terms like Kerberoasting or unconstrained delegation sound familiar but you’re not quite sure what they mean, why they matter, or you’re simply curious about Active Directory security, this presentation is for you. Active Directory remains a cornerstone of identity management. It’s everywhere, notoriously challenging to evaluate, and a prime target for threat actors. 

In this session, we’ll walk through how AD authentication actually works, break down common attack techniques, show you how to spot them in your own environment, and highlight the practical controls and best practices that truly strengthen your domain’s defenses. 

Register for Session

Shane Albright, REN-ISAC; Emily Gladstone Cole, University of California, Berkeley; Christopher Clausen, National Center for Supercomputing Applications; Bartholomew Mallio, The Rockefeller University

Abstract on Member's Wiki.

Register for Session

Sarah Bigham, REN-ISAC 

Ransomware attacks on higher education institutions are increasing exponentially with some studies showing a 70% surge since 2022. The threat is significant with institutions facing the challenge of protecting sensitive data and ensuring operational continuity all while facing shrinking budgets. Key trends being observed include increased attack rates, sophistication of attacks, increased recovery costs, and an increase in ransom payments to name a few. 

In this presentation, I will discuss the evolution of attacks, adversary trends, the pros and cons of paying the ransom, and methods for detecting attacks. 

Register for Session

Joseph Karam, Princeton University; Steve Fullerton, Clemson University; Nicolas Colbert, Emory University 

As higher education institutions increasingly rely on complex IT ecosystems, monitoring service maturity becomes critical for operational resilience and strategic growth. This expert panel will explore frameworks and best practices for assessing and advancing monitoring capabilities across diverse campus environments. We will discuss how institutions can align monitoring strategies with organizational goals, improve visibility into service health, and leverage automation in forecasting future trends. Panelists will share real-world examples of overcoming challenges in scaling monitoring maturity while balancing resource constraints. Attendees will gain actionable insights to strengthen their institution’s monitoring posture and support long-term service excellence. 

Register for Session

Steven Bochniewicz, University of Maryland College Park

Abstract on the Member's Wiki.

Register for Session

Helen Patton, CISCO 

Many security concerns haven't changed in years. But there are topics that security teams should be paying close attention to now, in new ways. In this session we will discuss four security things that should be on everyone's radar, and how to address them. 

Register for Session