Internet Service Provider Information Sharing

1
Internet Service Provider Information Sharing and Analysis Center
  • (ISP-ISAC)
  • Looking For Feedback and Participation

2
ISACs: Background
  • An Information Sharing and Analysis Center (ISAC)
    is loosely defined in President Clinton's 1998
    Presidential Decision Directive 63 (PDD-63) as a
    mechanism for gathering, analyzing,
    appropriately sanitizing and disseminating
    private sector information for sharing
    important information about vulnerabilities,
    threats, intrusions and anomalies

3
ISACs: Background continued
  • ISACs were suggested by the President's Committee
    on Critical Infrastructure Protection (PCCIP) in
    their October 1997 report CRITICAL FOUNDATIONS
    Thinking Differently
  • The basic idea is to share, correlate, and
    analyze information in order to protect critical
    infrastructure
  • ISACs currently exist or are planned for
    financial services, telecommunications,
    transportation, and the power utilities

4
ISP-ISAC: Proposal
  • IOPS, together with a few other ISPs and service
    providers, thought it would be good for the
    industry to create an ISP-ISAC to solve problems
    that cross the boundaries of economics and
    competition; the design would allow for
    participation by a wide range of service
    providers
  • The proposed goal for this ISAC is to help
    coordinate the resolution of Internet problems
    and to help protect the Internet

5
ISP-ISAC: Proposal continued
  • This goal will be achieved through:
  • (a) Communication: by creating and using a
    framework in which information about incidents
    can be shared by ISPs in real-time, in order to
    mitigate the impact and duration of these
    incidents

6
ISP-ISAC: Proposal continued
  • (b) Analysis: by creating and using ISP-ISAC
    databases of both active events and informational
    reports of vulnerabilities, configuration issues,
    etc. in order to establish best practices,
    identify common hardware and software problems,
    and otherwise forewarn against possible future
    problems

7
ISP-ISAC: Operating Plan
  • The ISAC collects data through reports about
    outages, incidents, concerns, and advisories
    submitted by members or collected from other
    sources
  • The ISAC manages tickets for active issues
    (opening, notification, resolution, closure)
  • Members are alerted to both current incidents and
    other significant data

8
ISP-ISAC: Operating Plan cont.
  • The ISAC maintains databases of past issues and
    important network-related information
  • Analysis and correlation are performed to
    determine severity and possible relation to other
    data reports

9
ISP-ISAC: Organization Plan
  • The ISAC will be a Limited Liability Company or a
    Not-For-Profit
  • A support contractor will be hired who will
    operate and maintain a 7x24 system that meets the
    requirements and who will handle the day-to-day
    details
  • Budgetary estimate of annual membership fee (to
    cover costs): 5000-7000

10
ISP-ISAC: Lessons Learned from Previous Attempts
  • Nothing is perfect
  • Nothing will work for everyone
  • Getting Operators to do this manually is both
    difficult and cruel; automation is key
  • No one wants to give up any information without
    getting something first
  • No one trusts anyone, so a non-ISP 3rd party
    vendor is crucial
  • This function MUST be someone's job (or it won't
    get done)

11
ISP-ISAC: Proposed Requirements
  • Possible multiple databases (Active Issues,
    Historical Issues, Informational database)
  • Multiple input types (web, formatted email) for
    initiating reports
  • Multiple notification methods (pager, cell,
    email, etc.) for notification, set by each ISP
  • Adjustable priorities with appropriate,
    adjustable notification methods (i.e. High
    priority: pager vs. Informational: email only)

12
ISP-ISAC: Requirements cont.
  • Active issues and historical databases containing
    (at a minimum): unique tracking code; date;
    time/time zone; geographical area; equipment
    type; software version; type of incident; brief
    description of incident; subsequent updates
    attached to incident; priority; reporting ISP;
    affected ISP(s); reports able to be anonymized
  • Informational database with security information
    such as threats, vulnerabilities, config issues,
    outside reports, etc.
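
An added sketch, not part of the original slides, of the minimum incident record listed above together with the per-ISP, per-priority notification rule from the Proposed Requirements slide. Field names, priority labels, default methods, the choice of what anonymization withholds, and all sample values are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, replace
from datetime import datetime, timezone

# Assumed defaults: high priority pages, informational is email only.
DEFAULT_METHODS = {"high": ["pager", "email"], "informational": ["email"]}

@dataclass(frozen=True)
class IncidentReport:
    tracking_code: str        # unique tracking code
    timestamp: datetime       # date, time and time zone in one aware value
    geographic_area: str
    equipment_type: str
    software_version: str
    incident_type: str
    description: str
    priority: str
    reporting_isp: str
    affected_isps: tuple
    updates: tuple = ()       # subsequent updates attached to the incident

def anonymize(report):
    """Copy of the report with the reporter withheld, including any
    mention of the reporter's name in the free-text description."""
    scrubbed = re.sub(re.escape(report.reporting_isp), "[ISP]",
                      report.description, flags=re.IGNORECASE)
    return replace(report, reporting_isp="(withheld)", description=scrubbed)

def route(report, member_prefs):
    """Notification methods per member for this report's priority.
    A member's own setting wins; an empty list means 'do not notify'."""
    plan = {}
    for member, prefs in member_prefs.items():
        methods = prefs.get(report.priority, DEFAULT_METHODS[report.priority])
        if methods:
            plan[member] = list(methods)
    return plan

# Constructed sample data (hypothetical ISPs and incident).
SAMPLE = IncidentReport(
    "ISAC-0001", datetime(2000, 1, 1, 12, 0, tzinfo=timezone.utc),
    "US Northeast", "core router", "12.0", "outage",
    "ExampleNet core router reloads after session flap", "high",
    "ExampleNet", ("ExampleNet", "SampleISP"))
PREFS = {"SampleISP": {"high": ["pager", "cell"]},
         "DemoNet": {},
         "QuietNet": {"informational": []}}
```
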

13
ISP-ISAC: Requirements cont.
  • 99.98% vendor system availability for databases
  • Multi-homed NOCs
  • Disaster recovery capability
  • Enough personnel and computing power for 7
    simultaneous incidents and over 2000 simultaneous
    recipients of notification (initially; scaling
    required)
  • Searchable historical data
  • Automation and ease of use

14
ISP-ISAC: Benefits
  • What makes the ISP-ISAC useful?
  • Participation may help avoid regulation
  • Reports (outages or security) that are specific
    and timely would greatly assist with rapid
    trouble-shooting and problem solving
  • Pre-sorted ISP-specific (or network-specific)
    news reports, exploits, security vulnerabilities,
    and general information for dissemination to
    members are more complete than what an individual
    might find, saving individual sorting and
    distribution time

15
ISP-ISAC: Benefits continued
  • MORE on what makes the ISP-ISAC useful:
  • Collected outage data from other sources (peering
    point vendors for the MAEs, NAPs, etc., mailing
    lists like NANOG and inet-access, circuit vendors,
    performance monitoring companies, other ISACs,
    etc.) disseminated to the members provides a
    centralized source of information (and again
    saves sorting time)

16
ISP-ISAC: Benefits continued
  • MORE on what makes the ISP-ISAC useful:
  • Improved communication between ISPs improves
    repair times and therefore the public's
    experience of the Internet
  • Having the capability to reach out to a
    significant number of ISPs all at once would be
    helpful during large-scale issues, as would
    assistance in coordinating the handling of such
    incidents (creating a central ticket,
    coordinating information, sponsoring a bridge
    call, etc.)

17
ISP-ISAC: Benefits continued
  • MORE on what makes the ISP-ISAC useful:
  • Forums for secure real-time or near-time
    communication would increase the speed of
    diagnosis
  • Regular conference calls for general discussion
  • Facility for real-time response and discussion
    (bulletin board, private chat rooms, or voice
    bridge) by the Operators themselves
  • ISAC vendor-provided language translation skills
    speed up tracking down attacks/routing mistakes

18
ISP-ISAC: Benefits continued
  • MORE on what makes the ISP-ISAC useful:
  • Quick reference utilities like an
    access-controlled web page with color-coded live
    issues (culled from vendors, mailing lists,
    outage reports, and chat rooms/bulletin board)
    for rapid assessment of issues impacting any ISP
  • Convenience of having one place for locating an
    accurate, well-maintained, up-to-date phone list
    of ISP NOCs

19
ISP-ISAC: Why I Am Here
  • We need your help

20
ISP-ISAC: Pending Issues
  • There are many issues which could use some rough
    consensus from the community
  • With cost recovery (not profit) in mind, how do
    we make it affordable to as many ISPs as possible
    while still being able to pay the vendor?
    (Should larger ISPs pay more? If so, why?)
  • Membership requirements: Who should participate?
    (Should there be a cut-off? I.e. if you don't
    have a 24x7 NOC, you don't get to play?)

21
ISP-ISAC: Pending Issues cont.
  • More issues:
  • What qualifies as an ISP?
  • Should vendors be allowed to participate?
  • What's an outage? (Meaning, what should be
    reported to the ISAC?)
  • Should there be minimum participation
    requirements?
  • How do we establish trust?

22
ISP-ISAC: Gov't Involvement
  • MOST FAQ: Is the U.S. Government involved?
    ANSWER: No
  • Currently we are not planning on sending reports
    to the U.S. government (or any other state or
    country entity)
  • We may consider it at some point in the future,
    but the members control the ISAC and make the
    rules; YOU decide

23
ISP-ISAC: Current Events
  • We're not done yet! We just wanted to firm up
    the concept before talking to more companies
  • IOPS (and friends) have collected sales quotes
    from a couple of possible ISAC Operators and we
    have talked with other ISACs (plus one or two
    industry experts) on infrastructure protection
    and problem coordination
  • I'm here to discuss the idea, take feedback,
    recruit volunteers - we want more people to
    assist in the final formation of the ISP-ISAC

24
ISP-ISAC: Next Steps
  • If you want to participate (please do not join
    just to be a silent listener) send mail to:
  • isp-isac-d-request_at_iops.org

25
ISP-ISAC: Reaching Me
  • If you want to pass along feedback, contact me:
  • Kelly J. Cooper
  • Security Engineer
  • Genuity
  • 3 Van de Graaff Drive
  • Burlington, MA 01803
  • kjc_at_genuity.com or kcooper_at_genuity.com