Educause Security Discussion mailing list archives

Re: Membership in REN-ISAC?


From: Wes Young <wcyoung () BUFFALO EDU>
Date: Mon, 4 Jan 2010 10:55:14 -0500

http://www.ren-isac.net/docs/information_sharing_policy.html

Trust is all about perception. You must decide if it's worth
publishing vs if people will still trust sending you info should you
publish.

if you own 100% of the data-set; then i'd imagine you can do what you
want with it. If you've correlated data combined with/from a
"restricted" data-set; you obviously own the resulting data-set; the
question is; what you do with that data-set. Given the example you're
citing; i'd say "yes; sounds like a potential conflict of interest;
and i'd tread softly" (see: perception reference above). So the
question becomes "is it worth publishing vs not having
access?" (which; to me, at that point, is a simple risk equation).
What does "publishing data" buy you vs "a large community of trusted
peers" ?

of course; i am not an authoritative source on this; nor do i pretend
to be in real life (ok; maybe i pretend to be sometimes, but mostly
speaking as a peer and practitioner). most of these are best handled
case by case and asking your peers (+RI on a case by case basis until
you're comfortable). Right now it's more geared towards "ops" data
(protection; mitigation; etc). Until that changes; i'd be careful what
you publish and just make sure you're not going to violate any of your
peers' trust. [It's the one great tool we have against the bad-guys;
like it or hate it].

I'd encourage you to read this policy (it's way long; but thinking
went into it). The ideas behind it aren't to inhibit data-sharing; but
actually to enable it. The problems we've had in the past as a
security community is setting expectations such that a trust fabric can
be created; once expectations are set; you'd be amazed how much people
are willing to share their collective experiences and data. Trust is
torn down when expectations aren't met; or they have been violated (or
even perceived to have been violated) in some way.

... and once you get the hang of it [the community]; it's not that bad.
You get a lot of useful information in return; the benefit far
out-weighs the 'restrictions'.

On Jan 4, 2010, at 10:20 AM, Matthew Wollenweber wrote:

How restricted/reasonable is REN-ISAC in terms of information
sharing? Obviously you can't publish their restricted data, but I
imagine they have a large collection of events that likely overlap
with other data sets. If I were to publish results from my own data,
and if I were a member of REN-ISAC, would I have to check their
database before publication?

--
Wes
CSI2 Chair
SES Project Architect
http://claimid.com/wesyoung
