Security Spotlight: An Interview with REN-ISAC Executive Director, Kim Milford

A recent post introduced the preparedness efforts that the Research and Education Network Information Sharing and Analysis Center (REN-ISAC) is taking to promote threat awareness, security coordination, and preparedness across the REN-ISAC and Higher Education community. In that, we touched on the importance of developing a threat-informed, risk-based approach to analysis, preparedness, and operations and how REN-ISAC continues to lead the way in operational security for their members and the broader network of Higher Education organizations. Kim Milford, who joined REN-ISAC in 2014 and serves as the Executive Director, has recently worked to broaden the scope of its efforts to create a more holistic sector approach to risk management. In this short interview, Kim shares some ideas on Higher Education security, the changing and challenging threat environment, and other salient points.

“The REN-ISAC mission is to aid and promote cybersecurity operational protection and response within the research and higher education (R&E) communities. The mission is conducted through private information sharing within a community of trusted representatives at member organizations…” (REN-ISAC mission excerpt)

Q: Kim, it is very exciting to see the great day-to-day work REN-ISAC is doing and your appreciation of the changes in the cyber, physical, and blended threat landscape. With that understanding, REN-ISAC is applying a broader, more holistic approach to Higher Education enterprise risk management. Can you share a little about what drove your new efforts?

AThe REN-ISAC spends a significant amount of time researching and analyzing threats to assist our member institutions in mitigation, either by applying technical controls our through risk transfer or risk avoidance.  We try to be watchful of current trends and how current threats might evolve in the future.  This perspective informs our analysis and our threat intelligence.  In looking at activities that have happened in the recent past, we see the exploitation of the hurricanes last year for cybercrime and the use of DDOS as a smokescreen for other criminal activity.  Our growing reliance on industrial control systems, which are truly part-physical, part-technical, also increases organizational risks and the need for a blended-threat strategy.  We can no longer completely separate the physical threats from cyberthreats. 

Research and education networking organizations, such as colleges and universities, represent a range of potential risks including physical, cyber, human, and financial, just to name a few.  Organizations must now take a comprehensive risk approach, and the assistance that REN-ISAC can provide them across threat landscapes gives them a leg up.

“we can no longer think of threats as isolated – physical and cyber threats are and will continue to be blended.” – REN-ISAC Executive Director, Kim Milford

Q: As you look at the host of security challenges today, are there any that are causing you the most concern, or that you think the community really needs to focus on?

A: Threats to individual credentials, namely the login ID plus password.  Although this isn’t a new threat or particularly exciting, it’s certainly pervasive.  In addition to the identity theft risks, we see exploited credentials available for sale, used for data exfiltration, and used to access to organizational resources, such as discounts on software.  Attacks against credentials are easy to perpetrate and extremely effective. Mitigation is challenging because it requires changing behaviors and implementing controls at the device. 

Another of today’s challenges is the need to change our thinking on threat defense.  Building intrusion prevention rules on signatures from the wild is and always will be a necessary line of defense.  However, it’s now relatively easy to overcome as cybercriminals change their IP addresses or URLs immediately.  We need to begin to think more about building intrusion prevention based on the online behaviors of the user community so that we can alert or block suspicious activities based on intel coming from inside the organization.

“Building and maintaining relationships are the core of the REN-ISAC Trust Community. Ties to other peer member institutions plus known and trusted external vendors and partners offers all members a wide breadth of knowledge.” (from “Our Trust Community”)

Q: Can you share some of the more common types of incidents members ask for REN-ISAC’s help with? Are there common cybersecurity issues that you’ve been able to observe among members?

A: We get a large range of questions coming from our member representatives.  Our community embodies a culture of information sharing, which means that the role of the REN-ISAC is often facilitative – we provide the tools that allow the member representatives to share with each other.  Posts about phishing campaigns dominate most recent questions from member representatives.  There’s also a good deal of discussion about applying appropriate controls for compliance.

Q: In our first blog post on REN-ISAC’s efforts we wrote that In 2018, REN-ISAC is leading a coordinated, multi-part exercise series around the United States to provide peer-to-peer forums where members and others from the Higher Education community can come together and share ideas on common challenges, lessons learned, best practices, potential gaps, and other relevant points relating to physical and cyber threats, preparedness, and response. Why this initiative?

A: A few trends seemed to dovetail at the same time that led to the REN-ISAC workshop and exercise initiative.  First, as we discussed above, we can no longer think of threats as isolated – physical and cyber threats are and will continue to be blended.  Secondly, interest in and the results from the Department of Homeland Security (DHS) National Table Top Exercise (NTTX) for Institutions of Higher Education points to a need for additional preparation and planning at research and education networking organizations.  We looked at what DHS was doing and thought about how we can work with them and supplement the annual event.  The NTTX is there to exercise response plans that already exist. Participants generally have an incident plan that the NTTX tests to ensure the incident plan is comprehensive enough in real world situation. The REN-ISAC workshop series is not to test plans that already exist; instead, the the intent is to educate and create best practices that participants can then put into planning. Our focus is on discussion and pollination of ideas.  To steal a phrase from Brett Zupan, our colleague at Gate 15, the REN-ISAC’s workshop series focuses on stimulation instead of simulation.

“Formed in 2003, the NCI today comprises 24 organizations. It is a coordinating body designed to maximize information flow across the private sector critical infrastructures and with government.[1]

Q: REN-ISAC is a small minority among the ISAC community and the National Council of ISACs membership in that you’re notbased in the Washington DC area. Can you explain how REN-ISAC is set-up and how you engage partnerships with your US Government colleagues?

A: I’m proud of the REN-ISAC’s legacy at Indiana University, which has historically committed to reducing risks and improving cybersecurity – not just at Indiana University but for the broader community of faculty, staff, students, researchers, parents, etc.  In the early 2000’s then-Vice President for Information Technology Michael McRobbie (now President at Indiana University) supported the idea of hosting the REN-ISAC at Indiana University.  The name “Research and Education Networking” was intentionally broad, not just universities and colleges, but organizations engaged in research, education, and the networking organizations that support both.  In establishing the REN-ISAC at Indiana University, President McRobbie ensured that the REN-ISAC will always have at its core a strategic understanding of the issues facing security professionals at research and education networking institutions.

In today’s fully-connected any-time, any-where world, engaging with partners at the other ISACs and the US Government is fairly easy. The REN-ISAC staff attend web-based meetings and seminars regularly, and we attend the National Council of ISACs meetings.  We participate in other discussions via email and instant messaging.  We use the FBI’s InfraGard, the DHS Homeland Security Information Network (HSIN), and various State of Indiana fora to stay tapped into current issues at the national and transnational level.  While this provides great coverage for most topics of discussion, there are sone events at which REN-ISAC was unable to provide coverage. These tend to be events or meetings dependent on schedules of national or foreign dignitaries that change rapidly or events with conflict with other significant research and education networking conferences.  When this happens, the REN-ISAC struggles to provide representation and a voice at the table for the research and education networking community.  As the REN-ISAC staff worked with and got to know several of the key players at Gate 15, we saw an opportunity to have them serve as a liaison in the Washington DC area.  Not only does Gate 15 have proximity, they have expertise in US Governmental initiatives and a knowledge of the processes and participants.  Since we joined forces with Gate 15 late in 2017, we’ve already reaped the benefits of the knowledge sharing and presence.

Q: If someone is reading this and thinks, “Hey, I want to get more involved!,” how do they reach out and connect with your team and learn more about REN-ISAC?

A: Our public web site is a good source of information:

Q: Any final thoughts you’d like to share?

A: The work of securing institutional resources is challenging.  One way to make it easier is by participating in an information sharing community like the REN-ISAC.

Kim, thank you so much for taking time to think through these questions and share your awesome insights and perspective. Whenever I describe Gate 15’s collaboration with REN-ISAC the word “excited” keeps coming up! We’re so excited to be part of your vision and efforts and where REN-ISAC – both the remarkable staff and the member community – and this 2018 exercise series are going! Thank you for your leadership and commitment to enhancing the security and resilience of the Higher Education community! Learn more about REN-ISAC below and from their website, and follow the REN-ISAC team on Twitter, @renisac!

About Kim Milford: “As executive director of REN-ISAC, Kim Milford works with members, partners, and sponsors to direct strategic initiatives for research and education networking institutions, providing services and information sharing that allows members to better defend local technical environments, and overseeing administration and operations. She joined Indiana University in 2007 and served in several different roles leading strategic IT initiatives, directing the work of the University Information Policy Office, and serving as the Chief Privacy Officer.” Read more.

About REN-ISAC: “The Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) has two primary roles.  REN-ISAC also serves over 540 member institutions in Australia, New Zealand, Canada, the UK, and the United States.  For a modest annual fee, member institutions gain access to services and benefits to aid and promote cybersecurity operational protection and response within research and education communities. The second role is serving as the computer security incident response team (CSIRT) supporting the R&E community at-large, including non-members.  In this role, we work with trusted third parties to notify higher education institutions of infected hosts and suspicious network traffic. REN-ISAC also serves over 540 member institutions in Australia, New Zealand, Canada, the UK, and the United States.” Read more.

[1] National Council of ISACs website, accessed 01 Feb 2018

Kim Milford photo in interview, via Indiana University, IT News & Events, “REN-ISAC names Kim Milford first executive director,” 01 May 2014