my recent set of talks have evolved from "what the technology looks like" and more into "what did your journey look like?" along with "how much did it cost?"

so i decided to conjure up a public history about where SES came from, how CIF evolved out of it, and the massive amounts of duct-tape it took along the way.

many people and groups are responsible for the success of this adventure. this written history is meant to describe our story as a way to thank all those in the higher education security community that helped to build what we have today.

in no small part, the people involved with higher-ed security operations, both in terms of the UNISOG community as well as the evolution into the REN-ISAC community have invested a great deal in making this successful. no where else could this sort of work have been done.

  • UNISOG for setting the stage, showing how information sharing should happen, well before "it was cool"
  • CSI2, the Department of Justice, the REN-ISAC, Indiana University for their stewardship[1] of our initial work and guidance in bootstrapping of this work
  • the REN-ISAC community for funding the initial SESv2 work
  • the REN-ISAC community and the National Science Foundation for bootstrapping and funding the SESv3 work

the history of the Security Event System, and the Collective Intelligence Framework.



  • unisog botnet tracker developed as a way to share botnet threat intelligence
  • initial snort rules wget script created, as well as Snort::Rules CPAN module
  • the RENIOR idea develops in parallel
  • REN-ISAC implements information sharing for operational protection and response using CSV files and wget
  • REN-ISAC and UNISOG communities merge into the REN in an effort to consolidate resources and activities



  • SESv1 beta deployed in the RI community


  • SESv1 production is deployed in the RI community
  • initial "collective intelligence framework" is prototyped as a way to bring other intelligence sources into SES
  • newly instated membership fee structure funds wes full time post-grant to continue SESv2 development


  • SESv2 beta1 is deployed to subsection of RI community
  • SESv3 grant proposed to NSF
  • SESv3 grant awarded to RI for the development of SESv3
  • SESv3 grant work commences in parallel to existing SESv2 (CIF v0/v1) work


  • SESv2 (CIFv0) deployed to RI community
  • SESv2/SESv3 road-show begins


  • SESv2.1 (CIFv1) deployed to the REN-ISAC community

Stewardship Summary

the REN-ISAC community has contributed substantially to the inception, success and sustainability of this project. the character of that support has permitted the project to grow beyond the borders of our community and past political and cultural boundaries - something that other efforts at automated information sharing have failed to accomplish..

  • SESv1: CSI2, the REN-ISAC community

    • Department of Justice Grant, $120,000 over one year
    • indirects of ~$27,000 in "facilities and adminstration" overhead
    • CSI2/the REN-ISAC brokered the grant, provided guidance
    • REN-ISAC community piloted, productionize the project
  • SESv2: the REN-ISAC community

    • Derived from REN-ISAC community membership fees
    • ~$200,000 (wes’s two year salary, inc benefits)
    • the REN-ISAC community piloted and productionize the project
  • SESv3: the REN-ISAC community

    • National Science Foundation Grant $800,000 over three years
    • indirects of ~$250,000 in "facilities and adminstration" overhead