2026 REN-ISAC Member Meeting | March 2–12

Starting in 2026, the REN-ISAC Member Meeting (RIMM) and OmniSOC Con will be held jointly as REN-ISAC Member Meeting. The communities will join a two-week virtual program dedicated to cybersecurity in higher education and research. The combined meeting builds on both events’ traditions of peer learning, open exchange, and practical collaboration.

With OmniSOC now part of REN-ISAC, this first joint meeting reflects a more connected community—linking sector-wide coordination with real-time operational expertise. Together, our members gain a stronger foundation for collective defense, shared intelligence, and community support to advance cybersecurity across higher education and research.

The program and registration details will be shared soon. Please mark your calendar for March 2 – 12, 2026.

Register Now: 2026 REN-ISAC Member Meeting

The time is finally here! General event registration for the 2026 REN-ISAC Member Meeting is open.

Please note, general event registration is required to attend. As we get closer to RIMM, you will have the opportunity to review the full conference schedule and select the individual sessions that interest you.

RIMM 2026 Schedule of Events

Use the schedule below to register for individual RIMM sessions. Sessions marked (PB) are open to the public. Sessions marked (MO) are for REN-ISAC members only and require logging in to the Member's Wiki to access the zoom registrations link.

All sessions are to be recorded and archived on the Members Wiki, except where noted.

Monday, March 2, 2026

9:00: Anthony Newman, Executive Director, REN-ISAC

10:00: Chip Conner-Rondot, Chief of Engagement; Josh Drake, Director of SOC and Security Services; Todd Herring, Director of Business Operations; Marina Krenz, Director of Technical Operations

Randy Marchany, Virginia Tech

In 2001, the SANS Institute created a document listing the top 10 security mistakes individuals make. In 2026, it's sad to say that only 2 of these root causes have been "fixed". We present a list of attacks from the mid-1990s to present day and as we examine the root causes of these attacks, we are compelled to ask the question - "what have we, the cybersecurity industry, done to fix these root causes in the past 30 years?" The same threat vectors that existed in 1996 are still active in 2026. By creating a cybersecurity industry, have we removed any incentive to actually fix the root causes? We'll discuss the evolution of 3rd party software vendor risk assessment and management. We present some suggestions on how to address this situation.

Tuesday, March 3, 2026

13:00: Anthony Newman, Executive Director, REN-ISAC

14:00: Chip Conner-Rondot, Chief of Engagement; Josh Drake, Director of SOC and Security Services; Todd Herring, Director of Business Operations; Marina Krenz, Director of Technical Operations

Dr. Catherine J. Ullman, University at Buffalo

Assumptions burn defenders every day. Perhaps the most pernicious one is that systems and their controls will always work as designed. Best practices in security may be good guidelines, but unfortunately also suffer from these same blind spots. For example, best practice recommends the use of LAPS for local administrator account passwords of domain-joined computers, yet misconfiguration of active directory can turn it from a protective control into a vulnerability. But what if there was a way to challenge these assumptions up front? The best way to dismantle these types of assumptions is to experience how deeply flawed they are. There is no better way to gain firsthand experience into this perspective than immersion in the offensive security space. In this talk we'll explore how to immerse yourself in the offensive security world to obtain this knowledge without needing to change careers or obtain additional certifications. By being more informed about offensive security, defenders are better able to recognize relevant intel, understand existing threats, and more readily discover attacker behavior. Join me as I discuss how there's more to defending than just defense, and how you can find and engage with the amazing resources that are out there waiting to be explored.

Doug Couch, CANARIE (CanSSOC)

Abstract available on Member's Wiki.

18:00: Anthony Newman, Executive Director, REN-ISAC

19:00: Chip Conner-Rondot, Chief of Engagement; Josh Drake, Director of SOC and Security Services; Todd Herring, Director of Business Operations; Marina Krenz, Director of Technical Operations

Open Spaces give attendees the opportunity to talk about anything they’d like in small break out groups. You might suggest a topic you want to learn about, or one you feel like you can help others with.

Wednesday, March 4, 2026

Brian Epstein, Institute for Advanced Study

This talk reviews the history of Cryptography leading up to the necessity of Post-Quantum Cryptography. It reviews where we are and what we need to do going forward as practitioners. It will also review a more immediate, but somewhat mundane, risk associated with certificate automation. Certificate lifetimes are being reduced, which requires us to deploy them more frequently. Certificate automation is the only way forward, but it requires significant effort and ongoing auditing for our teams.

Vishal Singh Bhardvaj, OmniSOC

Why this matters now: Rapid adoption of Docker/Kubernetes is accelerating digital transformation, but it also expands attack surface and raises the stakes for securing container environments.

Key container security challenges: Containers introduce distinct risks such as vulnerable images, runtime threats, misconfigurations, weak access controls, and complex network segmentation.

What attendees will learn: Container security fundamentals and best practices (e.g., image scanning, lifecycle security, segmentation) plus practical approaches to deploying honeypots across containers, VMs, and edge devices (e.g., Raspberry Pi).

Real-world value: Case studies and deployment lessons—including common attack patterns—and how honeypot telemetry can directly inform security policies and incident response.

Integrated defense strategy: Methods for combining honeypots with container security controls to build adaptive, proactive defenses in cloud-native/hybrid environments.

Demo & impact: Live demonstrations (including a simulated container escape) to show consequences of weak security and reinforce practical mitigation steps.

Register for Session

Kendra Ketchum, CIO at Indiana University; Upendra Mardikar, Chief Information Security Officer at TIAA

In an era of rapidly evolving cyber threats, institutional leaders face unprecedented challenges in protecting their organizations' digital assets and maintaining stakeholder trust. This candid dialogue brings together two seasoned executives navigating these complexities at major institutions: Upendra Mardikar, Chief Information Security Officer at TIAA, and Kendra Ketchum, Chief Information Officer at Indiana University. Through an interactive conversation, these leaders will share their most pressing cybersecurity concerns in the current threat landscape, from ransomware and supply chain vulnerabilities to insider threats and the security implications of emerging technologies. More importantly, they'll discuss the strategic approaches, organizational changes, and cultural shifts they're implementing to address these challenges within their respective sectors—financial services and higher education. Attendees will gain insight into how executive leaders balance competing priorities, allocate limited resources, and build security-aware cultures. This session is ideal for security leaders, IT executives, and anyone interested in understanding how organizational leadership approaches cybersecurity in an increasingly complex digital environment.

Thursday, March 5, 2026

Tracey Potter, The University of Tampa

Abstract on the Member's Wiki.

Andrew Januszak, Lehigh University; Tomomi Imamura, University of Wisconsin; Forest Crowley, Lehigh University; Jamie Glass, University of Wisconsin; Michael Bryant, Clemson University

Abstract on the Member's Wiki.

Sarah Bigham, REN-ISAC

Ransomware attacks on higher education institutions are increasing exponentially with some studies showing a 70% surge since 2022. The threat is significant with institutions facing the challenge of protecting sensitive data and ensuring operational continuity all while facing shrinking budgets. Key trends being observed include increased attack rates, sophistication of attacks, increased recovery costs, and an increase in ransom payments to name a few.

In this presentation, I will discuss the evolution of attacks, adversary trends, the pros and cons of paying the ransom, and methods for detecting attacks.

Friday, March 6, 2026

The 2026 REN-ISAC Member Meeting will feature a Capture the Flag (CTF) interactive session hosted by the Elastic team. The CTF is on Friday, March 6 from 1-4 PM ET (18:00-21:00 UTC). Registration for the CTF will close on Friday, February 27 at 8 AM ET (13:00 UTC). Make sure to register with your institutional email address to receive details about the event. Join us for some friendly competition and lots of fun! CTF is open to the public.

Monday, March 9, 2026

Jordan Barnartt, University of Waterloo

The University of Waterloo has implemented an Endpoint Detection and Response (EDR) solution for 11,000 endpoints, dramatically improving threat visibility -- and just as dramatically increasing alert volume for our 4-person Security Operations Centre (SOC).

I will demonstrate how we triage and investigate EDR alerts at scale, efficiently separating real incidents from false positives. I will walk through how we use Security Orchestration, Automation, and Response (SOAR) tools to standardize investigation steps, use multiple threat intel and internal context sources, and reach decisions more quickly. You'll leave with a practical approach to turning existing data into better decisions, with fewer analyst-hours spent.

Will Drake, Indiana University; Tim Daniel, Indiana University

New regulatory requirements and federal sponsor expectations, including cybersecurity expectations under NSPM-33, are likely to greatly expand the scope of cybersecurity and compliance across research institutions. Meeting these expectations effectively, without adding unnecessary burden on researchers, will take deliberate planning and an approach that emphasizes researcher support and institutionally-provided, compliant technical resources. This session will provide an update on emerging expectations, what institutions should expect next, and practical strategies for addressing these changes.

Register for Session

Michael Bryant, Clemson University

Abstract on the Members Wiki.

Tuesday, March 10, 2026

Jer Kong, University of Virginia

Abstract on the Member's Wiki.

Nick Lewis, Internet2; Isaac Galvan, EDUCAUSE; Charles Conner-Rondot, REN-ISAC

Abstract on the Member's Wiki.

Ian Washburn, University of Notre Dame

Federal cybersecurity policy is undergoing a fundamental shift—from one-way guidance and compliance expectations to a shared-responsibility model built on operational partnership. As initiatives like the Cybersecurity Centers of Excellence expand, higher education is emerging as a critical bridge between federal intent, private-sector capability, and community-level cyber resilience. Drawing on insights from national policy efforts, including the Redwood Project’s National Cyber Resilience Working Group, this presentation explores how colleges and universities can move beyond compliance to become trusted cyber anchors for their regions. Attendees will gain a practical understanding of evolving federal policy, new participation opportunities, and the role higher education must play in shaping cybersecurity outcomes that work in the real world.

Register for Session

Rob Carlsen, OmniSOC; Ian Washburn, University of Notre Dame

Abstract on Members Wiki.

Alpha Diallo, OmniSOC

Protecting higher education and research institutions requires a different approach than any other environment. OmniSOC provides a collaborative model for cyber defense, offering 24/7 threat detection and response specifically designed for the complexities of academic and research-heavy environments. OmniSOC collaborates with higher education and research communities to strengthen security and safeguard their critical data.

Register for Session

Kyle Enlow, REN-ISAC

Abstract on Memember's Wiki.

Wednesday, March 11, 2026

Louw Smith, Harvard University

Abstract on the Member's Wiki.

Richard Belisle, MSU Denver

If terms like Kerberoasting or unconstrained delegation sound familiar but you’re not quite sure what they mean, why they matter, or you’re simply curious about Active Directory security, this presentation is for you. Active Directory remains a cornerstone of identity management. It’s everywhere, notoriously challenging to evaluate, and a prime target for threat actors.

In this session, we’ll walk through how AD authentication actually works, break down common attack techniques, show you how to spot them in your own environment, and highlight the practical controls and best practices that truly strengthen your domain’s defenses.

Shane Albright, REN-ISAC; Emily Gladstone Cole, University of California, Berkeley; Christopher Clausen, National Center for Supercomputing Applications; Bartholomew Mallio, The Rockefeller University

Abstract on Member's Wiki.

Thursday, March 12, 2026

Joseph Karam, Princeton University; Steve Fullerton, Clemson University; Nicolas Colbert, Emory University

As higher education institutions increasingly rely on complex IT ecosystems, monitoring service maturity becomes critical for operational resilience and strategic growth. This expert panel will explore frameworks and best practices for assessing and advancing monitoring capabilities across diverse campus environments. We will discuss how institutions can align monitoring strategies with organizational goals, improve visibility into service health, and leverage automation in forecasting future trends. Panelists will share real-world examples of overcoming challenges in scaling monitoring maturity while balancing resource constraints. Attendees will gain actionable insights to strengthen their institution’s monitoring posture and support long-term service excellence.

Steven Bochniewicz, University of Maryland College Park

Abstract on the Member's Wiki.

Helen Patton, CISCO

Many security concerns haven't changed in years. But there are topics that security teams should be paying close attention to now, in new ways. In this session we will discuss four security things that should be on everyone's radar, and how to address them.

REN-ISAC

2026 REN-ISAC Member Meeting | March 2–12

Register Now: 2026 REN-ISAC Member Meeting

RIMM 2026 Schedule of Events

Monday, March 2, 2026

Tuesday, March 3, 2026

Wednesday, March 4, 2026

Thursday, March 5, 2026

Friday, March 6, 2026

Monday, March 9, 2026

Tuesday, March 10, 2026

Wednesday, March 11, 2026

Thursday, March 12, 2026

Our Sponsors

Research & Education Networks Information Sharing & Analysis Center

2026 REN-ISAC Member Meeting | March 2–12

Register Now: 2026 REN-ISAC Member Meeting

RIMM 2026 Schedule of Events

Monday, March 2, 2026

9:00 – 10:55 ET (14:00 - 15:55 UTC) REN-ISAC Executive Director and Directors Briefings (MO)

11:00 - 11:55 ET (16:00 - 16:55 UTC) The More It Changes, The More It Stays the Same (PB)

Tuesday, March 3, 2026

13:00 ET – 14:55 ET (18:00 - 18:55 UTC) REN-ISAC Executive Director and Directors Briefings (MO)

15:00 - 15:55 ET (20:00 - 20:55 UTC) Defending Beyond Defense (PB)

16:00 - 16:55 ET (21:00 - 21:55 UTC) The Power of Cyber Threat Intelligence Collaboration: Lessons from Canadian Higher Education (MO)

18:00 – 19:55 ET (23:00 - 24:55 UTC) REN-ISAC Executive Director and Directors Briefings (MO)

20:00 - 21:55 ET (1:00 - 2:55 UTC) Open Spaces (MO)

Wednesday, March 4, 2026

13:00 - 13:55 ET (18:00 - 18:55 UTC) Who Moved My Rock? Post-Quantum Cryptography and its Impact on Higher Education (PB)

14:00 - 14:55 ET (19:00 - 19:55 UTC) Securing Containers, Trapping Threats: Honeypots in Action (PB)

15:00 - 15:55 ET (20:00 - 20:55 UTC) Leadership Perspectives: What Keeps Our Executives Up at Night (PB)

18:00 - 18:55 ET (23:00 - 23:55 UTC) Open Spaces (MO)

19:00 – 20:55 ET (24:00 – 1:55 UTC) Social Hours (MO)

Thursday, March 5, 2026

10:00 - 10:55 ET (15:00 - 15:55 UTC) Still Dreaming of a Passwordless Future… (MO)

11:00 - 11:55 ET (16:00 -16:55 UTC) Community-Driven Security: REN-ISAC's Pentesting Offerings, Advantages, and On-ramps (MO)

14:00 - 14:55 ET (19:00 - 19:55 UTC) The State of Ransomware in Higher Education (PB)

15:00 - 15:55 ET (20:00 - 20:55 UTC) Open Spaces (MO)

Friday, March 6, 2026

13:00 - 16:00 ET (18:00 - 21:00 UTC) Elastic Capture the Flag Event (PB)

Monday, March 9, 2026

14:00 - 14:55 ET (18:00 - 18:55 UTC) "The computer did what now?": Lessons in Investigating and Automating EDR Alerts at Scale (PB)

15:00 - 15:55 ET (19:00 - 19:55 UTC) Supporting Research Under Expanding Cybersecurity Requirements (PB)

16:00 – 16:25 ET (20:00 – 20:25 UTC) How to Win Your Pentest (MO)

Tuesday, March 10, 2026

10:00 - 10:55 ET (14:00 - 14:55 UTC) Fake/ghost accounts at your institution? What are they doing? (MO)

11:00 - 11:55 ET (15:00 - 15:55 UTC) Get involved with EDUCAUSE, Internet2, and the REN-ISAC (MO)

13:00 - 13:55 ET (17:00 - 17:55 UTC) Bridging the Cyber Divide -Federal Policy, Higher Education, and the Future of Community Cyber Resilience (PB)

14:00 - 14:55 ET (18:00 - 18:55 UTC) OmniSOC and Notre Dame: Improving Detection through Pen Tests, Purple Teaming, and Working Together (MO)

15:00 – 15:25 ET (19:00 – 19:25 UTC) 24/7 Security Monitoring for Higher Ed and Research: An Overview of OmniSOC Services (PB)

15:30 – 15:55 ET (19:30 – 19:55 UTC) REN-ISAC information Security Assessment and Advisory Services: For Members, By Members (MO)

20:00 – 21:55 ET (24:00 – 1:55 UTC) Social Hours (MO)

Wednesday, March 11, 2026

11:00 - 12:00 ET (15:00 - 16:00 UTC) Moirai: Towards Threat Hunting Convergence with MCP (MO)

13:00 - 13:55 ET (17:00 - 17:55 UTC) Active Directory Security - 25 Years of Giving Up...NTDS.DIT (PB)

14:00 - 14:55 ET (18:00 - 18:55 UTC) Incident Response in Higher Education (MO)

Thursday, March 12, 2026

13:00 - 13:55 ET (17:00 - 17:55 UTC) Session details coming soon.

14:00 - 14:55 ET (18:00 - 18:55 UTC) Institutional Strategies for Monitoring Service Maturity (PB)

15:00 - 16:00 ET (19:00 - 20:00 UTC) Canaries for Clearing Out Your Phishing Mines (MO)

16:00 - 16:55 ET (20:00 - 20:55 UTC) What To Focus On Now (PB)

Our Sponsors