WG Review: Managed Incident Lightweight Exchange (mile)

The IESG <iesg-secretary@ietf.org> Fri, 28 June 2013 16:40 UTC

Return-Path: <iesg-secretary@ietf.org>
X-Original-To: ietf-announce@ietfa.amsl.com
Delivered-To: ietf-announce@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id E627B21F9B22; Fri, 28 Jun 2013 09:40:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.86
X-Spam-Status: No, score=-101.86 tagged_above=-999 required=5 tests=[AWL=0.740, BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id GNRJwYL3ziXY; Fri, 28 Jun 2013 09:40:17 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 4645B21F9B10; Fri, 28 Jun 2013 09:40:17 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Subject: WG Review: Managed Incident Lightweight Exchange (mile)
X-Test-IDTracker: no
X-IETF-IDTracker: 4.51.p2
Message-ID: <20130628164017.27055.32231.idtracker@ietfa.amsl.com>
Date: Fri, 28 Jun 2013 09:40:17 -0700
Cc: mile WG <mile@ietf.org>
X-BeenThere: ietf-announce@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: ietf@ietf.org
List-Id: "IETF announcement list. No discussions." <ietf-announce.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-announce>, <mailto:ietf-announce-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf-announce>
List-Post: <mailto:ietf-announce@ietf.org>
List-Help: <mailto:ietf-announce-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-announce>, <mailto:ietf-announce-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Jun 2013 16:40:18 -0000

The Managed Incident Lightweight Exchange (mile) working group in the
Security Area of the IETF is undergoing rechartering. The IESG has not
made any determination yet. The following draft charter was submitted,
and is provided for informational purposes only. Please send your
comments to the IESG mailing list (iesg at ietf.org) by 2013-07-08.

Managed Incident Lightweight Exchange (mile)
Current Status: Active WG

  Kathleen Moriarty <Kathleen.Moriarty@emc.com>
  Brian Trammell <trammell@tik.ee.ethz.ch>

Assigned Area Director:
  Sean Turner <turners@ieca.com>

Mailing list
  Address: mile@ietf.org
  To Subscribe: https://www.ietf.org/mailman/listinfo/mile
  Archive: http://www.ietf.org/mail-archive/web/mile/


The Managed Incident Lightweight Exchange (MILE) working group develops
standards to support computer and network security incident management;
an incident is an unplanned event that occurs in an information
technology (IT) infrastructure. An incident could be a benign
configuration issue, IT incident, an infraction to a service level
agreement (SLA), a system compromise, socially engineered phishing
attack, or a denial-of-service (DoS) attack, etc.  When an incident is
detected, or suspected, there may be a need for organizations to
collaborate. This collaboration effort may take several forms including
joint analysis, information dissemination, and/or a coordinated
operational response.  Examples of the response may include filing a
report, notifying the source of the incident, requesting that a third
party resolve/mitigate the incident, sharing select indicators of
compromise, or requesting that the source be located. By sharing
indicators of compromise associated with an incident or possible threat,
the information becomes a proactive defense for others that may include
mitigation options. The Incident Object Description Exchange Format
(IODEF) defines an information framework to represent computer and
network security incidents; IODEF is defined in RFC 5070 and has been
extended by RFC 5091 to support phishing reports; RFC 6484 provides a
template for defining extensions to IODEF. Real-time Inter-network
Defense (RID) defines a protocol to facilitate sharing computer and
network security incidents; RID is defined in RFC 6545, and RID over
HTTPS is defined in RFC 6546.

The MILE WG is focused on two areas, IODEF, the data format and
to represent incident and indicator data, and RID, the policy and
transport for structured data.  With respect to IODEF, the working group

- Revise the IODEF document to incorporate enhancements and extensions
based on operational experience. Use by Computer Security Incident
Response Teams (CSIRTs) and others has exposed the need to extend IODEF
to support industry specific extensions, use case specific content, and
representations to associate information related to represented threats
(system, threat actors, campaigns, etc.).  The value of information
sharing has been demonstrated and highlighted at an increasing rate
through the success of the Information Sharing and Analysis Centers
(ISACs) and the recent cyber security Executive Order in the US.
International groups, such as the Multinational Alliance for
Collaborative Cyber Situational Awareness (CCSA) have been running
experiments to determine what data is useful to exchange between
industries and nations to effectively mitigate threats.  The work of
these and other groups have identified or are working to develop data
representations relevant to their use cases that may compliment/extend
IODEF or be useful to exchange using RID and related transport protocols.

- Provide guidance on the implementation and use of IODEF to aid
implementers in developing interoperable specifications.

With respect to RID, the working group will:

- Define a resource-oriented approach to cyber security information
sharing that follows the REST architectural style. This mechanism will
allow CSIRTS to be more dynamic and agile in collaborating with a
broader, and varying constituency.

- Provide guidance on the implementation and use of RID transports based
on use cases.  The guidance document will show the relationship between
transport options (RID + RID transport and IODEF/RID + ROLIE) and may
identify the need for additional transport bindings.

- RID may require modifications to address data provenance, additional
policy options, or other changes now that there are multiple
interoperable implementations of RFC6545 and RFC6546.  With the RID
implementations in the open source community, increased use and
experimentation may demonstrate the need for a revision. 

  Aug 2013 - Submit a draft on the representation of Structured
Cybersecurity Information in IODEF to the IESG for publication as a
Standards Track RFC
  Aug 2013 - Submit a draft on enumeration reference formats for IODEF to
the IESG for publication as a Standards Track RFC
  Dec 2013 - Submit a draft on RESTful indicator exchange using IODEF/RID
to the IESG for publication as an Informational RFC
  Jan 2014 - Submit an update of RFC5070 to the IESG for publication as a
Standards Track RFC
  Apr 2014 - Submit a draft on guidance for IODEF applications to the
IESG for publication as an Informational RFC