IETF Logo Mail Archive

[mile] MILE Charter and Milestones

<kathleen.moriarty@emc.com> Thu, 08 September 2011 16:51 UTC

Return-Path: <kathleen.moriarty@emc.com>
X-Original-To: mile@ietfa.amsl.com
Delivered-To: mile@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 60B3A21F8797 for <mile@ietfa.amsl.com>; Thu, 8 Sep 2011 09:51:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.3
X-Spam-Level:
X-Spam-Status: No, score=-6.3 tagged_above=-999 required=5 tests=[AWL=0.299, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5VScv1BKX01s for <mile@ietfa.amsl.com>; Thu, 8 Sep 2011 09:51:32 -0700 (PDT)
Received: from mexforward.lss.emc.com (mexforward.lss.emc.com [128.222.32.20]) by ietfa.amsl.com (Postfix) with ESMTP id 4A8AB21F86A5 for <mile@ietf.org>; Thu, 8 Sep 2011 09:51:31 -0700 (PDT)
Received: from hop04-l1d11-si02.isus.emc.com (HOP04-L1D11-SI02.isus.emc.com [10.254.111.55]) by mexforward.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id p88GrNsE012979 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <mile@ietf.org>; Thu, 8 Sep 2011 12:53:23 -0400
Received: from mailhub.lss.emc.com (mailhub.lss.emc.com [10.254.222.130]) by hop04-l1d11-si02.isus.emc.com (RSA Interceptor) for <mile@ietf.org>; Thu, 8 Sep 2011 12:53:09 -0400
Received: from mxhub20.corp.emc.com (mxhub20.corp.emc.com [10.254.93.49]) by mailhub.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id p88Gr7dS008089 for <mile@ietf.org>; Thu, 8 Sep 2011 12:53:08 -0400
Received: from mx06a.corp.emc.com ([169.254.1.225]) by mxhub20.corp.emc.com ([10.254.93.49]) with mapi; Thu, 8 Sep 2011 12:49:28 -0400
From: kathleen.moriarty@emc.com
To: mile@ietf.org
Date: Thu, 08 Sep 2011 12:49:27 -0400
Thread-Topic: MILE Charter and Milestones
Thread-Index: AcxuR0U+ABS1699SQe2haPjTGvcrIg==
Message-ID: <AE31510960917D478171C79369B660FA0E08DAE383@MX06A.corp.emc.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-EMM-MHVC: 1
Subject: [mile] MILE Charter and Milestones
X-BeenThere: mile@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Managed Incident Lightweight Exchange, IODEF extensions and RID exchanges" <mile.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mile>, <mailto:mile-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mile>
List-Post: <mailto:mile@ietf.org>
List-Help: <mailto:mile-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mile>, <mailto:mile-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Sep 2011 16:51:33 -0000

Hello,

Thank you for your participation in this pre-working group effort.  The working proposed charter is attached below for comment and review.  Initial milestones have been proposed for our first set of work items and agreed to by editors.  A few of the draft documents have not been posted yet, but are expected to have at least an initial draft prior to the submission deadline for the November meeting (10/24/11).  We can expand the charter to include more documents as we progress other work in the future.  If there are additional documents in which the editors have plans to publish a draft prior to November, please let us know as soon as possible so we can amend the list as appropriate.

Many thanks, and best regards,

Brian and Kathleen



Managed Incident Lightweight Exchange (mile)
--------------------------------------------

Proposed Working Group Charter

Chairs:
    Kathleen Moriarty <kathleen.moriarty@emc.com<mailto:kathleen.moriarty@emc.com>>
    Brian Trammell <trammell@tik.ee.ethz.ch<mailto:trammell@tik.ee.ethz.ch>>

Security Area Directors:
    Stephen Farrell <stephen.farrell@cs.tcd.ie<mailto:stephen.farrell@cs.tcd.ie<mailto:stephen.farrell@cs.tcd.ie<mailto:stephen.farrell@cs.tcd.ie>>>
    Sean Turner <turners@ieca.com<mailto:turners@ieca.com<mailto:turners@ieca.com<mailto:turners@ieca.com>>>

Security Area Advisor:
    Sean Turner <turners@ieca.com<mailto:turners@ieca.com>>

Mailing Lists:
    General Discussion: mile@ietf.org<mailto:mile@ietf.org>
    To Subscribe:       http://www.ietf.org/mailman/listinfo/mile
    Archive:            http://www.ietf.org/mail-archive/web/mile

Description:

The Managed Incident Lightweight Exchange (MILE) pre-working group will develop standards and extensions for the purpose of improving incident information sharing and handling capabilities based on the work developed in the IETF Extended INCident Handling (INCH) working group.  The Incident Object Description Exchange Format (IODEF) in RFC5070 and Real-time Inter-network Defense (RID) in RFC6045 were developed in the INCH working group by international Computer Security Incident Response Teams (CSIRTs) and industry to meet the needs of a global community interested in sharing, handling, and exchanging incident information.  The extensions and guidance created by the MILE working group assists with the daily operations of CSIRTs at an organization, service provider, law enforcement, and at the country level.  The application of IODEF and RID to interdomain incident information cooperative exchange and sharing has recently expanded and the need for extensions has become more important. Efforts continue to deploy IODEF and RID, as well as to extend them to support specific use cases covering reporting and mitigation of current threats such as anti-phishing extensions.

An incident could be a benign configuration issue, IT incident, an infraction to a service level agreement (SLA), a system compromise, socially engineered phishing attack, or a denial-of-service (DoS) attack, etc..  When an incident is detected, the response may include simply filing a report, notification to the source of the incident, a request to a third party for resolution/mitigation, or a request to locate the source.  IODEF defines a data representation that provides a standard format for sharing information commonly exchanged about computer security incidents.  RID enables the secure exchange of incident related information in an IODEF format providing options for security, privacy, and policy setting.

MILE leverages collaboration and sharing experiences with the work developed in the INCH working group which includes the data model detailed in the IODEF, existing extensions to the IODEF for Anti-phishing (RFC5901), and RID (RFC6045, RFC6046) for the secure exchange of information.  MILE will also leverage the experience gained in using IODEF and RID in operational contexts. Related work, drafted outside of INCH will also be reviewed and includes RFC5941, Sharing Transaction Fraud Data.

The MILE working group provides coordination for these various extension efforts to improve the capabilities for exchanging incident information.  MILE has several objectives with the first being a description a subset of IODEF focused on ease of deployment and applicability to current information security data sharing use cases.  MILE also describes a generalization of RID for secure exchange of other security-relevant XML formats.  MILE produces additional guidance needed for the successful exchange of incident information for new use cases according to policy, security, and privacy requirements.  Finally, MILE produces a document template with guidance for defining IODEF extensions to be followed when producing extensions to IODEF as appropriate, for:

 * labeling incident reports with data protection, data retention, and other policies, regulations, and
   laws restricting the handling of those reports
 * referencing SCAP enumerations from within incident reports

The initial milestones for MILE include the following documents:
 * Template for extensions to IODEF: draft-trammell-mile-template-01.txt
   Working group last call: December 2011
 * Expert Review for IODEF Extensions in IANA XML Registry: draft-trammell-mile-iodef-xmlreg-00.txt
   Working group last call: December 2011
 * IODEF-extension to support structured cybersecurity information: draft-takahashi-mile-sci-00.txt
   Achieve consensus on approach: March 2012
 * Labeling for data protection, retention, policies, and regulations: draft-goodier-mile-data-markers-00.txt
   Achieve consensus on approach: March 2012
 * GRC Report Exchange (Generalized RID for XML reports/documents): draft-moriarty-mile-grc-exchange-00.txt
   Achieve consensus on approach for LI-XML and GRC-XML reports: May 2012
 * IODEF Guidance: draft-millar-mile-iodef-guidance-00.txt
   Achieve consensus on approach: March 2012
 * Forensics extension: draft expected to be submitted prior to submission deadline for November meeting
   Achieve consensus on approach: July 2012



__________________________________________________________________________________
Associated documents that may move forward before wG (comments needed by October):

Real-time Inter-network Defense (RID)
http://tools.ietf.org/html/draft-moriarty-mile-rfc6045-bis-01

Transport of Real-time Inter-network Defense (RID) Messages
http://tools.ietf.org/id/draft-trammell-mile-rfc6046-bis-00.txt


Documents to be added later:
 * reporting on mail service abuse incidents
 * reporting forensic data generated during incident investigation
 * reporting indicators of compromise in incident reports
 * reporting on financial fraud incidents
 * reporting incidents involving virtualized environments
 * profiling and reporting on characteristics of actors (persons or groups) suspected or confirmed to be
   involved in an incident
 * reporting on misuse incidents

May be covered in SCAP extension already:
 * profiling and reporting on characteristics of malware suspected or confirmed to be involved in an incident

v2.23.0 | Report a Bug | By Email