[secdir] [new-work] WG Review: Managed Incident Lightweight Exchange (mile)

The IESG <iesg@ietf.org> Thu, 01 November 2018 03:03 UTC

From: The IESG <iesg@ietf.org>
To: <new-work@ietf.org>
Date: Wed, 31 Oct 2018 20:03:22 -0700
Message-ID: <154104140296.5322.13562504299572757087.idtracker@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/new-work/g_UMHJsGkJf8Cx_OU0Vw1XsD9rw>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/wdfjMxP3cNVbgq8zYGXGJ7R1-rg>
Subject: [secdir] [new-work] WG Review: Managed Incident Lightweight Exchange (mile)

The Managed Incident Lightweight Exchange (mile) WG in the Security Area of
the IETF is undergoing rechartering. The IESG has not made any determination
yet. The following draft charter was submitted, and is provided for
informational purposes only. Please send your comments to the IESG mailing
list (iesg@ietf.org) by 2018-11-10.

Managed Incident Lightweight Exchange (mile)
Current status: Active WG

  Takeshi Takahashi <takeshi_takahashi@nict.go.jp>
  Nancy Cam-Winget <ncamwing@cisco.com>

  David Waltermire <david.waltermire@nist.gov>

Assigned Area Director:
  Alexey Melnikov <aamelnikov@fastmail.fm>

Security Area Directors:
  Eric Rescorla <ekr@rtfm.com>
  Benjamin Kaduk <kaduk@mit.edu>

Mailing list:
  Address: mile@ietf.org
  To subscribe: https://www.ietf.org/mailman/listinfo/mile
  Archive: https://mailarchive.ietf.org/arch/browse/mile/

Group page: https://datatracker.ietf.org/group/mile/

Charter: https://datatracker.ietf.org/doc/charter-ietf-mile/

The Managed Incident Lightweight Exchange (MILE) working group develops
standards to support computer and network security incident management; an
incident is an unplanned event that occurs in an information technology (IT)
infrastructure. An incident could be, among other things, a benign
configuration issue, an IT incident, a system compromise, a socially engineered
phishing attack, or a denial-of-service (DoS) attack. When an incident is
detected, or suspected, organizations may need to collaborate. This
collaboration may take several forms, including joint analysis, information
dissemination, and/or a coordinated operational response. Examples of the
response may include filing a report, notifying the source of the incident,
requesting that a third party resolve or mitigate the incident, sharing select
indicators of compromise, or requesting that the source be located. By sharing
the indicators of compromise associated with an incident or possible threat,
that information becomes a proactive defense for others, which may include
mitigation options.

The MILE WG is focused on two areas: standardizing a data format for
representing incident and indicator data, and standardizing mappings into
application substrate protocols, such as HTTP and XMPP, for sharing the
structured data. With respect to the data format, the working group has
adopted the Incident Object Description Exchange Format (IODEF, RFC 7970) as
one exchange format and will continue to:

- Revise the IODEF document to incorporate enhancements and extensions based
on operational experience. Use by Computer Security Incident Response Teams
(CSIRTs) and others has exposed the need to extend IODEF to support
industry-specific extensions, use-case-specific content, and representations
that associate information related to represented threats (systems, threat
actors, campaigns, etc.). The value of information sharing has been
demonstrated and highlighted at an increasing rate through the success of the
Information Sharing and Analysis Centers (ISACs). In addition, the
Multinational Alliance for Collaborative Cyber Situational Awareness (CCSA)
has been running experiments to determine what data is useful to exchange
between industries and nations to effectively mitigate threats. The work of
these and other groups has identified, and continues to develop, data
representations relevant to their use cases that may complement or extend IODEF.

- Provide guidance on the implementation and use of IODEF to facilitate

Though the working group also adopted Real-time Inter-network Defense (RID,
RFC 6545) to further enable the exchange of security policy information, its
transport mechanism, based on the Simple Object Access Protocol (SOAP), led
to the second focus for MILE: adopting more modern transports, namely a RESTful
interface through ROLIE (Resource-Oriented Lightweight Information Exchange,
RFC 8322) and a publish-subscribe model through XMPP-Grid
(draft-ietf-mile-xmpp-grid). The MILE WG will continue to:

- Update and enhance these transport protocols to optimize their performance
and representations; in particular, documenting how ROLIE can transport
JSON representations.

- Define and document how these transport protocols can also be used to
support other security information exchange formats. For example, documenting
how ROLIE can transport STIX (Structured Threat Information Expression) data.
As STIX is an expression format defined by the OASIS consortium, the working
group will maintain a relationship with OASIS to ensure proper use,
compatibility and interoperability when using STIX.

Milestones:
  Dec 2018 - Submit a draft on XMPP Protocol Extensions for Use with IODEF

  Dec 2018 - Submit a draft on JSON bindings of IODEF to the IESG for
  publication as a Standards Track RFC

  Apr 2019 - Submit a draft on RESTful indicator exchange for CSIRT usage as
  an Informational RFC
