Hello,
This email is to announce that we will be holding a side meeting for a
pre-working group to review the proposed charter and some of the work to be
completed in the proposed group. The side meeting will take place Monday, July
25th following the Technical Plenary, at 19:30 PM.
Thank you,
Kathleen & Brian
Managed Incident Lightweight Exchange (mile)
--------------------------------------------
Proposed Working Group Charter
Chairs:
Kathleen Moriarty
<kathleen(_dot_)moriarty(_at_)emc(_dot_)com<mailto:kathleen(_dot_)moriarty(_at_)emc(_dot_)com>>
Brian Trammell
<trammell(_at_)tik(_dot_)ee(_dot_)ethz(_dot_)ch<mailto:trammell(_at_)tik(_dot_)ee(_dot_)ethz(_dot_)ch>>
Security Area Directors:
Stephen Farrell
<stephen(_dot_)farrell(_at_)cs(_dot_)tcd(_dot_)ie<mailto:stephen(_dot_)farrell(_at_)cs(_dot_)tcd(_dot_)ie>>
Sean Turner
<turners(_at_)ieca(_dot_)com<mailto:turners(_at_)ieca(_dot_)com>>
Security Area Advisor:
Sean Turner
<turners(_at_)ieca(_dot_)com<mailto:turners(_at_)ieca(_dot_)com>>
Mailing Lists:
General Discussion:
mile(_at_)ietf(_dot_)org<mailto:mile(_at_)ietf(_dot_)org>
To Subscribe: http://www.ietf.org/mailman/listinfo/mile
Archive: http://www.ietf.org/mail-archive/web/mile
Description of Working Group:
The Managed Incident Lightweight Exchange (MILE) pre-working group will develop
standards and extensions for the purpose of improving incident information
sharing and handling capabilities based on the work developed in the IETF
Extended INCident Handling (INCH) working group. The Incident Object
Description Exchange Format (IODEF) in RFC5070 and Real-time Inter-network
Defense (RID) in RFC6045 were developed in the INCH working group by
international Computer Security Incident Response Teams (CSIRTs) and industry
to meet the needs of a global community interested in sharing, handling, and
exchanging incident information. The extensions and guidance created by the
MILE working group assists with the daily operations of CSIRTs at an
organization, service provider, law enforcement, and at the country level. The
application of IODEF and RID to interdomain incident information cooperative
exchange and sharing has recently expanded and the need for extensions has
become more im
portant. Efforts continue to deploy IODEF and RID, as well as to extend them
to support specific use cases covering reporting and mitigation of current
threats such as anti-phishing extensions.
An incident could be a benign configuration issue, IT incident, an infraction
to a service level agreement (SLA), a system compromise, socially engineered
phishing attack, or a denial-of-service (DoS) attack, etc.. When an incident
is detected, the response may include simply filing a report, notification to
the source of the incident, a request to a third party for
resolution/mitigation, or a request to locate the source. IODEF defines a data
representation that provides a standard format for sharing information commonly
exchanged about computer security incidents. RID enables the secure exchange
of incident related information in an IODEF format providing options for
security, privacy, and policy setting.
MILE leverages collaboration and sharing experiences with the work developed in
the INCH working group which includes the data model detailed in the IODEF,
existing extensions to the IODEF for Anti-phishing (RFC5901), and RID (RFC6045,
RFC6046) for the secure exchange of information. MILE will also leverage the
experience gained in using IODEF and RID in operational contexts. Related work,
drafted outside of INCH will also be reviewed and includes RFC5941, Sharing
Transaction Fraud Data.
The MILE working group provides coordination for these various extension
efforts to improve the capabilities for exchanging incident information. MILE
has several objectives with the first being a description a subset of IODEF
focused on ease of deployment and applicability to current information security
data sharing use cases. MILE also describes a generalization of RID for secure
exchange of other security-relevant XML formats. MILE produces additional
guidance needed for the successful exchange of incident information for new use
cases according to policy, security, and privacy requirements. Finally, MILE
produces a document template with guidance for defining IODEF extensions to be
followed when producing extensions to IODEF as appropriate, for:
* labeling incident reports with data protection, data retention, and other
policies, regulations, and
laws restricting the handling of those reports
* reporting on mail service abuse incidents
* reporting forensic data generated during incident investigation
* reporting indicators of compromise in incident reports
* reporting on financial fraud incidents
* reporting incidents involving virtualized environments
* referencing SCAP enumerations from within incident reports
* profiling and reporting on characteristics of malware suspected or
confirmed to be involved in an incident
* profiling and reporting on characteristics of actors (persons or groups)
suspected or confirmed to be
involved in an incident
* reporting on misuse incidents
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf