
MILE side meeting, IETF81 in Quebec, Monday night July 25th

2011-07-11 09:31:23
Greetings, all,

To help us plan a bit for the (previously-announced) MILE pre-WG side meeting 
in Quebec, 19:30 Monday 25 July, after the technical plenary meeting, please 
let us know if you are interested in attending by filling out the doodle at:

http://www.doodle.com/e2w494tce6knmq6m

The working proposed charter is attached below for reference. Further details 
will be announced later.

Many thanks, and best regards,

Brian and Kathleen

Managed Incident Lightweight Exchange (mile)
--------------------------------------------

Proposed Working Group Charter

Chairs:
    Kathleen Moriarty <kathleen(_dot_)moriarty(_at_)emc(_dot_)com>
    Brian Trammell <trammell(_at_)tik(_dot_)ee(_dot_)ethz(_dot_)ch>

Security Area Directors:
    Stephen Farrell <stephen(_dot_)farrell(_at_)cs(_dot_)tcd(_dot_)ie>
    Sean Turner <turners(_at_)ieca(_dot_)com>

Security Area Advisor:
    Sean Turner <turners(_at_)ieca(_dot_)com>

Mailing Lists:
    General Discussion: mile(_at_)ietf(_dot_)org
    To Subscribe:       http://www.ietf.org/mailman/listinfo/mile
    Archive:            http://www.ietf.org/mail-archive/web/mile

Description:

The Managed Incident Lightweight Exchange (MILE) pre-working group will develop 
standards and extensions for the purpose of improving incident information 
sharing and handling capabilities based on the work developed in the IETF 
Extended INCident Handling (INCH) working group.  The Incident Object 
Description Exchange Format (IODEF) in RFC5070 and Real-time Inter-network 
Defense (RID) in RFC6045 were developed in the INCH working group by 
international Computer Security Incident Response Teams (CSIRTs) and industry 
to meet the needs of a global community interested in sharing, handling, and 
exchanging incident information.  The extensions and guidance created by the 
MILE working group assist with the daily operations of CSIRTs at an 
organization, service provider, law enforcement, and at the country level.  The 
application of IODEF and RID to interdomain incident information cooperative 
exchange and sharing has recently expanded and the need for extensions has 
become more important. Efforts continue to deploy IODEF and RID, as well as to extend them to 
support specific use cases covering reporting and mitigation of current threats 
such as anti-phishing extensions.

An incident could be a benign configuration issue, IT incident, an infraction 
to a service level agreement (SLA), a system compromise, socially engineered 
phishing attack, or a denial-of-service (DoS) attack, etc.  When an incident 
is detected, the response may include simply filing a report, notification to 
the source of the incident, a request to a third party for 
resolution/mitigation, or a request to locate the source.  IODEF defines a data 
representation that provides a standard format for sharing information commonly 
exchanged about computer security incidents.  RID enables the secure exchange 
of incident related information in an IODEF format providing options for 
security, privacy, and policy setting.

MILE leverages collaboration and sharing experiences with the work developed in 
the INCH working group which includes the data model detailed in the IODEF, 
existing extensions to the IODEF for Anti-phishing (RFC5901), and RID (RFC6045, 
RFC6046) for the secure exchange of information.  MILE will also leverage the 
experience gained in using IODEF and RID in operational contexts. Related work 
drafted outside of INCH will also be reviewed and includes RFC5941, Sharing 
Transaction Fraud Data.

The MILE working group provides coordination for these various extension 
efforts to improve the capabilities for exchanging incident information.  MILE 
has several objectives, the first being a description of a subset of IODEF 
focused on ease of deployment and applicability to current information security 
data sharing use cases.  MILE also describes a generalization of RID for secure 
exchange of other security-relevant XML formats.  MILE produces additional 
guidance needed for the successful exchange of incident information for new use 
cases according to policy, security, and privacy requirements.  Finally, MILE 
produces a document template with guidance for defining IODEF extensions to be 
followed when producing extensions to IODEF as appropriate, for:

 * labeling incident reports with data protection, data retention, and other 
   policies, regulations, and laws restricting the handling of those reports
 * reporting on mail service abuse incidents
 * reporting forensic data generated during incident investigation
 * reporting indicators of compromise in incident reports
 * reporting on financial fraud incidents
 * reporting incidents involving virtualized environments
 * referencing SCAP enumerations from within incident reports
 * profiling and reporting on characteristics of malware suspected or confirmed 
   to be involved in an incident
 * profiling and reporting on characteristics of actors (persons or groups) 
   suspected or confirmed to be involved in an incident
 * reporting on misuse incidents

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
