Managed Incident Lightweight Exchange (MILE) Overview and Participation Kathleen Moriarty Global Lead Security Architect EMC Corporate CTO Office Agenda IETF’s Managed Incident Lightweight Exchange (MILE) – – – – Overview and Scope Charter & documents Data formats Transport How can I help? – End users, developers, implementers, vendors, etc. MILE: Solving Interoperable Exchanges Data Share, consume, process, and amend indicator and incident data – Enable easy processing and use by ▪ Incident Management Systems, ▪ Security Information and Event Management systems (SIEM), ▪ intrusion detection systems, etc. – Intelligence feeds for situational awareness – Enable risk-based prioritization for remediation and defensive actions – Intended as a wire format Provide not only a common format, but also an architecture and protocol exchange – Enabling interoperable peer-to-peer, repository access, and federated exchanges with publish/subscribe capabilities Scope of Data Formats Classes of Data Description 1 Cyber Intelligence Analysis Describes the characteristics of the threat 2 Cyber Incident Reporting Describes a particular cyber event 3 Cyber Event Mitigation Describes a proactive or reactive mitigation 4 Cyber Information Sharing Describes the meta-data necessary to share information with a third party Questions to refine the scope and updates to IODEF will be covered on the [email protected] mailing list over the next 2 months – The data tracker is in use to track issues, comments and feedback is requested on scope and issues. Please post them to the mailing list. Your contributions will shape IODEF v2. – http://tools.ietf.org/wg/mile/trac/report/1 – IODEF v2 is planned for publication January 2014! Chart presented by Roman Danyliw at IETF-87 Overview Updated Charter: – http://datatracker.ietf.org/wg/mile/charter/ Current list of documents: http://datatracker.ietf.org/wg/mile/ – – – – – RFC5070-bis IODEF Enumeration Reference Format Structured Cybersecurity Information (SCI) IODEF Guidance RESTful indicator exchange using IODEF/RID IODEF:Incident IODEF Data Model • Supports Enterprise, CSIRT, and Service Provider Operations • Internationalization support – – Various Encodings Translations iodef:IncidentID iodef:AlternativeID iodef:RelatedActivity iodef:DetectTime • Data handling labels – – Sensitivity (includes TLP) Confidence • Extensibility of attributes and adding new elements • Predicate logic under review in IODEF Guidance document • Commonly exchanged indicator data representation – e.g., IP addresses, ports, protocols, applications, etc. • Context rich to support indicator and incident information – History and requested actions • Exploit and vulnerability references – Enumeration draft • Forensics information – is more needed? iodef:StartTime iodef:EndTime iodef:EventData iodef:Description iodef:DetectTime iodef:StartTime iodef:EndTime iodef:Contact iodef:ReportTime iodef:Assessment iodef:Assessment iodef:Method iodef:Method iodef:Flow iodef:Contact iodef:Expectation iodef:EventData iodef:Record iodef:History iodef:EventData iodef:AdditionalData iodef:AdditionalData Structured Cybersecurity Information (SCI) and Enumeration Reference Format drafts Drafts are in final review stages and will be integrated into IODEF v2 SCI draft provides consistent extension points for standalone schemas to be embedded in IODEF as extensions. – Extension points include: ▪ ▪ ▪ ▪ ▪ ▪ ▪ AttackPattern Vulnerability Weakness Platform EventReport Verification Remediation – Example schemas may include ▪ MMDEF, XCCDF, ACEML, OVAL, etc. Enumeration Reference Format draft provides a consistent format for parsing reference values, such as a vulnerability number, for example CVE MILE Incident & Indicator Exchanges Communication and Searches from Providers & Trusted Entities Analysis Center Sharing Group ROLIE RID Detection & Security Systems Indicator System Incident Mgmt RFC6545 & RFC6546 Trusted Entity Partner, Peer, Service Provider Automate exchange ofwatch lists of indicators to address many use cases such as anti-phishing, DDoS, eCrime, etc. How Can I help? Participate in the IETF MILE working group: – Meetings are held three times a year ▪ Meeting dates/times can be found at: http://www.ietf.org ▪ Participation can be in person or remote via MeetEcho ▪ All decisions are finalized on the mailing list – Join [email protected] mailing list ▪ Participate in an existing thread ▪ Start a thread on any questions based on review of a draft ▪ Start a thread on work to be proposed related to MILE Review implementation list: – http://siis.realmv6.org/implementations/ Contribute to open source code: – https://github.com/RSAIntelShare Provide feedback on code and associated RFCs and drafts Thank you!