
Mile Status Pages

Managed Incident Lightweight Exchange (Active WG)
Sec Area: Eric Rescorla, Benjamin Kaduk | 2011-Oct-25

2018-07-19 charter

Managed Incident Lightweight Exchange (mile)


 Current Status: Active

 Chairs:
     Nancy Cam-Winget <ncamwing@cisco.com>
     Takeshi Takahashi <takeshi_takahashi@nict.go.jp>

 Security Area Directors:
     Benjamin Kaduk <kaduk@mit.edu>
     Eric Rescorla <ekr@rtfm.com>

 Security Area Advisor:
     Alexey Melnikov <aamelnikov@fastmail.fm>

     David Waltermire <david.waltermire@nist.gov>

 Mailing Lists:
     General Discussion: mile@ietf.org
     To Subscribe:       https://www.ietf.org/mailman/listinfo/mile
     Archive:            https://mailarchive.ietf.org/arch/browse/mile/

Description of Working Group:

  The Managed Incident Lightweight Exchange (MILE) working group develops
  standards to support computer and network security incident management;
  an incident is an unplanned event that occurs in an information
  technology (IT) infrastructure. An incident could be a benign
  configuration issue, IT incident, a system compromise, socially engineered phishing attack, or a denial-of-service (DoS) attack, etc.  When an incident is
  detected, or suspected, there may be a need for organizations to
  collaborate. This collaboration effort may take several forms including
  joint analysis, information dissemination, and/or a coordinated
  operational response.  Examples of the response may include filing a
  report, notifying the source of the incident, requesting that a third
  party resolve/mitigate the incident, sharing select indicators of
  compromise, or requesting that the source be located. By sharing
  indicators of compromise associated with an incident or possible threat,
  the information becomes a proactive defense for others that may include
  mitigation options. The Incident Object Description Exchange Format
  (IODEF) defines an information framework to represent computer and
  network security incidents; IODEF is defined in RFC 5070 and has been
  extended by RFC 5091 to support phishing reports; RFC 6484 provides a
  template for defining extensions to IODEF. Real-time Inter-network
  Defense (RID) defines a protocol to facilitate sharing computer and
  network security incidents; RID is defined in RFC 6545, and RID over
  HTTPS is defined in RFC 6546.

  The MILE WG is focused on two areas: IODEF, the data format and extensions
  to represent incident and indicator data, and RID, the policy and
  transport for structured data.  With respect to IODEF, the working group will:

  - Revise the IODEF document to incorporate enhancements and extensions
  based on operational experience. Use by Computer Security Incident
  Response Teams (CSIRTs) and others has exposed the need to extend IODEF
  to support industry specific extensions, use case specific content, and
  representations to associate information related to represented threats
  (system, threat actors, campaigns, etc.).  The value of information
  sharing has been demonstrated and highlighted at an increasing rate
  through the success of the Information Sharing and Analysis Centers
  (ISACs) and the recent cyber security Executive Order in the US.
  International groups, such as the Multinational Alliance for
  Collaborative Cyber Situational Awareness (CCSA) have been running
  experiments to determine what data is useful to exchange between
  industries and nations to effectively mitigate threats.  The work of
  these and other groups has identified, or is working to develop, data
  representations relevant to their use cases that may complement or extend
  IODEF or be useful to exchange using RID and related transport protocols.

  - Provide guidance on the implementation and use of IODEF to aid
  implementers in developing interoperable specifications.

  With respect to RID, the working group will:

  - Define a resource-oriented approach to cyber security information
  sharing that follows the REST architectural style. This mechanism will
  allow CSIRTs to be more dynamic and agile in collaborating with a
  broader and varying constituency.

  - Provide guidance on the implementation and use of RID transports based
  on use cases.  The guidance document will show the relationship between
  transport options (RID + RID transport and IODEF/RID + ROLIE) and may
  identify the need for additional transport bindings.

  - RID may require modifications to address data provenance, additional
  policy options, or other changes now that there are multiple
  interoperable implementations of RFC 6545 and RFC 6546.  With the RID
  implementations in the open source community, increased use and
  experimentation may demonstrate the need for a revision.

Goals and Milestones:
  Done     - Submit a draft on the representation of Structured Cybersecurity Information in IODEF to the IESG for publication as a Standards Track RFC
  Done     - Submit a draft on enumeration reference formats for IODEF to the IESG for publication as a Standards Track RFC
  Done     - Submit an update of RFC5070 to the IESG for publication as a Standards Track RFC
  Done     - Submit a draft on RESTful indicator exchange using IODEF/RID to the IESG for publication as an Informational RFC
  Done     - Submit a draft on guidance for IODEF applications to the IESG for publication as an Informational RFC
  Dec 2018 - Submit a draft on XMPP Protocol Extensions for Use with IODEF
  Dec 2018 - Submit a draft on JSON bindings of IODEF to the IESG for publication as a Standards Track RFC
  Apr 2019 - Submit a draft on RESTful indicator exchange for CSIRT usage as an Informational RFC

Latest update: 24 Oct 2012 16:51 GMT