Managed Incident Lightweight Exchange (MILE) Overview and Participation
Kathleen Moriarty, Global Lead Security Architect, EMC Corporate CTO Office

Agenda
• IETF's Managed Incident Lightweight Exchange (MILE)
  – Overview and Scope
  – Charter & documents
  – Data formats
  – Transport
• How can I help?
  – End users, developers, implementers, vendors, etc.

MILE: Solving Interoperable Exchanges
• Share, consume, process, and amend indicator and incident data
  – Enable easy processing and use by
    ▪ Incident Management Systems,
    ▪ Security Information and Event Management systems (SIEM),
    ▪ intrusion detection systems, etc.
  – Intelligence feeds for situational awareness
  – Enable risk-based prioritization for remediation and defensive actions
  – Intended as a wire format
• Provide not only a common format, but also an architecture and protocol exchange
  – Enabling interoperable peer-to-peer, repository access, and federated exchanges with publish/subscribe capabilities

Scope of Data Formats

  #  Class of Data                 Description
  1  Cyber Intelligence Analysis   Describes the characteristics of the threat
  2  Cyber Incident Reporting      Describes a particular cyber event
  3  Cyber Event Mitigation        Describes a proactive or reactive mitigation
  4  Cyber Information Sharing     Describes the meta-data necessary to share information with a third party

• Questions to refine the scope and updates to IODEF will be covered on the mailing list over the next 2
  – The data tracker is in use to track issues; comments and feedback are requested on scope and issues. Please post them to the mailing list. Your contributions will shape IODEF v2.
  – IODEF v2 is planned for publication January 2014!
Chart presented by Roman Danyliw at IETF-87

Overview
• Updated Charter:
• Current list of documents:
  – RFC5070-bis
  – IODEF Enumeration Reference Format
  – Structured Cybersecurity Information (SCI)
  – IODEF Guidance
  – RESTful indicator exchange using IODEF/RID

IODEF Data Model
• Supports Enterprise, CSIRT, and Service Provider Operations
• Internationalization support
  – Various Encodings
  – Translations
• Data handling labels
  – Sensitivity (includes TLP)
  – Confidence
• Extensibility of attributes and adding new elements
• Predicate logic under review in IODEF Guidance document
• Commonly exchanged indicator data representation
  – e.g., IP addresses, ports, protocols, applications, etc.
• Context rich to support indicator and incident information
  – History and requested actions
• Exploit and vulnerability references
  – Enumeration draft
• Forensics information – is more needed?

[Diagram: IODEF:Incident contains iodef:IncidentID, iodef:AlternativeID, iodef:RelatedActivity, iodef:DetectTime, iodef:StartTime, iodef:EndTime, iodef:ReportTime, iodef:Assessment, iodef:Method, iodef:Contact, iodef:EventData, iodef:History, iodef:AdditionalData; iodef:EventData contains iodef:Description, iodef:DetectTime, iodef:StartTime, iodef:EndTime, iodef:Contact, iodef:Assessment, iodef:Method, iodef:Flow, iodef:Expectation, iodef:Record, iodef:EventData, iodef:AdditionalData]

Structured Cybersecurity Information (SCI) and Enumeration Reference Format drafts
Drafts are in final review stages and will be integrated into IODEF v2
• SCI draft provides consistent extension points for stand-alone schemas to be embedded in IODEF as extensions.
  – Extension points include:
    ▪ AttackPattern
    ▪ Vulnerability
    ▪ Weakness
    ▪ Platform
    ▪ EventReport
    ▪ Verification
    ▪ Remediation
  – Example schemas may include
    ▪ MMDEF, XCCDF, ACEML, OVAL, etc.
• Enumeration Reference Format draft provides a consistent format for parsing reference values, such as a vulnerability number, for example CVE
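As an added example (not from these slides or from any MILE implementation), the following Python builds a minimal IODEF 1.0 (RFC 5070) document with the Incident and EventData elements the data-model slide lists, carries a vulnerability enumeration id in Method/Reference as the Enumeration Reference draft describes, serializes it as the wire format and extracts the consumer-side view. The CSIRT name, incident id, timestamp, addresses and the CVE placeholder are constructed sample values.

```python
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"  # IODEF v1 namespace (RFC 5070)
ET.register_namespace("iodef", IODEF_NS)

def q(tag):
    """Namespace-qualify an IODEF element name for ElementTree."""
    return "{%s}%s" % (IODEF_NS, tag)

def build_incident(incident_id, csirt, source_ips, references, action):
    """Build one Incident with the elements the slide lists: IncidentID, ReportTime,
    Assessment, Method (enumeration references such as a CVE id), Contact,
    EventData/Flow (indicators) and Expectation (requested action). The data
    handling label rides in the 'restriction' attribute."""
    doc = ET.Element(q("IODEF-Document"), version="1.00", lang="en")
    inc = ET.SubElement(doc, q("Incident"), purpose="mitigation", restriction="need-to-know")
    ET.SubElement(inc, q("IncidentID"), name=csirt).text = incident_id
    ET.SubElement(inc, q("ReportTime")).text = "2014-01-15T09:30:00+00:00"  # constructed
    ET.SubElement(ET.SubElement(inc, q("Assessment")), q("Impact"),
                  type="dos", severity="medium", completion="failed")
    method = ET.SubElement(inc, q("Method"))
    for ref_id in references:  # vulnerability/exploit reference by enumeration id
        ref = ET.SubElement(method, q("Reference"))
        ET.SubElement(ref, q("ReferenceName")).text = ref_id
    contact = ET.SubElement(inc, q("Contact"), role="creator", type="organization")
    ET.SubElement(contact, q("ContactName")).text = csirt
    ET.SubElement(contact, q("Email")).text = "csirt@" + csirt
    event = ET.SubElement(inc, q("EventData"))
    flow = ET.SubElement(event, q("Flow"))
    for ip in source_ips:  # commonly exchanged indicator data: source addresses
        system = ET.SubElement(flow, q("System"), category="source")
        node = ET.SubElement(system, q("Node"))
        ET.SubElement(node, q("Address"), category="ipv4-addr").text = ip
    ET.SubElement(event, q("Expectation"), action=action)
    return doc

def wire_roundtrip(doc):
    """Serialize to XML (the wire format) and parse it back, as a receiver would."""
    return ET.fromstring(ET.tostring(doc, encoding="unicode"))

def extract_indicators(doc):
    """Consumer-side view: handling label, source addresses, references, actions."""
    ns = {"iodef": IODEF_NS}
    return {
        "restriction": doc.find("iodef:Incident", ns).get("restriction"),
        "sources": [a.text for a in doc.findall(
            ".//iodef:System[@category='source']/iodef:Node/iodef:Address", ns)],
        "references": [r.text for r in doc.findall(".//iodef:Reference/iodef:ReferenceName", ns)],
        "actions": [e.get("action") for e in doc.findall(".//iodef:Expectation", ns)],
    }
```

A receiving SIEM or incident management system would gate its automated action on the restriction label and Expectation action before acting on the extracted addresses.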

MILE Incident & Indicator Exchanges
[Diagram labels: Communication and Searches from Providers & Trusted Entities; Detection & Security Systems; RID; ROLIE; Indicator System; Incident Mgmt; Partner, Peer, Service Provider; Trusted Entity; Analysis Center; Sharing Group; RFC6545 & RFC6546]
Automate exchange of watch lists of indicators to address many use cases such as anti-phishing, DDoS, eCrime, etc.

How Can I help?
• Participate in the IETF MILE working group:
  – Meetings are held three times a year
    ▪ Meeting dates/times can be found at:
    ▪ Participation can be in person or remote via MeetEcho
    ▪ All decisions are finalized on the mailing list
  – Join mailing list
    ▪ Participate in an existing thread
    ▪ Start a thread on any questions based on review of a draft
    ▪ Start a thread on work to be proposed related to MILE
• Review implementation list:
• Contribute to open source code:
• Provide feedback on code and associated RFCs and drafts