Managed Incident Lightweight Exchange (MILE)

Overview and Participation
Kathleen Moriarty
Global Lead Security Architect
EMC Corporate CTO Office
Agenda
 IETF’s Managed Incident Lightweight Exchange (MILE)
 – Overview and Scope
 – Charter & documents
 – Data formats
 – Transport
 How can I help?
 – End users, developers, implementers, vendors, etc.
MILE: Solving Interoperable Exchanges
Data
 Share, consume, process, and amend indicator and incident data
 – Enable easy processing and use by
   ▪ Incident Management Systems,
   ▪ Security Information and Event Management systems (SIEM),
   ▪ intrusion detection systems, etc.
 – Intelligence feeds for situational awareness
 – Enable risk-based prioritization for remediation and defensive actions
 – Intended as a wire format
 Provide not only a common format, but also an architecture and protocol exchange
 – Enabling interoperable peer-to-peer, repository access, and federated exchanges with publish/subscribe capabilities
Scope of Data Formats

    Class of data                 Description
 1  Cyber Intelligence Analysis   Describes the characteristics of the threat
 2  Cyber Incident Reporting      Describes a particular cyber event
 3  Cyber Event Mitigation        Describes a proactive or reactive mitigation
 4  Cyber Information Sharing     Describes the meta-data necessary to share information with a third party

 Questions to refine the scope and updates to IODEF will be covered on the mile@ietf.org mailing list over the next 2 months
 – The data tracker is in use to track issues and comments; feedback is requested on scope and issues. Please post them to the mailing list. Your contributions will shape IODEF v2.
 – http://tools.ietf.org/wg/mile/trac/report/1
 – IODEF v2 is planned for publication January 2014!
Chart presented by Roman Danyliw at IETF-87
Overview
 Updated Charter:
 – http://datatracker.ietf.org/wg/mile/charter/
 Current list of documents:
 http://datatracker.ietf.org/wg/mile/
 – RFC5070-bis
 – IODEF Enumeration Reference Format
 – Structured Cybersecurity Information (SCI)
 – IODEF Guidance
 – RESTful indicator exchange using IODEF/RID
IODEF Data Model
• Supports Enterprise, CSIRT, and Service Provider Operations
• Internationalization support
  – Various Encodings
  – Translations
• Data handling labels
  – Sensitivity (includes TLP)
  – Confidence
• Extensibility of attributes and adding new elements
• Predicate logic under review in IODEF Guidance document
• Commonly exchanged indicator data representation
  – e.g., IP addresses, ports, protocols, applications, etc.
• Context rich to support indicator and incident information
  – History and requested actions
• Exploit and vulnerability references
  – Enumeration draft
• Forensics information – is more needed?

Figure: IODEF Incident class tree (RFC 5070). iodef:Incident contains iodef:IncidentID, iodef:AlternativeID, iodef:RelatedActivity, iodef:DetectTime, iodef:StartTime, iodef:EndTime, iodef:ReportTime, iodef:Description, iodef:Assessment, iodef:Method, iodef:Contact, iodef:EventData, iodef:History and iodef:AdditionalData. iodef:EventData in turn carries its own iodef:Description, iodef:DetectTime, iodef:StartTime, iodef:EndTime, iodef:Contact, iodef:Assessment, iodef:Method, iodef:Flow, iodef:Expectation, iodef:Record, nested iodef:EventData and iodef:AdditionalData.
Structured Cybersecurity Information (SCI) and Enumeration Reference Format drafts
Drafts are in final review stages and will be integrated into IODEF v2
 SCI draft provides consistent extension points for standalone schemas to be embedded in IODEF as extensions.
 – Extension points include:
   ▪ AttackPattern
   ▪ Vulnerability
   ▪ Weakness
   ▪ Platform
   ▪ EventReport
   ▪ Verification
   ▪ Remediation
 – Example schemas may include
   ▪ MMDEF, XCCDF, ACEML, OVAL, etc.
 Enumeration Reference Format draft provides a consistent format for parsing reference values, such as a vulnerability number, for example a CVE identifier
MILE Incident & Indicator Exchanges
Figure: Communication and Searches from Providers & Trusted Entities. Nodes shown: Analysis Center, Sharing Group, Trusted Entity (Partner, Peer, Service Provider), Detection & Security Systems, Indicator System, Incident Mgmt. Transports labelled: ROLIE and RID (RFC6545 & RFC6546).
Automate exchange of watch lists of indicators to address many use cases such as anti-phishing, DDoS, eCrime, etc.
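As an added worked example for the IODEF Data Model slide and for the watch-list exchange described above (this is not code from the slides, the working group, or any MILE implementation), the Python script below builds a minimal RFC 5070 IODEF Incident in the urn:ietf:params:xml:ns:iodef-1.0 namespace, serializes it as the wire format, and then consumes it the way a watch-list subscriber would: it pulls source addresses out of EventData/Flow/System/Node/Address and honours the Incident restriction handling label, so that anything marked private is never forwarded to a peer. Element and attribute names follow RFC 5070; the owner name csirt.example.com, the IncidentID values, the timestamp and the addresses are constructed sample data.

```python
"""Build, serialize and consume an IODEF v1 (RFC 5070) Incident document.

Added example, not part of the MILE slides or any MILE implementation.
Element names and the namespace follow RFC 5070; the owner name
csirt.example.com, IncidentID values, timestamp and addresses are constructed.
"""
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"
ET.register_namespace("iodef", IODEF_NS)


def q(tag):
    """Clark-notation name for an element in the IODEF namespace."""
    return "{%s}%s" % (IODEF_NS, tag)


def new_document():
    """Empty IODEF-Document root; version "1.00" is the RFC 5070 value."""
    return ET.Element(q("IODEF-Document"), version="1.00")


def add_incident(doc, incident_id, owner, sources, restriction="need-to-know"):
    """Append one Incident describing scanning from `sources`.

    Child order follows the RFC 5070 schema: IncidentID, ReportTime,
    Description, Assessment, Contact, EventData.  `restriction` is the
    v1 handling label: public, need-to-know, private or default.
    """
    inc = ET.SubElement(doc, q("Incident"), purpose="reporting", restriction=restriction)
    ET.SubElement(inc, q("IncidentID"), name=owner).text = incident_id
    ET.SubElement(inc, q("ReportTime")).text = "2013-08-01T12:00:00+00:00"  # constructed
    ET.SubElement(inc, q("Description")).text = "Constructed sample: scanning from listed hosts"
    assessment = ET.SubElement(inc, q("Assessment"))
    ET.SubElement(assessment, q("Impact"), type="recon", completion="succeeded")
    contact = ET.SubElement(inc, q("Contact"), role="creator", type="organization")
    ET.SubElement(contact, q("ContactName")).text = "Example CSIRT"
    ET.SubElement(contact, q("Email")).text = "csirt@example.com"
    flow = ET.SubElement(ET.SubElement(inc, q("EventData")), q("Flow"))
    for addr in sources:
        system = ET.SubElement(flow, q("System"), category="source")
        node = ET.SubElement(system, q("Node"))
        ET.SubElement(node, q("Address"), category="ipv4-addr").text = addr
    return inc


def watch_list(xml_text, allowed=("public", "need-to-know")):
    """Parse an IODEF feed and return (incident, address category, address) tuples
    for every source System, skipping Incidents whose restriction label is not
    in `allowed` so that e.g. 'private' data is not forwarded onward."""
    root = ET.fromstring(xml_text)
    rows = []
    for inc in root.findall(q("Incident")):
        if inc.get("restriction", "default") not in allowed:
            continue
        ident = inc.find(q("IncidentID"))
        inc_ref = "%s:%s" % (ident.get("name"), ident.text)
        for system in inc.iter(q("System")):  # iter() also covers nested EventData
            if system.get("category") != "source":
                continue
            for addr in system.iter(q("Address")):
                rows.append((inc_ref, addr.get("category"), addr.text.strip()))
    return rows


def demo():
    """Produce a two-Incident document and the watch list a peer may receive."""
    doc = new_document()
    add_incident(doc, "189493", "csirt.example.com",
                 ["192.0.2.10", "192.0.2.11"], restriction="need-to-know")
    add_incident(doc, "189494", "csirt.example.com",
                 ["198.51.100.7"], restriction="private")
    xml_text = ET.tostring(doc, encoding="unicode")
    return xml_text, watch_list(xml_text)


if __name__ == "__main__":
    wire, rows = demo()
    print(wire)
    for row in rows:
        print(row)
```

The consumer keys its filtering on the Incident-level restriction attribute only; RFC 5070 also allows restriction on individual child elements (EventData, Contact, and so on), so a production subscriber would check the label at the element that carries the indicator before forwarding it.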
How Can I help?
 Participate in the IETF MILE working group:
– Meetings are held three times a year
▪ Meeting dates/times can be found at: http://www.ietf.org
▪ Participation can be in person or remote via MeetEcho
▪ All decisions are finalized on the mailing list
– Join MILE@ietf.org mailing list
▪ Participate in an existing thread
▪ Start a thread on any questions based on review of a draft
▪ Start a thread on work to be proposed related to MILE
 Review implementation list:
– http://siis.realmv6.org/implementations/
 Contribute to open source code:
– https://github.com/RSAIntelShare
 Provide feedback on code and associated RFCs and
drafts
Thank you!