Extended Incident Handling BOF (inch)
Monday, August 06 at 1930-2200
===============================

CHAIR: Yuri Demchenko

AGENDA:

1. Agenda bashing
2. Relation between IODEF and IDMEF/IDWG
3. IODEF Data Model discussion
4. Incident Handling Workflow and standardisation framework
5. Discussion of problem statement and charter
6. Closing

BOF Description:

Problem statement

Computer security incidents are increasingly distributed and international, involving many CSIRTs (Computer Security Incident Response Teams) across borders, languages and cultures. Exchange of post-incident information and statistics is important for preventing future incidents and improving Internet security. There is also a practical need to integrate existing computer security knowledge (e.g. vulnerability and exposure databases, virus databases) into the incident handling systems used by CSIRTs.

There have been numerous attempts to establish cooperation and information exchange between leading/advanced CSIRTs in Europe and within the FIRST community. These CSIRTs understand the advantages of information exchange and cooperation in processing, tracking and investigating security incidents. The key element for information exchange in all these cases is a common format for describing an incident (the "incident object").

Background

There is ongoing work on the Incident Object Description and Exchange Format (IODEF) within the Incident Taxonomy and Description WG at TERENA (http://www.terena.nl/task-forces/tf-csirt/iodef/). The purpose of IODEF is to define a common data format for the description, archiving and exchange of information about incidents between CSIRTs (covering alerts, incidents under investigation, archiving, statistics, reporting, etc.). The recently published RFC 3067, "TERENA's Incident Object Description and Exchange Format Requirements", describes the high-level requirements for such a description and exchange format, including the reasons for those requirements.
Another issue targeted by IODEF is the need for a higher-level incident description and exchange format than the one provided by intrusion detection systems (IDS) and the proposed IDMEF (Intrusion Detection Message Exchange Format). In this respect IODEF should be vertically compatible with IDMEF: an IODEF incident description should be able to include or reference an IDMEF Alert message as the initial information about an incident, so that the IDS-level alert that triggered the incident stays attached to the incident record as it is investigated and exchanged.

A pilot project will start in September in which two European CSIRTs will develop modules that use IODEF to exchange incident information between their existing incident handling systems. This project will also provide real-world input for finalising the structure and details of the current draft incident data model.

IODEF and related issues have been discussed at numerous TF-CSIRT seminars and at two IODEF BoFs, at FIRST12 (2000) and FIRST13 (2001), which demonstrated wide interest from both the CSIRT community and security product companies (Symantec, Para-Protect, etc.).

BOF purpose

The purpose of this BoF is to consider how IODEF could be more widely used in future, once the initial pilot implementation has been finalised. The current model is incomplete in the areas relating to vulnerabilities, exposures and viruses. A framework and common standards in these areas would allow future incident handling systems to be integrated with existing databases and registries of these types of information. Another area which might be considered is the features needed to handle evidence data for use in court cases, where the integrity and chain of custody of the collected data matter.

There is also an intention to extend/continue the work of the IETF IDWG to the description of incidents as higher-level elements in network security. This issue was discussed at the last IDWG meeting at IETF 50 and found support from the IDWG, which sees its own future in further development and integration with IODEF.
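As an added illustration of the vertical relation between IDS alerts and incident records described above (this is example code written for this page, not code from the IODEF drafts, the IDWG or the pilot project), the following Python groups IDS-level IDMEF Alert messages into higher-level incident records and keeps the alerts both as references (by messageid) and as embedded copies. The IDMEF element names and namespace are those of the IDMEF as later published in RFC 4765 and are used here as an assumption; the IncidentRecord wrapper, the INC-nnnn identifiers, the one-hour correlation window and the sample alerts are all constructed for illustration and are not the IODEF data model.

```python
"""Correlate IDS-level IDMEF alerts into higher-level incident records (added example)."""
import xml.etree.ElementTree as ET
from datetime import datetime

# Namespace and element names follow IDMEF as published in RFC 4765 (assumption for this example).
IDMEF_NS = "http://iana.org/idmef"
NS = {"i": IDMEF_NS}
ET.register_namespace("idmef", IDMEF_NS)


def _idmef_alert(messageid, analyzer, when, src, dst, cls):
    """Build one constructed IDMEF-Message document (sample data, not a real IDS capture)."""
    return f"""<IDMEF-Message xmlns="{IDMEF_NS}" version="1.0">
  <Alert messageid="{messageid}">
    <Analyzer analyzerid="{analyzer}"/>
    <CreateTime>{when}</CreateTime>
    <Source><Node><Address category="ipv4-addr"><address>{src}</address></Address></Node></Source>
    <Target><Node><Address category="ipv4-addr"><address>{dst}</address></Address></Node></Target>
    <Classification text="{cls}"/>
  </Alert>
</IDMEF-Message>"""


# Constructed sample alerts: one scanner hits two hosts and then escalates, a second scanner
# appears later, and the first scanner returns hours afterwards (outside the correlation window).
SAMPLE_ALERTS = [
    _idmef_alert("a-1001", "ids-dmz", "2001-07-30T09:12:01Z", "192.0.2.77", "198.51.100.10", "portscan"),
    _idmef_alert("a-1002", "ids-dmz", "2001-07-30T09:14:40Z", "192.0.2.77", "198.51.100.22", "portscan"),
    _idmef_alert("a-1003", "ids-core", "2001-07-30T09:20:05Z", "192.0.2.77", "198.51.100.22", "buffer overflow attempt"),
    _idmef_alert("a-2001", "ids-dmz", "2001-07-30T11:02:13Z", "203.0.113.5", "198.51.100.10", "portscan"),
    _idmef_alert("a-1004", "ids-dmz", "2001-07-30T13:00:00Z", "192.0.2.77", "198.51.100.10", "portscan"),
]


def parse_alert(xml_text):
    """Extract the fields an incident handler needs from one IDMEF-Message.

    Raises ValueError for non-IDMEF input or an Alert without a messageid, because an
    alert that cannot be referenced must not be silently folded into an incident.
    """
    root = ET.fromstring(xml_text)
    alert = root.find("i:Alert", NS)
    if root.tag != f"{{{IDMEF_NS}}}IDMEF-Message" or alert is None:
        raise ValueError("not an IDMEF Alert message")
    messageid = alert.get("messageid")
    if not messageid:
        raise ValueError("IDMEF Alert without messageid cannot be referenced")
    analyzer = alert.find("i:Analyzer", NS)
    when = alert.findtext("i:CreateTime", default="", namespaces=NS)
    classification = alert.find("i:Classification", NS)
    return {
        "messageid": messageid,
        "analyzer": analyzer.get("analyzerid", "") if analyzer is not None else "",
        "time": datetime.strptime(when, "%Y-%m-%dT%H:%M:%SZ"),
        "sources": [a.text for a in alert.findall("i:Source/i:Node/i:Address/i:address", NS)],
        "targets": [a.text for a in alert.findall("i:Target/i:Node/i:Address/i:address", NS)],
        "classification": classification.get("text", "") if classification is not None else "",
    }


def correlate(alert_docs, window_minutes=60):
    """Group alerts into incidents: same source address, each within window_minutes of the
    incident's last alert. Each incident keeps the IDMEF messageids it was built from."""
    parsed = sorted((parse_alert(d) for d in alert_docs), key=lambda a: a["time"])
    incidents = []
    for a in parsed:
        for src in a["sources"] or ["unknown"]:
            hit = next((inc for inc in incidents if inc["source"] == src
                        and (a["time"] - inc["last_seen"]).total_seconds() <= window_minutes * 60), None)
            if hit is None:
                hit = {"incident_id": f"INC-{len(incidents) + 1:04d}",  # hypothetical id scheme
                       "source": src, "first_seen": a["time"], "last_seen": a["time"],
                       "targets": set(), "classifications": [], "alert_refs": []}
                incidents.append(hit)
            hit["last_seen"] = max(hit["last_seen"], a["time"])
            hit["targets"].update(a["targets"])
            if a["classification"] not in hit["classifications"]:
                hit["classifications"].append(a["classification"])
            hit["alert_refs"].append(a["messageid"])
    return incidents


def incident_to_xml(incident, alert_docs):
    """Serialise an incident as a hypothetical <IncidentRecord> (illustrative, not IODEF) that
    references each originating IDMEF Alert by messageid and embeds the original message."""
    rec = ET.Element("IncidentRecord", id=incident["incident_id"])
    ET.SubElement(rec, "Source").text = incident["source"]
    ET.SubElement(rec, "FirstSeen").text = incident["first_seen"].strftime("%Y-%m-%dT%H:%M:%SZ")
    ET.SubElement(rec, "LastSeen").text = incident["last_seen"].strftime("%Y-%m-%dT%H:%M:%SZ")
    for target in sorted(incident["targets"]):
        ET.SubElement(rec, "Target").text = target
    for cls in incident["classifications"]:
        ET.SubElement(rec, "Classification").text = cls
    by_id = {parse_alert(d)["messageid"]: d for d in alert_docs}
    for mid in incident["alert_refs"]:
        ET.SubElement(rec, "AlertRef", messageid=mid).append(ET.fromstring(by_id[mid]))
    return ET.tostring(rec, encoding="unicode")


if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        print(incident_to_xml(inc, SAMPLE_ALERTS))
```

Run as a script it prints three incident records: the first scanner's three alerts (two targets, two classifications) collapse into one incident, the second source gets its own, and the first source's return four hours later starts a new one because it falls outside the window. Correlating on source address and time is the simplest policy a CSIRT tool might use; the point of the structure is that the incident object carries the higher-level view while the IDMEF messages remain intact underneath it, which is what "vertical compatibility" buys.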
Mailing list info:

Incident Object Description and Exchange Format: iodef@terena.nl

To subscribe, send this message to majordomo@terena.nl:

    subscribe iodef your_real_name

Mailing List Archive: http://hypermail.terena.nl/iodef-list/mail-archive/