Internet Engineering Task Force T. Takahashi, Ed.
Internet-Draft Y. Kadobayashi, Ed.
Intended status: Informational NICT
Expires: April 21, 2011 October 18, 2010
Cybersecurity Information Exchange Framework
draft-takahashi-cybex-intro-00
Abstract
The cybersecurity information exchange framework, known as CYBEX, is
currently undergoing its first iteration of standardization efforts
within ITU-T. The framework describes how cybersecurity information
is exchanged between cybersecurity entities on a global scale and how
the exchange is assured. This framework is intended to facilitate
cybersecurity entities to work together beyond national and/or
organizational boundaries.
Currently, ITU-T Draft Recommendation X.1500 defines the framework.
The editors designated for the progress of the Draft Recommendation
are (in alphabetical order): Inette Furey (DHS), Youki Kadobayashi
(NICT), Bob Martin (MITRE), Angela Mckay (Microsoft), Stephen
Adegbite (FIRST), Damir Rajnovic (FIRST), Gavin Reid (Cisco), Tony
Rutkowski (Yaana), Gregg Schudel (Cisco).
On behalf of ITU-T Q.4/17, this draft introduces the overview of
CYBEX in the IETF.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 21, 2011.
Takahashi & Kadobayashi Expires April 21, 2011 [Page 1]
Internet-Draft Abbreviated Title October 2010
Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Conventions used in this document . . . . . . . . . . . . . . . 3
3. Overview of Cybersecurity Information Exchange Framework . . . 4
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 5
5. Security Considerations . . . . . . . . . . . . . . . . . . . . 5
6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 5
6.1. Normative References . . . . . . . . . . . . . . . . . . . 5
6.2. Informative References . . . . . . . . . . . . . . . . . . 6
Appendix A. Additional Stuff . . . . . . . . . . . . . . . . . . . 6
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 6
Takahashi & Kadobayashi Expires April 21, 2011 [Page 2]
Internet-Draft Abbreviated Title October 2010
1. Introduction
In the Internet, sources of threats cross borders of countries and
even continents. Countermeasures against these cybersecurity
threats, however, are most frequently implemented by individual
organizations in isolation. Consequently, an organization in one
country may be attacked by malware whose countermeasures are already
known and implemented within another organization in another country.
Such incidents occur due to the lack of sharing of information among
organizations. One of the biggest factors preventing organizations
from sharing information with each other is the absence of a globally
common format and framework for cybersecurity information exchange.
Albeit some countries such as the United States possess domestic
standards for approaching this problem, most other countries have no
such standards. Another such factor is the absence of assured
information exchange framework, without which no organization will
exchange information.
To cope with this problem, ITU-T is now building an emerging standard
- The Cybersecurity Information Exchange Framework (CYBEX). CYBEX
provides a globally common format and framework for assured
cybersecurity information exchange, which will eventually minimize
the disparity of cybersecurity information availability on a global
scale. Since cybersecurity information can be shared worldwide, no
country or organization implementing CYBEX will be left behind in
terms of its availability. Consequently, developing countries, which
currently have fewer resources to put towards cybersecurity, can
become equal partners with developed countries with appropriate
investments. Therefore countermeasures will be implemented through
global collaboration. The framework will also advance the
development of automating cybersecurity information exchange. Most
cybersecurity information exchange within organizations are not
currently automated and depend largely on human intervention. Email,
telephone calls and even faceto- face meetings are still the primary
method for information exchange. The need for and reliance on human
interaction consumes a great deal of time. By advancing automation
of cybersecurity information exchange, the costs (e.g., personnel
costs) within each organization will be significantly reduced and the
operation will be more efficient. At the same time, human-operation-
based mistakes such as miscommunication can be avoided; thus the
quality of operations can be improved.
2. Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
Takahashi & Kadobayashi Expires April 21, 2011 [Page 3]
Internet-Draft Abbreviated Title October 2010
3. Overview of Cybersecurity Information Exchange Framework
CYBEX focuses on cybersecurity information exchange between
cybersecurity organizations. Cybersecurity information is
information required for cybersecurity operations such as on a
vulnerability, and a cybersecurity organization is an organization
running cybersecurity operations such as CSIRTs of countries and
private companies. How to acquire/use cybersecurity information is
outside the scope of CYBEX.
Considering the cybersecurity information life cycle, we observed
that five functional blocks are needed for CYBEX: Information
Description, Information Discovery, Information Query, Information
Assurance and Information Transport, as are shown in Figure 1. The
Information Description block structures cybersecurity information
for exchange purposes, the Information Discovery block identifies and
discovers cybersecurity information and entities, the Information
Query block requests and responds with cybersecurity information, the
Information Assurance block ensures the validity of the information,
and Information Transport block exchanges cybersecurity information
over networks.
+-------------------------------+
| Information Description block |
+-------------------------------+
| Information Discovery block |
+-------------------------------+
| Information Query block |
+-------------------------------+
| Information Assurance block |
+-------------------------------+
| Information Transport block |
|_______________________________|
Five functional blocks of CYBEX
Figure 1
Each functional block consists of assorted specifications as are
shown in Table 1. As can be seen, one important characteristics of
CYBEX is that this de jure standard is based on current de facto
standards, and that by creating CYBEX in cooperation with the
creators of each de facto standards we can increase the utility and
compatibility of CYBEX with these standards, so users will be able to
use CYBEX seamlessly with available products, making CYBEX more
practical and deployable.
Takahashi & Kadobayashi Expires April 21, 2011 [Page 4]
Internet-Draft Abbreviated Title October 2010
+-------------+-----------------------------------------------------+
| Functional | CYBEX family specifications |
| blocks | |
+-------------+-----------------------------------------------------+
| Description | CPE, CCE, CVE, CWE, CAPEC, MAEC, CVSS, CWSS, OVAL, |
| | XCCDF, ARF, IODEF, CEE, TS102232, TS102667, |
| | TS23.271, RFC3924, EDRM, X.dexf, X.pfoc |
| Discovery | X.cybex.1, X.cybex-disc |
| Query | X.chirp |
| Assurance | EVCERT, TS102042 V2.0, X.eaa |
| Transport | TS102232-1, X.cybex-tp, X.cybex-beep |
+-------------+-----------------------------------------------------+
Table 1: CYBEX family specifications
Each of the functional blocks are elaborated on in the following
subsections.
Further details are available at [ACMCCR_CYBEX].
4. IANA Considerations
This memo includes no request to IANA.
5. Security Considerations
This paper introduced CYBEX, a new cybersecurity standard that will
be finalized in December 2010. CYBEX provides a framework for
assured cybersecurity information exchange between cybersecurity
entities and minimizes the disparity of cybersecurity information
availability among cybersecurity entities. The challenge is finding
a means of permitting wide usage of CYBEX. Without global and
widespread usage, CYBEX will not be able to provide its true value or
contribute to cybersecurity. In order to advance cybersecurity, the
effectiveness of CYBEX needs to be globally and widely recognized.
6. References
6.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
Takahashi & Kadobayashi Expires April 21, 2011 [Page 5]
Internet-Draft Abbreviated Title October 2010
6.2. Informative References
[ACMCCR_CYBEX]
Rutkowski, A., Kadobayashi, Y., Furey, I., Rajnovic, D.,
Martin, R., Takahashi, T., Schultz, C., Reid, G., Schudel,
G., Hird, M., and S. Adegbite, "CYBEX - the Cybersecurity
Information Exchange Framework (X.1500)", ACM SIGCOMM
Computer Communication Review, Volume 40, Number 5,
October 2010.
Appendix A. Additional Stuff
This becomes an Appendix.
Authors' Addresses
Takeshi Takahash (editor)
NICT
4-2-1 Nukui-Kitamachi
Koganei, Tokyo 184-8795
Japan
Phone: +81 80 3490 2971
Email: takeshi_takahashi@nict.go.jp
Youki Kadobayashi (editor)
NICT
4-2-1 Nukui-Kitamachi
Koganei, Tokyo 184-8795
Japan
Email: youki-k@is.aist-nara.ac.jp
Takahashi & Kadobayashi Expires April 21, 2011 [Page 6]