- Panel Chair
- Rowena Chester
- (Chair, NCITS (ANSI) T4 Committee; Information Technology Security Techniques)
- Participants
- Dick Brackney
- (NSA)
- Mike Erlinger
- (Harvey Mudd College, CIDF)
- Roger French
- (Compaq)
- Walter Fumy
- (Chair ISO SC27)
- Larry Nelson
- (AT&T)
- Vern Paxson
- (LBNL)
- Biographies
- Rowena Chester
- Rowena currently serves as the Chair of NCITS
(ANSI) T4, IT Security. She received her Ph.D. in solid state physics
and electrical engineering at the University of Tennessee, where she
is a Professor of electrical engineering. Prior to this she worked
for the Oak Ridge National Laboratory for more than 35 years. While
at ORNL she served in several IT security related positions, including
IT security program manager and corporate rep. to T4. She has
authored numerous papers on IT security and related topics, including
two textbooks.
- Richard Brackney
- Richard Brackney is a Manager within the INFOSEC
Research Organization at the National Security Agency. He is
responsible for a number of new research initiatives in support of
Defensive Information Operations as well as the long range planning
for this new area of research. In this role, he coordinates with
several other US Government Agencies to include DARPA and DISA.
Richard is a National Security Agency representative to T4 and
initiated the SC27 intrusion detection framework project.
- Mike Erlinger
- Mike Erlinger is a full professor in the computer
science department at Harvey Mudd College and a part-time
researcher with The Aerospace Corporation. For the past 8 years
most of his research efforts have centered on network management, in
particular SNMP related management. He was the founding chair of the
IETF RMON Working Group, which produced the RMON MIB specifications.
His current research involves integrating intrusion detection and
network management tools. Mike is a member of the DARPA-sponsored
CIDF project at UC Davis. Mike is also Co-chair of the IDS Working
Group in IETF.
- Walter Fumy
- Walter Fumy received his Ph.D. in computer science
from the University of Erlangen, Germany. Since 1986 he has been
employed at Siemens AG where his work involves cryptographic research
and security consulting. Walter has been active for many years in the
standardization of security techniques. He has served as editor of
several ISO/IEC standards and as vice-chairman of ETSI TC Security. Walter
currently serves as Chairman of ISO/IEC JTC 1/SC 27 "IT Security
Techniques". He has also published numerous papers in the field of
ICT security as well as books on cryptography and on security
standards and patents.
- Roger French
- Roger is Manager of the Security Program Office in
Compaq. He is actively involved in a number of standards activities
of interest to Compaq. He serves as Chairman of ECMA TC 36, IT
Security. He is on the Board of Directors of the Key Recovery
Alliance. He is Chairman of Frameworks Committee, of the TACDFIPSFKMI
(Attend the panel discussion for the translation). Roger is the
Compaq Rep. to T4.
- Larry Nelson
- Larry received his Ph.D. in mathematics with
emphasis in computer science from Ohio State. He has worked in the
AT&T National Information Systems, Information Security Center for
more than 15 years. Larry serves on the USA President's National
Security Telecommunications Advisory Committee in the Information
Infrastructure Group. Larry represents AT&T on the American Bar
Association Information Security Committee. He helped write the ABA
Digital Signature Guidelines. He is the AT&T Rep. to T4.
- Vern Paxson
- A short biography is available here
Abstract
(see also the minutes)
The panel was structured to address questions of interest to the Intrusion
Detection Community. General Questions: What are standards? What is their
general value? Why should the intrusion detection community be interested?
What do these standards organizations really do? How does an R&D person
participate in the standards process?
- ISO SC27 Questions:
What is ISO SC27? What is the process
for developing an ISO standard? How is input obtained for SC27
projects? How and when should a developer start interacting with ISO?
Who are the national contacts to advise and assist developers in
pursuing ISO SC27 standards?
- ISO SC27 Intrusion Detection Project Questions:
What is the status of the SC27 Intrusion Detection Project? What
results can be expected from this project? When can results be
expected from this project?
- IETF Questions:
What is IETF? What is the process for developing
an IETF standard? How is input obtained for IETF activities? How and
when should a developer start interacting with IETF? Who are the
national contacts to advise and assist developers in pursuing
interactions with IETF? Are there IETF activities that relate to
intrusion detection? What are the objectives and status of these
activities? What are typical time scales to be expected in
interactions with IETF?
- CIDF Project:
Description of the experiences of an intrusion
detection project with one or more standards bodies and the lessons
learned. Description and evaluation of the interactions will be
discussed. What could CIDF have done differently to improve the
interactions? How could the standards bodies improve their
interaction with developers?
- Related Questions:
Why does a multinational commercial
organization like Compaq strongly support standardization? What
happens during the standardization process from a corporate point of
view? Why does a USA government sponsor of intrusion detection
R&D support the development of intrusion detection standards?
- The Financial Services Community (TC68) Questions:
What is TC68?
What is the relationship between TC68, ISO SC27 and IETF? What role
does the financial services community envision for intrusion
detection? What particular regulatory and oversight considerations
constrain standardization by the financial services community? What
is the role of standards when members of the financial services
community select systems for deployment? This topic was not
addressed during the panel but, to know more, you can take a look
at this presentation, available in
HTML format or as a
PowerPoint document,
by Tom Daniels, Don Tobin, and Lorenzo Valeri
Panel Chair Rowena Chester introduced the session by thanking the
workshop sponsors and introducing the panel members and
their affiliations. The workshop was sponsored by IBM Emergency
Response Service and The Joint Research Centre of the EC (Institute
for Systems, Informatics and Safety). The other panelists, in
order of their presentations, were Walter Fumy of ISO SC 27, Vern
Paxson of the IETF, Mike Erlinger of the IETF IDS Working Group, Roger
French of Compaq, and Richard Brackney of the NSA.
Rowena Chester's Opening Presentation
(slides available in HTML or PowerPoint)
Rowena Chester made the initial remarks by highlighting the main
characteristics of a standardization process. She described writing a
standard as a consensus building process similar to writing a refereed
academic paper. Rowena continued by describing the members of
standards committees, the effects of standards on research and
commerce, and the reasons for many different standards organizations.
To clarify the process of creating a standard, Rowena compared the
standards process to writing a journal article. The first step is to
collaborate with colleagues to build consensus around the proposed
topic and the goal of the initiative. An initial document is then
drafted and submitted to other members of the standardization working
group. After further revision and review, the standard is ready to be
published.
Rowena also made the point that standards writing is not solely a
technical exercise. Interactions between people must be
considered as well. There is conflict between the agendas of
different committee members and parliamentary maneuvering to be
considered. Furthermore, the majority of people working on
standards committees are volunteers who "work for the love of the
job." Often committee members must balance their work outside the
committee with their standards work.
Dr. Chester claims that standards do not restrict or drive
research. Usually, a good deal of research and development has
been done before standardization occurs. She then contrasted
this with the case of commerce where standards have a definite impact
by both restricting some non-standard commercial deployment and
driving commercial development of standard compliant products.
Rowena explained that there are many different standards
organizations for two basic reasons. One reason is that
different organizations often have different interests. The
second reason is that two standards organization may have a different
focus on similar interests. These organizations reduce
duplication of effort by both formal interaction and less formal
actions where the same person may contribute to both organizations.
The standards writing process takes a long time. Nevertheless, the
final reward is extremely gratifying. Consequently, Rowena Chester
suggested two ways of participating in this process. First,
researchers should team up with someone in their organization whose job
is to interact with the various standards organizations. The second
possibility is to undertake this effort yourself by allocating the
necessary time. Rowena Chester, however, cautions that "half-time for 18
months may not be enough".
Walter Fumy, ISO SC 27
(slides available in HTML or PowerPoint)
Dr. Fumy began by introducing the International Organization for
Standardization (ISO) and SC 27. ISO is a federation of national
standards bodies such as ANSI, BSI, and DIN. It currently
comprises 124 member countries and about 3000 technical bodies.
ISO has published more than 11,000 standards.
SC 27 is an ISO subcommittee on "Security Techniques." SC 27
has 21 full participating members and 12 observing members. Walter
continued by outlining the standardization process. In SC 27, a
standard goes through several stages of peer review, beginning with a new
project proposal and a study period. A working draft is then written and
revised until it becomes a committee draft. The committee draft
is reviewed and revised until it is passed as a draft international
standard. At this point, no further comments are accepted.
Upon approval, the draft becomes an international standard which is
reviewed every 5 years. Underscoring Rowena Chester's earlier
comment about the time involved in creating a standard, Dr. Fumy
pointed out that the average time to develop a standard was around 5
years. He also pointed out that there was an alternative "Fast
Track" for an existing standard to become an international standard.
Dr. Fumy then commented on the scope of SC 27. SC 27 has the
job of standardizing "generic IT security services and
techniques". This includes determination of requirements for
information system security services, development of techniques and
mechanisms for security, creation of guidelines and management support
standards. It also encompasses standards for evaluation and
certification of the security of information systems.
Notably excluded is the embedding of security mechanisms in
applications.
Walter then outlined the organization of SC 27. SC 27 is made
up of 3 working groups. Working Group 1 focuses on requirements,
security services, and guidelines. Group 2 works on security
techniques and mechanisms. Working Group 3 works on security
evaluation criteria.
Dr. Fumy concluded by mentioning the committee's productivity and
listing recent standards, standards in preparation, and areas in which
work is beginning.
A list of contact points is available in HTML format
or as a Word document.
Vern Paxson
(slides available in PDF or PS)
Vern Paxson presented an overview of the Internet Engineering Task Force
(IETF). He summarized how the IETF works, described its
components, and described the types of documents produced by IETF.
IETF is composed of its participants which are individuals, not
companies. It is a very open organization in that anyone who
wants to join the organization may do so simply by asking. The
IETF has 3 week-long meetings per year, but most of the work is done
by interaction on IETF's 100 or more mailing lists.
IETF participants work in working groups (WG). WG's develop
technical specifications and are guided by a Chairperson. Area
Directors (AD) supervise related WG's and resolve disputes among
WG's. The AD's form the Internet Engineering Steering Group
(IESG). Additionally, the Internet Architecture Board (IAB)
provides architectural oversight and advice.
Documents published by the IETF are all publicly available.
Internet drafts are working documents and have a lifetime of 6
months. Because they are working documents, they should not be
cited. Informational Request for Comments (RFC's) are purely
descriptive and may be developed by a WG or individually.
Experimental RFC's are similar to informational RFC's except that they
may eventually progress onto the standards track. Best Current
Practices RFC's describe IETF procedures and undergo an IETF "last
call" before acceptance. Finally, Proposed, Draft, and
Full Standard RFC's must be approved by an IETF-wide "last call" for
acceptance. Interoperable implementations are required to
progress to a draft standard RFC.
Vern also stated some things that IETF does not do. IETF does not
do research, develop policy, develop standards which fall in the scope
of other standards bodies, develop standards which fail to address
security, or develop standards that threaten network stability or
contort the Internet architecture.
In closing, Vern gave some advice about starting a new WG.
First, you need the support of an Area Director and then he or she
tells you what to do from there. WG's must also be careful about
intellectual property rights. Security Area Directors are Marcus
Leech and Jeff Schiller.
Mike Erlinger
Mike Erlinger presented a description of the standards work regarding
the Common Intrusion Detection Framework (CIDF) project started
by DARPA. Mike quickly described the general goals of the CIDF
project and went into more depth to describe the integration of the
CIDF project into an IETF WG.
CIDF is a project to facilitate interoperability of intrusion
detection systems (IDS) started at the behest of DARPA in 1997. CIDF
follows an open consensus process with about 10 to 15 technically
active participants. It includes participation from industry,
academia, and government, but it is still mostly funded by DARPA. Most
interaction is via a mailing list, with meetings scheduled 4 to 6
times per year.
The CIDF charter specifies activities and limits upon those
activities in order to maintain the scope of the work. It
specifies milestones in order to measure the progress of the CIDF
initiative. It also outlines goals such as documents (RFC's) and
implementations.
In order to measure interest, CIDF held a Birds of a Feather (BOF)
meeting at the Spring '98 IETF Meeting. The BOF showed
large community interest, but presented the current CIDF solution--not
the problem. In the summer of 1998, a WG charter along with an
Area Director was created. In December 1998, the first IETF
meeting that includes the IDS WG will be held.
Mike's experience is that the CIDF work will become the early
prototype for the IDS WG. He suspects that the WG will have
slower progress, but arrive at a better result with wider
application. He also points out that "consensus is hard" in this
area.
Roger French
(slides available in HTML or PowerPoint)
Roger French of Compaq Computer Corporation presented an industry view
of standards and the standardization process. He discussed why
companies should build to standards, why investment in the
standardization process is worthwhile, and what options a company has
regarding standards.
Roger explained that building products to standards had several
advantages. First, customers demand products which conform to
standards. Secondly, standard products appeal to large parts of
the market. Developing to standards also tends to reduce a
company's risk, investment, prices, and even their time-to-market.
To explain why investment in the standardization process is
worthwhile, Roger broke the topic down into three areas: input to the
standardization process, the mechanism of the process, and what
companies gain from the process. Companies bring ideas and
insight into how they do business to the standards process. They
do this in order to protect not only their investment, but also that
of their customers.
Roger pointed out that during the standards process old standards
are re-evaluated, and new alternatives are discovered and
discussed. This tends to foster a deeper view of the standards
and their repercussions.
Roger also said that companies bring important information for
their future out of standards processes. Companies get better
estimates of future technologies. Companies also get the opinions of
experts working in the group.
In conclusion, Roger French stated that even after the standards
process a company still has several options. A company can "ignore
existing standards, live with the existing standards, or help create
the new standards."
Richard Brackney
(slides available in HTML or PowerPoint)
Richard Brackney presented a view of IDS standards from the NSA perspective.
He first outlined his view of the importance of standards for interoperability.
Secondly, he discussed the government's long-term view about research.
He sees standards that allow for integration of IDS into other security
components as being very difficult but worthwhile. Ideally, an IDS would
be fully interoperable with network management, other IDS, logging services,
and response mechanisms. Richard points out that current systems
are ad-hoc and that they don't interact well. Integrating these systems
is important because of the government's need for interacting heterogeneous
systems.
Richard sees government research as long-term, in the range of 3 to
6 years. It is also focused on technology transfer. Government
is heavily involved in standards development and considers it research
in some ways.
Panel Conclusion
Having exhausted the time available for the panel, there was no time for
questions from the audience. Rowena Chester thanked the panelists
for their time and effort.
- Panel Chair
- Deborah Frincke
- (University of Idaho)
- Participants
- Karl Levitt
- (UC Davis, USA)
- Michel Miqueu
- (CNES)
- Jean-Jacques Quisquater
- (Université Catholique de Louvain, Belgium)
- Marc Wilikens
- (Institute for Systems, Informatics and Safety)
- Kevin Ziese
- (Cisco/Wheelgroup)
- Biographies
- Deborah A. Frincke
- A short biography is available here
- Michel Miqueu
- Michel Miqueu is head of ITSec Department at CNES (French Space
Agency) and has been involved in defining, enforcing and reviewing
CNES internal ITSec policies. He was a member of the steering
committee of intrusion detection project Hyperview.
- Marc Wilikens
- A short biography is available here
- Kevin Ziese
- A short biography is available here
Abstract
In the last two decades computing has evolved from mainframe systems
on limited point-to-point networks, to local area networks, to
enterprise networks spanning states and including tens of thousands of
hosts, to wide-scale client-server networks with mobile agents and
international scope. IDS systems, which first began to appear in the
last decade, have at best the capability to monitor individual systems
or local networks. What’s needed is IDS that is effective in a very
large, heterogeneous, and highly dynamic environment. The IDS
solutions that have been defined for single hosts and local networks
generally do not scale into networks of tens (or hundreds) of
thousands of systems. This panel is intended to promote discussion of
key issues associated with intrusion detection in wide-scale distributed
systems, and to conclude by tying the issues raised to areas in need
of research.
Questions for the panelists:
- What is the effect of scale on the effectiveness of current IDS?
How do the tools currently being fielded work in such an
environment? What can be done now? What cannot be done now? What
should be done?
- What are the requirements? Secure gateways? Secure internal
machines? Is a global security policy needed (and how likely is
that)? It appears that different users (companies) have very
different requirements. It also appears most of the users
(companies) have no idea of the requirements. So, the question is
how to define requirements?
- Where are the threats? External? Internal? Downloading executable
code segments (Active-X control, etc.)? Viruses (should virus
detection be part of ID?)? Is there a trust model that defines
violations as threats?
- Is there a need for automated response to detected threats?
Assuming that one has a mechanism for accurately identifying
threats and determining an appropriate action (might be a large
assumption!), how should one implement that action on a wide scale
in a timely fashion? How can one coordinate response activities
within the network?
- Single tool/technology sufficient? Do we need an ID standard? Can
one vendor/tool satisfy all the requirements? If not, how are
different ID tools deployed? Do they work together?
- What should be the deployment strategy? How to get started? Where
first? Who to work with? (External and internal, users?
administrators? policy makers? vendors?) Order of deployment?
Commercial tools?
- How to measure effectiveness? Against what criteria? Data volume?
False-positive/false-negative? Difficulty in correlation of data?
User/administrator acceptance?
- How do IDS fit into overall network management?
- If an intruder is successful in subverting portions of a
large-scale network and/or the associated intrusion detection
system, are there ways (survivability, fault tolerance) to
maintain the integrity of the whole?