This status report summarizes the use cases for assessing an organization's security posture and for deriving the common functional capabilities from which IETF standards requirements can be drawn. It focuses on Enterprise Security Posture Assessment and notes that existing IETF technologies may address some of the required functions. The -05 revision consolidates the usage scenarios and adds new use cases for content management, endpoint identification and assessment planning, endpoint posture attribute collection, posture evaluation, and mining the collected data. It raises open issues such as the ambiguity of the term "content" and the choice of actor names used in the scenarios, and asks for specific feedback on terminology and on extracting requirements.
Security Automation and Continuous Monitoring WG
Use Cases Status Report and Open Questions
David Waltermire
IETF SACM Virtual Interim Meeting, Dec 17, 2013
Use Cases Document
• This document provides a sampling of use cases and usage scenarios for collecting, aggregating, and assessing data to determine an organization's security posture.
• From these use cases we can derive common functional networking capabilities and requirements for IETF-related standards.
• The scope of this document is limited to Enterprise Security Posture Assessment. Later documents can address other scopes.
• Existing IETF technologies might be suitable to address some of these functions and requirements.
SACM WG
Use Cases Status -05-
• Moved the existing use cases to a subsection titled "Usage Scenarios".
• Added a new subsection titled "Use Cases" to describe the common use cases and the associated building blocks used to address the "Usage Scenarios".
• The new use cases are:
  • Define, Publish, Query and Retrieve Content
  • Endpoint Identification and Assessment Planning
  • Endpoint Posture Attribute Value Collection
  • Posture Evaluation
  • Mining the Database
Use Cases Status -05- (Cont'd)
• Consolidated many of the usage scenarios:
  • Automated Checklist Verification has been updated to include:
    • Organizational Software Policy Compliance
    • Search for Signs of Infection
    • Vulnerable Endpoint Identification
    • Compromised Endpoint Identification
    • Suspicious Endpoint Behavior
    • Traditional endpoint assessment with stored results
    • NAC/NAP connection with no stored results using an endpoint evaluator
    • NAC/NAP connection with no stored results using a third-party evaluator
Use Cases Status -05- (Cont'd)
• Consolidated many of the usage scenarios (Cont'd):
  • Created the new usage scenario "Identification and Retrieval of Repository Content" by merging:
    • Repository Interaction - A Full Assessment
    • Repository Interaction - Filtered Delta Assessment
  • Renamed "Register with repository for immediate notification of new security vulnerability content that match a selection filter" to "Content Change Detection" and generalized the description to be neutral to implementation approach
• Removed out-of-scope usage scenarios:
  • Remediation and Mitigation
  • Direct Human Retrieval of Ancillary Materials
• For each usage scenario, added a listing of the building blocks used
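The building blocks named in the -05 outline (content definition, endpoint posture attribute collection, posture evaluation, stored results, filtered delta assessment, content change detection, and mining the stored results) fit together as one small pipeline. The following is an added example written for this page; it is not code from the draft, the working group, or any SACM implementation. The rule format, attribute names, endpoint data and the result store are all constructed for illustration and do not correspond to any SACM data model.

```python
"""Added example: a minimal posture-assessment pipeline that exercises the
building blocks in the -05 outline: content (a checklist), endpoint posture
attribute collection, posture evaluation, stored results that enable a later
delta assessment, and content change detection. Everything here (rule
format, attribute names, endpoint data) is constructed for illustration and
is not a SACM data model."""
import hashlib
import json
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class Rule:
    """One checklist item: compare a collected attribute against an expected value."""
    rule_id: str
    attribute: str
    op: str          # "eq" (equal), "ge" (version >=), "in" (member of allowed set)
    expected: object


def version_tuple(version):
    """Turn a dotted version string such as '6.4' into a comparable tuple (6, 4)."""
    return tuple(int(part) for part in str(version).split("."))


def check(rule, attrs):
    """Evaluate one rule against collected attributes: pass, fail, or unknown
    when the attribute was never collected (a distinct outcome, not a fail)."""
    actual = attrs.get(rule.attribute)
    if actual is None:
        return "unknown"
    if rule.op == "eq":
        ok = actual == rule.expected
    elif rule.op == "ge":
        ok = version_tuple(actual) >= version_tuple(rule.expected)
    elif rule.op == "in":
        ok = actual in rule.expected
    else:
        raise ValueError(f"unsupported operator {rule.op!r}")
    return "pass" if ok else "fail"


def digest(obj):
    """Stable SHA-256 over a canonical JSON encoding; used both for content
    change detection and to notice that an endpoint's posture changed."""
    canon = json.dumps(obj, sort_keys=True, default=str)
    return hashlib.sha256(canon.encode()).hexdigest()


def content_digest(rules):
    return digest([asdict(r) for r in rules])


def evaluate(rules, attrs):
    """Posture evaluation: one result per rule for one endpoint."""
    return {r.rule_id: check(r, attrs) for r in rules}


class ResultStore:
    """Stored results keyed by endpoint id. A filtered delta assessment only
    re-evaluates endpoints whose posture or whose content has changed."""

    def __init__(self):
        self.results = {}   # endpoint_id -> (posture digest, content digest, results)

    def assess(self, endpoint_id, attrs, rules):
        """Return (results, reevaluated); reevaluated is False when the stored
        result was reused because neither posture nor content changed."""
        pd, cd = digest(attrs), content_digest(rules)
        prev = self.results.get(endpoint_id)
        if prev and prev[0] == pd and prev[1] == cd:
            return prev[2], False
        res = evaluate(rules, attrs)
        self.results[endpoint_id] = (pd, cd, res)
        return res, True

    def noncompliant(self):
        """Mining the stored results: endpoints with at least one failing rule."""
        return sorted(ep for ep, (_, _, res) in self.results.items()
                      if "fail" in res.values())


# Constructed checklist ("content") and constructed collected posture attributes.
CHECKLIST = [
    Rule("fw-on", "host_firewall", "eq", "enabled"),
    Rule("ssh-min", "openssh_version", "ge", "6.4"),
    Rule("approved-av", "antivirus", "in", ("vendorA", "vendorB")),
]
ENDPOINTS = {
    "ep-1": {"host_firewall": "enabled", "openssh_version": "6.6", "antivirus": "vendorA"},
    "ep-2": {"host_firewall": "disabled", "openssh_version": "5.9", "antivirus": "vendorA"},
    "ep-3": {"host_firewall": "enabled", "openssh_version": "7.1"},   # antivirus not reported
}


def run_assessment(store, endpoints, rules):
    """Full assessment over all endpoints; returns the ids that were re-evaluated."""
    return [ep for ep, attrs in endpoints.items() if store.assess(ep, attrs, rules)[1]]


if __name__ == "__main__":
    store = ResultStore()
    print("first run re-evaluated:", run_assessment(store, ENDPOINTS, CHECKLIST))
    print("second run re-evaluated:", run_assessment(store, ENDPOINTS, CHECKLIST))
    print("non-compliant:", store.noncompliant())
```

Two points worth noticing: an attribute that was never collected yields "unknown" rather than "fail", so a missing collector is not silently reported as compliance or non-compliance; and the delta assessment keys on a digest of both the collected attributes and the content, so publishing a changed checklist forces re-evaluation even for endpoints whose posture has not moved, which is the behaviour the "Content Change Detection" scenario asks for.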
General issues
• Ambiguity in the term "content". It is currently used to mean any of:
  • Policies
  • Collected operational data
  • Specification of a desired configuration
  • Configuration information
  • Status
  • Any combination of the above
• What is the path forward?
  • A single term, or multiple terms?
  • Add the chosen term(s) to the terminology draft?
  • How should they be incorporated into the current text? Specific feedback (e.g., sections, sentences) is needed.
General issues (Cont'd)
• Specification of actors:
  • Suggested set: End User, Operator, Administrator, Application (e.g., Analysis Application, Acquisition Application), and System.
  • History (from Ira):
    • RFC 2567 (Design Goals for IPP) uses END-USER, OPERATOR, ADMINISTRATOR, all in upper case
    • RFC 2904 (AAA Framework): actor roles are title case
    • RFC 3997 (IPP Get-Notifications) uses Job-Submitting End User, Administrator, Operator
  • History (from DBH):
    • RFC 3411 (SNMP Architecture) doesn't use them much, but when used they are in lower case
    • RFC 4741 (NETCONF) uses application and administrator in lower case; it doesn't use end-point or operator
    • RFC 5209 (NEA Overview) uses application, administrator and operator in lower case, except for one use of "Enterprise Administrator"; it doesn't use end-user
• What is the path forward?
  • What set of actors should we consider?
  • Add them to the terminology draft?
  • How should they be incorporated into the current text? Specific feedback (e.g., sections, sentences) is needed.
Review open questions
• Review the questions/comments in the current draft
Homework
• Are terms from the terminology draft used consistently?
• Are there terms that should be added to the terminology draft? For example:
  • Assessment, trigger, metadata
  • Others?
Shifting focus to Requirements
• The goal of the use cases is to get user feedback and to have use cases that drive requirements.
• Now we need to start extracting a requirements wish list.
• Are these 5 use cases and 7 usage scenarios adequate for driving requirements?
Questions?