--- draft-ietf-sacm-use-cases-03.txt
+++ draft-ietf-sacm-use-cases-04.txt

Security Automation and Continuous Monitoring WG              D. Waltermire
Internet-Draft                                                         NIST
Intended status: Informational                                D. Harrington
-Expires: April 22, 2014                                  Effective Software
+Expires: April 24, 2014                                  Effective Software
-                                                           October 19, 2013
+                                                           October 21, 2013

        Endpoint Security Posture Assessment - Enterprise Use Cases
-                      draft-ietf-sacm-use-cases-03
+                      draft-ietf-sacm-use-cases-04

Abstract

   This memo documents a sampling of use cases for securely aggregating
   configuration and operational data and evaluating that data to
   determine an organization's security posture.  From these operational
   use cases, we can derive common functional capabilities and
   requirements to guide development of vendor-neutral, interoperable
   standards for aggregating and evaluating data relevant to security
   posture.

skipping to change at page 1, line 37

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

-  This Internet-Draft will expire on April 22, 2014.
+  This Internet-Draft will expire on April 24, 2014.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
skipping to change at page 2, line 30

   2.8.  Asynchronous Compliance/Vulnerability Assessment at Ice
         Station Zebra . . . . . . . . . . . . . . . . . . . . . .  9
   2.9.  Vulnerable Endpoint Identification  . . . . . . . . . . . 10
   2.10. Compromised Endpoint Identification . . . . . . . . . . . 10
   2.11. Suspicious Endpoint Behavior  . . . . . . . . . . . . . . 10
   2.12. Traditional endpoint assessment with stored results . . . 11
   2.13. NAC/NAP connection with no stored results using an
         endpoint evaluator  . . . . . . . . . . . . . . . . . . . 11
   2.14. NAC/NAP connection with no stored results using a third-
         party evaluator . . . . . . . . . . . . . . . . . . . . . 11
-  2.15. Repository Interaction  . . . . . . . . . . . . . . . . . 12
-  2.16. Others... . . . . . . . . . . . . . . . . . . . . . . . . 12
+  2.15. Repository Interaction - A Full Assessment  . . . . . . . 12
+  2.16. Repository Interaction - Filtered Delta Assessment  . . . 12
+  2.17. Direct Human Retrieval of Ancillary Materials . . . . . . 12
+  2.18. Register with repository for immediate notification of
+        new security vulnerability content that matches a
+        selection filter  . . . . . . . . . . . . . . . . . . . . 12
+  2.19. Others... . . . . . . . . . . . . . . . . . . . . . . . . 12
   3.  IANA Considerations . . . . . . . . . . . . . . . . . . . . 12
-  4.  Security Considerations . . . . . . . . . . . . . . . . . . 12
-  5.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . 12
+  4.  Security Considerations . . . . . . . . . . . . . . . . . . 13
+  5.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . 13
   6.  Change Log  . . . . . . . . . . . . . . . . . . . . . . . . 13
-    6.1.  -02- to -03-  . . . . . . . . . . . . . . . . . . . . . 13
-    6.2.  -01- to -02-  . . . . . . . . . . . . . . . . . . . . . 13
-    6.3.  -00- to -01-  . . . . . . . . . . . . . . . . . . . . . 14
-    6.4.  draft-waltermire-sacm-use-cases-05 to draft-ietf-sacm-
-          use-cases-00  . . . . . . . . . . . . . . . . . . . . . 15
-    6.5.  waltermire -04- to -05- . . . . . . . . . . . . . . . . 15
+    6.1.  -03- to -04-  . . . . . . . . . . . . . . . . . . . . . 13
+    6.2.  -02- to -03-  . . . . . . . . . . . . . . . . . . . . . 13
+    6.3.  -01- to -02-  . . . . . . . . . . . . . . . . . . . . . 14
+    6.4.  -00- to -01-  . . . . . . . . . . . . . . . . . . . . . 14
+    6.5.  draft-waltermire-sacm-use-cases-05 to draft-ietf-sacm-
+          use-cases-00  . . . . . . . . . . . . . . . . . . . . . 15
+    6.6.  waltermire -04- to -05- . . . . . . . . . . . . . . . . 16
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . 17
     7.1.  Normative References  . . . . . . . . . . . . . . . . . 17
     7.2.  Informative References  . . . . . . . . . . . . . . . . 17
-  Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . 17
+  Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . 18
1.  Introduction

   Our goal with this document is to improve our agreement on which
   problems we're trying to solve.  We need to start with short, simple
   problem statements and discuss those by email and in person.  Once we
   agree on which problems we're trying to solve, we can move on to
   propose various solutions and decide which ones to use.

   This document describes example use cases for endpoint posture

skipping to change at page 12, line 10

   evaluation and returns the results.  The Controller completes the
   original assessment request by returning the results to the NAC/NAP
   broker, which uses them to set the level of network access allowed to
   the endpoint.

   QUESTION: I edited these from Gunnar's email of 9/11, to try to
   reduce the use of "assessment", to focus on collection and
   evaluation, and deal with use cases rather than architecture.  I am
   not sure I got all the concepts properly identified.
-2.15.  Repository Interaction
+2.15.  Repository Interaction - A Full Assessment

-  Additional use cases will be identified as we work through other
-  domains.
+  An auditor at a health care provider needs to know the current
+  compliance level of her network, including an enumeration of known
+  vulnerabilities, so she initiates a full enterprise-wide assessment.
+  For each endpoint on the network, after determining its taxonomical
+  classification, the assessment system queries the content repository
+  for all materials that apply to that endpoint.

-2.16.  Others...
+2.16.  Repository Interaction - Filtered Delta Assessment
+
+  Before heading out on a road trip, a sales rep checks out an iOS
+  tablet computer from the IT department.  Before turning over the
+  tablet, the IT administrator first initiates a quick assessment to
+  see whether any new vulnerabilities that potentially yield remote
+  access or local privilege escalation have been identified for that
+  device type since the last time the device had a full assessment.
+
+2.17.  Direct Human Retrieval of Ancillary Materials
+
+  Preceding a HIPAA assessment, the local SSO wants to review the HIPAA
+  regulations to determine which assets do or do not fall under the
+  regulation.  Following the assessment, he again queries the content
+  repository for more information about remediation strategies and
+  employee training materials.
+
+2.18.  Register with repository for immediate notification of new
+       security vulnerability content that matches a selection filter
+
+  Interested in reducing the exposure time to new vulnerabilities and
+  compliance policy changes, the IT administrator registers with the
+  content repositories he subscribes to, so as to receive immediate
+  notification of any change to the vulnerability and compliance
+  content that applies to his managed assets.  Receipt of a
+  notification triggers an immediate delta assessment against those
+  assets that potentially match.
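The three repository interactions above (2.15 full assessment, 2.16 filtered delta assessment and 2.18 filter-based subscription) carried through as one added example. This is editor-written illustration code, not text or code from the draft and not any SACM implementation. The taxonomy class names, content identifiers (VULN-n, COMP-n), impact labels, dates and the publish()/subscribe() calls are all assumptions made for the illustration; a real content repository would have its own query language and notification transport, and the "since last full assessment" cut-off assumes the endpoint record keeps that timestamp.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

# Everything below is constructed for illustration: the taxonomy classes,
# content identifiers (VULN-n, COMP-n) and impact labels are not SACM, NVD
# or vendor identifiers, and publish()/subscribe() stand in for whatever
# notification channel a real repository offers.


@dataclass(frozen=True)
class ContentItem:
    content_id: str               # hypothetical repository identifier
    kind: str                     # "vulnerability" or "compliance"
    applies_to: FrozenSet[str]    # taxonomy classes the content applies to
    impact: FrozenSet[str]        # e.g. "remote-access", "privilege-escalation"
    published: datetime


@dataclass
class Endpoint:
    name: str
    taxonomy: FrozenSet[str]      # classification produced by collection
    last_full_assessment: Optional[datetime] = None


Selector = Callable[[ContentItem], bool]
Notify = Callable[[ContentItem], None]


class ContentRepository:
    def __init__(self) -> None:
        self.items: List[ContentItem] = []
        self.subscriptions: List[Tuple[Selector, Notify]] = []

    def query(self, endpoint: Endpoint, since: Optional[datetime] = None,
              impact: Optional[FrozenSet[str]] = None) -> List[ContentItem]:
        """Content whose taxonomy overlaps the endpoint's; optionally only items
        published after `since` and with at least one impact class in `impact`."""
        hits = []
        for item in self.items:
            if not item.applies_to & endpoint.taxonomy:
                continue
            if since is not None and item.published <= since:
                continue
            if impact is not None and not item.impact & impact:
                continue
            hits.append(item)
        return sorted(hits, key=lambda i: (i.published, i.content_id))

    def subscribe(self, selector: Selector, callback: Notify) -> None:
        self.subscriptions.append((selector, callback))

    def publish(self, item: ContentItem) -> None:
        """Add content and notify each subscriber whose selection filter matches."""
        self.items.append(item)
        for selector, callback in self.subscriptions:
            if selector(item):
                callback(item)


def full_assessment(repo: ContentRepository, endpoints: List[Endpoint]) -> Dict[str, List[str]]:
    """2.15: for each classified endpoint, every repository item that applies to it."""
    return {ep.name: [i.content_id for i in repo.query(ep)] for ep in endpoints}


def filtered_delta_assessment(repo: ContentRepository, endpoint: Endpoint,
                              impact: Optional[FrozenSet[str]] = None) -> List[str]:
    """2.16: only content newer than the endpoint's last full assessment, optionally
    limited to the impact classes the administrator cares about."""
    items = repo.query(endpoint, since=endpoint.last_full_assessment, impact=impact)
    return [i.content_id for i in items]


def register_delta_trigger(repo: ContentRepository, endpoints: List[Endpoint],
                           log: List[Tuple[str, str, List[str]]]) -> None:
    """2.18: register a selection filter covering the managed assets; each notification
    runs a delta assessment against the endpoints the new item potentially matches."""
    managed = frozenset().union(*(ep.taxonomy for ep in endpoints))

    def selector(item: ContentItem) -> bool:
        return bool(item.applies_to & managed)

    def on_notification(item: ContentItem) -> None:
        for ep in endpoints:
            if item.applies_to & ep.taxonomy:
                log.append((item.content_id, ep.name, filtered_delta_assessment(repo, ep)))

    repo.subscribe(selector, on_notification)


def demo() -> Tuple[Dict[str, List[str]], List[str], List[Tuple[str, str, List[str]]]]:
    """Constructed repository content and two endpoints (not real data)."""
    t0, t1, t2 = datetime(2013, 9, 1), datetime(2013, 10, 1), datetime(2013, 10, 15)
    repo = ContentRepository()
    for item in (
        ContentItem("VULN-1", "vulnerability", frozenset({"ios-tablet"}), frozenset({"remote-access"}), t0),
        ContentItem("VULN-2", "vulnerability", frozenset({"ios-tablet"}), frozenset({"denial-of-service"}), t2),
        ContentItem("VULN-3", "vulnerability", frozenset({"ios-tablet", "linux-server"}),
                    frozenset({"privilege-escalation"}), t2),
        ContentItem("COMP-1", "compliance", frozenset({"linux-server"}), frozenset(), t0),
    ):
        repo.items.append(item)
    tablet = Endpoint("tablet-17", frozenset({"ios-tablet"}), last_full_assessment=t1)
    server = Endpoint("db-01", frozenset({"linux-server"}), last_full_assessment=t1)

    full = full_assessment(repo, [tablet, server])
    delta = filtered_delta_assessment(repo, tablet, frozenset({"remote-access", "privilege-escalation"}))
    log: List[Tuple[str, str, List[str]]] = []
    register_delta_trigger(repo, [tablet, server], log)
    # New content for a managed class triggers a delta run; an unmanaged class is filtered out.
    repo.publish(ContentItem("VULN-4", "vulnerability", frozenset({"linux-server"}),
                             frozenset({"remote-access"}), datetime(2013, 10, 20)))
    repo.publish(ContentItem("VULN-5", "vulnerability", frozenset({"windows-desktop"}),
                             frozenset({"remote-access"}), datetime(2013, 10, 20)))
    return full, delta, log


if __name__ == "__main__":
    print(demo())
```

The point of separating query() from the two assessment functions is that the full and delta cases differ only in the filter handed to the repository (taxonomy overlap alone versus taxonomy plus a publication cut-off plus an impact class), while the subscription in 2.18 is the same filter evaluated at publish time instead of at query time. The delta run in on_notification is deliberately unfiltered by impact so that a newly published compliance change also reaches the matching assets, as the use case asks.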
+2.19.  Others...
+
   Additional use cases will be identified as we work through other
   domains.
3.  IANA Considerations

   This memo includes no request to IANA.

4.  Security Considerations

   This memo documents, for Informational purposes, use cases for
   security automation.  While it is about security, it does not affect
   security.

5.  Acknowledgements

skipping to change at page 12, line 46 (-03) / page 13, line 28 (-04)

   Adam Montville edited early versions of this draft.

   Kathleen Moriarty and Stephen Hanna contributed text describing the
   scope of the document.

   Steve Hanna provided use cases for Search for Signs of Infection,
   Remediation and Mitigation, and Endpoint Information Analysis and
   Reporting.

-  Gunnar Engelbach provided the use case about Ice Station Zebra.
+  Gunnar Engelbach provided the use case about Ice Station Zebra, and
+  use cases regarding the content repository.

6.  Change Log

-6.1.  -02- to -03-
+6.1.  -03- to -04-
+
+  Added four new use cases regarding content repository.
+
+6.2.  -02- to -03-

   Expanded the workflow description based on ML input.

   Changed the ambiguous "assess" to better separate data collection
   from evaluation.

   Added use case for Search for Signs of Infection.

   Added use case for Remediation and Mitigation.

skipping to change at page 13, line 40 (-03) / page 14, line 22 (-04)

   third-party evaluator.

   Added use case for Compromised Endpoint Identification.

   Added use case for Suspicious Endpoint Behavior.

   Added use case for Vulnerable Endpoint Identification.

   Updated Acknowledgements

-6.2.  -01- to -02-
+6.3.  -01- to -02-

   Changed title

   removed section 4, expecting it will be moved into the requirements
   document.
   removed the list of proposed capabilities from section 3.1
   Added empty sections for Search for Signs of Infection, Remediation
   and Mitigation, and Endpoint Information Analysis and Reporting.

   Removed Requirements Language section and rfc2119 reference.

   Removed unused references (which ended up being all references).

-6.3.  -00- to -01-
+6.4.  -00- to -01-

   o  Work on this revision has been focused on document content
      relating primarily to use of asset management data and functions.

   o  Made significant updates to section 3 including:

      *  Reworked introductory text.

      *  Replaced the single example with multiple use cases that focus
         on more discrete uses of asset management data to support

skipping to change at page 15, line 5 (-03) / page 15, line 37 (-04)

         "Deconfliction of Asset Identities".

      *  Expanded the subsections for: Asset Identification, Asset
         Characterization, and Deconfliction of Asset Identities.

      *  Added a new subsection for Asset Targeting.

      *  Moved remaining sections to "Other Unedited Content" for future
         updating.

-6.4.  draft-waltermire-sacm-use-cases-05 to draft-ietf-sacm-use-cases-00
+6.5.  draft-waltermire-sacm-use-cases-05 to draft-ietf-sacm-use-cases-00

   o  Transitioned from individual I/D to WG I/D based on WG consensus
      call.

   o  Fixed a number of spelling errors.  Thank you Erik!

   o  Added keywords to the front matter.

   o  Removed the terminology section from the draft.  Terms have been
      moved to: draft-dbh-sacm-terminology-00

skipping to change at page 15, line 44 (-03) / page 16, line 27 (-04)

      is important.

      *  Added new sections, partially integrated existing content.

      *  Additional text is needed in all of the sub-sections.

   o  Changed "Security Change Management" to "Endpoint Posture Change
      Management".  Added new skeletal outline sections for future
      updates.

-6.5.  waltermire -04- to -05-
+6.6.  waltermire -04- to -05-

   o  Are we including user activities and behavior in the scope of this
      work?  That seems to be layer 8 stuff, appropriate to an IDS/IPS
      application, not Internet stuff.

   o  I removed the references to what the WG will do because this
      belongs in the charter, not the (potentially long-lived) use cases
      document.  I removed mention of charter objectives because the
      charter may go through multiple iterations over time; there is a
      website for hosting the charter; this document is not the correct
End of changes.  18 change blocks.  25 lines changed or deleted, 66 lines changed or added.

This html diff was produced by rfcdiff 1.41.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/