Use Cases Status Report and Open Questions

Security Automation and Continuous Monitoring WG. Use Cases Status Report and Open Questions. David Waltermire IETF SACM Virtual Interim Meeting – Dec 17, 2013. Use Cases Document.



  1. Security Automation and Continuous Monitoring WG
     Use Cases Status Report and Open Questions
     David Waltermire
     IETF SACM Virtual Interim Meeting - Dec 17, 2013

  2. Use Cases Document
     • This document provides a sampling of use cases and usage scenarios for collecting, aggregating, and assessing data to determine an organization's security posture.
     • From use cases, we can derive common functional networking capabilities and requirements for IETF-related standards.
     • The scope of this document is limited to Enterprise Security Posture Assessment. Later documents can address other scopes.
     • Existing IETF technologies might be suitable to address some of these functions and requirements.
     SACM WG

  3. Use Cases Status -05-
     • Moved existing use cases to a subsection titled "Usage Scenarios".
     • Added a new subsection titled "Use Cases" to describe the common use cases and associated building blocks used to address the "Usage Scenarios".
     • The new use cases are:
       • Define, Publish, Query and Retrieve Content
       • Endpoint Identification and Assessment Planning
       • Endpoint Posture Attribute Value Collection
       • Posture Evaluation
       • Mining the Database

  4. Use Cases Status -05- (Cont'd)
     • Consolidated many of the usage scenarios:
       • Automated Checklist Verification has been updated to include:
         • Organizational Software Policy Compliance
         • Search for Signs of Infection
         • Vulnerable Endpoint Identification
         • Compromised Endpoint Identification
         • Suspicious Endpoint Behavior
         • Traditional endpoint assessment with stored results
         • NAC/NAP connection with no stored results using an endpoint evaluator
         • NAC/NAP connection with no stored results using a third-party evaluator

  5. Use Cases Status -05- (Cont'd)
     • Consolidated many of the usage scenarios (Cont'd):
       • Created new usage scenario "Identification and Retrieval of Repository Content" by merging:
         • Repository Interaction - A Full Assessment
         • Repository Interaction - Filtered Delta Assessment
       • Renamed "Register with repository for immediate notification of new security vulnerability content that match a selection filter" to "Content Change Detection" and generalized the description to be neutral to implementation approach.
       • Removed out-of-scope usage scenarios:
         • Remediation and Mitigation
         • Direct Human Retrieval of Ancillary Materials
     • For each usage scenario, added a listing of building blocks used.

  6. General issues
     • Ambiguity in the term "content". Examples:
       • Policies?
       • Collected operational data?
       • Specification of a desired configuration?
       • Configuration information?
       • Status?
       • Any combination of the above?
     • What is the path forward?
       • Single vs. multiple terms?
       • Add to terminology draft?
       • How to incorporate into the current text? Need specific feedback (e.g., sections, sentences).

  7. General issues (Cont'd)
     • Specification of actors:
       • Suggested use of: End User, Operator, Administrator, Application (e.g., Analysis Application, Acquisition Application), and System.
       • History (from Ira):
         • RFC 2567 (Design Goals for IPP) uses END-USER, OPERATOR, ADMINISTRATOR; all in all caps.
         • RFC 2904 (AAA Framework): actor roles are titlecase.
         • RFC 3997 (IPP Get-Notifications) uses Job-Submitting End User, Administrator, Operator.
       • History (from DBH):
         • RFC 3411 (SNMP Architecture) doesn't use them much, but when used they are in lower case.
         • RFC 4741 (NETCONF) uses application in lowercase; they use administrator in lowercase. They don't use end-point or operator.
         • RFC 5209 (NEA Overview) uses application, administrator, operator in lowercase, except one use of "Enterprise Administrator". They don't use end-user.
     • What is the path forward?
       • What set of actors should we consider?
       • Add to terminology draft?
       • How to incorporate into the current text? Need specific feedback (e.g., sections, sentences).

  8. Review open questions
     • Review questions/comments in the current draft.

  9. Homework
     • Are terms from the terminology draft consistently used?
     • Are there terms that should be added to the terminology draft? For example:
       • Assessment, trigger, metadata
       • Others?

  10. Shifting focus to Requirements
     • The goal of the use cases is to get user feedback and to have use cases that will drive requirements.
     • Now we need to start extracting a requirements wish-list.
     • Are these 5 use cases and 7 usage scenarios adequate for driving requirements?

  11. Questions?
