Analysis of Security Automation and Continuous Monitoring (SACM) Use Cases
draft-waltermire-sacm-use-cases-00

The information below is for an old version of the document.
Document Type
This is an older version of an Internet-Draft whose latest revision state is "Replaced".
Author David Waltermire
Last updated 2012-07-09
Replaced by draft-ietf-sacm-use-cases, RFC 7632
RFC stream Internet Engineering Task Force (IETF)
Network Working Group                                 D. Waltermire, Ed.
Internet-Draft                                                      NIST
Intended status: Informational                              July 2, 2012
Expires: January 3, 2013

  Analysis of Security Automation and Continuous Monitoring (SACM) Use
                                 Cases
                   draft-waltermire-sacm-use-cases-00

Abstract

   This document identifies foundational use cases, derived functional
   capabilities and requirements, architectural components, and the
   supporting standards needed to define an interoperable automation
   infrastructure required to support timely, accurate and actionable
   situational awareness over an organization's IT systems.  Automation
   tools implementing a continuous monitoring approach will utilize this
   infrastructure together with existing and emerging event, incident
   and network management standards to provide visibility into the state
   of assets, user activities and network behavior.  Stakeholders will
   be able to use these tools to aggregate and analyze relevant security
   and operational data to understand the organization's security
   posture, quantify business risk, and make informed decisions that
   support organizational objectives while protecting critical
   information.  Organizations will be able to use these tools to
   augment and automate information sharing activities to collaborate
   with partners to identify and mitigate threats.  Other automation
   tools will be able to integrate with these capabilities to enforce
   policies based on human decisions to harden systems, prevent misuse
   and reduce the overall attack surface.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 3, 2013.

Waltermire               Expires January 3, 2013                [Page 1]
Internet-Draft               SACM Use Cases                    July 2012

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
     1.1.  Requirements Language  . . . . . . . . . . . . . . . . . .  4
   2.  Key Concepts . . . . . . . . . . . . . . . . . . . . . . . . .  4
   3.  Use Cases  . . . . . . . . . . . . . . . . . . . . . . . . . .  4
     3.1.  UC1: Assessment and Enforcement of Acceptable State  . . .  4
     3.2.  UC2: Behavioral Monitoring and Enforcement . . . . . . . .  5
     3.3.  UC3: Security Control Verification and Monitoring  . . . .  6
     3.4.  UC4: Secure Exchange of Governance, Risk and
           Compliance (GRC) Information . . . . . . . . . . . . . . .  6
     3.5.  UC5: Automated Forensics Investigation . . . . . . . . . .  7
   4.  Functional Capabilities  . . . . . . . . . . . . . . . . . . .  8
     4.1.  Functional Capability 1  . . . . . . . . . . . . . . . . .  8
     4.2.  Functional Capability n  . . . . . . . . . . . . . . . . .  8
   5.  Functional Components  . . . . . . . . . . . . . . . . . . . .  8
   6.  Data Exchange Models and Communications Protocols  . . . . . .  9
   7.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . .  9
   8.  Security Considerations  . . . . . . . . . . . . . . . . . . .  9
   9.  References . . . . . . . . . . . . . . . . . . . . . . . . . .  9
     9.1.  Normative References . . . . . . . . . . . . . . . . . . .  9
     9.2.  Informative References . . . . . . . . . . . . . . . . . . 10
   Appendix A.  Additional Stuff  . . . . . . . . . . . . . . . . . . 10
   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 10

1.  Introduction

   This document addresses foundational use cases in security
   automation.  Portions of these use cases may be considered when
   establishing a charter for the Security Automation and Continuous
   Monitoring (SACM) working group within the IETF.  This working group
   will address a portion of the standards needed to define an
   interoperable automation infrastructure required to support timely,
   accurate and actionable situational awareness over an organization's
   IT systems.  This document enumerates use cases and breaks down
   related concepts that cross many IT security information domains.

   Sections [...] of this document focus on:

      Defining the key concepts and terminology used within the document
      providing a common frame of reference;

      Identifying foundational use cases that represent classes of
      stakeholders, goals, and usage scenarios;

      A set of derived functional capabilities and associated
      requirements that are needed to support the use cases;

      A breakdown of architectural components that address one or more
      functional capabilities that can be used in various combinations
      to support the use cases; and

      An inventory of existing, emerging, and needed data exchange
      models and communications protocols that are required to support
      interoperability between architectural components.

   The standards identified in this document provide a foundation for
   creating interoperable automation tools and continuous monitoring
   solutions that provide visibility into the state of assets, user
   activities, and network behavior.  Stakeholders will be able to use
   these tools to aggregate and analyze relevant security and
   operational data to understand the organization's security posture,
   quantify business risk, and make informed decisions that support
   organizational objectives while protecting critical information.
   Organizations will be able to use these tools to augment and automate
   information sharing activities to collaborate with partners to
   identify and mitigate threats.  Other automation tools will be able
   to integrate with these capabilities to enforce policies based on
   human decisions to harden systems, prevent misuse and reduce the
   overall attack surface.

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2.  Key Concepts

   Define/reference the major concepts included in this document.

3.  Use Cases

   Describe use cases, one per sub-section.

   Things to consider including (but not limited to):

   o  Usage scenarios (e.g. Security Control Verification, Endpoint
      Enforcement, Incident Detection, Forensic Investigation, etc.)

   o  Information Domains (e.g. configuration, vulnerability, digital
      events, etc.)

   o  Characteristics of the information used (e.g. real-time/periodic,
      static/dynamic, etc.)

3.1.  UC1: Assessment and Enforcement of Acceptable State

   Controlling access to networks and services based on the assessment
   and analysis of host and/or network state based on machine
   processable content.

   Possible "things" that are being measured:

   o  Asset information

   o  System configuration

   o  System vulnerabilities

   o  System weaknesses

   o  Semi-automated human interrogation methods to assess non-
      automatable technical controls

   Possible desired outcomes to address:

   o  User/system is allowed access to network resources

   o  User/system is denied access to network resources

      *  Potential mitigation actions are taken

   Possible other things to address:

   o  In this and subsequent sections, document how this work is related
      to the Network Endpoint Assessment (nea) working group.

   o  Relevant processes, technologies and techniques.

3.2.  UC2: Behavioral Monitoring and Enforcement

   Controlling access to networks and services based on the detection
   and analysis of host and/or user behavior using automatable
   information from various sources.

   Possible "things" that are being measured:

   o  System configuration

   o  System vulnerabilities

   o  Network events

   o  User/host behavior

   Possible desired outcomes to address:

   o  Change in state is recorded and reported

   o  User/system activity is recorded and reported

   o  User/system access is terminated or altered

   Possible other things to address:

   o  In this and subsequent sections, document how this work is related
      to the Network Endpoint Assessment (nea) working group.

   o  Discuss how this could potentially be related to the IP Flow
      Information Export (ipfix) working group.  Basically leveraging
      Netflow to detect network behavior.  This information could be
      received from what the MILE WG is doing with incident response.
      (see UC5 and UC4)

   o  Relevant processes, technologies and techniques.
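
   The following is an added worked example, not text or code from this
   draft, showing the shape of the UC2 loop: flow records of the kind an
   ipfix/NetFlow collector exports are summarized per host and time
   window, a per-host expected behavior is learned from a period assumed
   benign, and each change of state (normal to anomalous and back) is
   recorded and mapped to an access action.  The host names, addresses,
   60-second window, "three times baseline" threshold and the flow record
   layout are all constructed assumptions for the example.

```python
from collections import defaultdict

WINDOW = 60  # seconds per observation window (assumed value)

def make_flows(src, ts, dsts, dport=443):
    """Build constructed flow records shaped like a minimal NetFlow/IPFIX export."""
    return [{"ts": ts, "src": src, "dst": d, "dport": dport} for d in dsts]

def window_counts(flows, window=WINDOW):
    """Count distinct (destination, port) pairs per (source host, window index)."""
    dests = defaultdict(set)
    for f in flows:
        dests[(f["src"], f["ts"] // window)].add((f["dst"], f["dport"]))
    return {key: len(v) for key, v in dests.items()}

def learn_baseline(flows, window=WINDOW):
    """Per-host maximum distinct-destination count observed in a period
    assumed to be benign; this is the expected behavior each host is held to."""
    baseline = defaultdict(int)
    for (src, _), n in window_counts(flows, window).items():
        baseline[src] = max(baseline[src], n)
    return dict(baseline)

def monitor(flows, baseline, factor=3, window=WINDOW):
    """Walk the observed windows host by host in time order and emit one event
    per change of state: a host becomes 'anomalous' when its distinct
    destinations exceed factor x baseline, and 'normal' again when a later
    window is back within bounds.  Hosts with no learned baseline get 1."""
    counts = window_counts(flows, window)
    state = defaultdict(lambda: "normal")
    events = []
    for src, idx in sorted(counts):  # sorted by host, then by window index
        n = counts[(src, idx)]
        limit = factor * baseline.get(src, 1)
        new_state = "anomalous" if n > limit else "normal"
        if new_state != state[src]:
            state[src] = new_state
            action = ("alter access: rate-limit host and notify operator"
                      if new_state == "anomalous" else "restore normal access")
            events.append({"host": src, "window_start": idx * window,
                           "distinct_dsts": n, "limit": limit,
                           "state": new_state, "action": action})
    return events

# Constructed learning data: ws-17 normally reaches three services per window.
LEARN_FLOWS = (make_flows("ws-17", 0,   ["10.0.0.1", "10.0.0.2", "10.0.0.3"])
               + make_flows("ws-17", 60,  ["10.0.0.1", "10.0.0.2", "10.0.0.4"])
               + make_flows("ws-17", 120, ["10.0.0.1", "10.0.0.3", "10.0.0.4"]))

# Constructed monitoring data: a quiet window, a window with twelve new
# destinations, then a return to the usual three; ws-22 has no baseline.
MONITOR_FLOWS = (make_flows("ws-17", 1000, ["10.0.0.1", "10.0.0.2"])
                 + make_flows("ws-17", 1060, [f"10.0.1.{i}" for i in range(12)])
                 + make_flows("ws-17", 1120, ["10.0.0.1", "10.0.0.2", "10.0.0.3"])
                 + make_flows("ws-22", 1000, ["10.0.0.5"]))

if __name__ == "__main__":
    for event in monitor(MONITOR_FLOWS, learn_baseline(LEARN_FLOWS)):
        print(event)
```

   Only state transitions are emitted, which is what "change in state is
   recorded and reported" asks for; a window that stays anomalous does
   not generate a second event, and the return to normal is reported so
   the altered access can be restored.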

3.3.  UC3: Security Control Verification and Monitoring

   Continuous assessment of the implementation and effectiveness of
   security controls based on machine processable content.

   Possible "things" that are being measured:

   o  Compliance to organizationally defined/required controls

      *  System configuration

      *  System vulnerabilities

      *  Network events

      *  Semi-automated human interrogation methods to assess non-
         technical controls

   o  Deviations from expected state

   Possible desired outcomes to address:

   o  Compliance or non-compliance is recorded and reported

   Possible other things to address:

   o  Indicate the relationship to UC1 and UC2.  These use cases provide
      some of that data needed to support this use case.

   o  Relevant processes, technologies and techniques.
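
   The following is an added worked example, not text or code from this
   draft, covering the data path shared by UC1 and UC3: a machine-
   processable baseline is evaluated against a host's collected state,
   the result drives an allow/deny decision with mitigation actions
   (UC1), and the same check results are rolled up to the controls they
   support to record compliance and deviations from expected state (UC3).
   The check identifiers, control labels, state attributes, severities
   and mitigation strings are constructed for the example; a real
   baseline would carry organizationally defined controls.

```python
# Constructed baseline: each check names the control it supports, the state
# attribute it inspects, a comparison, the expected value and a severity.
BASELINE = [
    {"id": "chk-fw",     "control": "CTL-FIREWALL", "attr": "firewall_enabled",
     "op": "eq", "expect": True,  "severity": "high",
     "mitigation": "move endpoint to remediation VLAN and enable host firewall"},
    {"id": "chk-av",     "control": "CTL-MALWARE",  "attr": "av_signature_age_days",
     "op": "le", "expect": 7,     "severity": "high",
     "mitigation": "force anti-malware signature update"},
    {"id": "chk-patch",  "control": "CTL-PATCH",    "attr": "missing_critical_patches",
     "op": "eq", "expect": 0,     "severity": "high",
     "mitigation": "schedule critical patch deployment"},
    {"id": "chk-sshpw",  "control": "CTL-AUTH",     "attr": "ssh_password_auth",
     "op": "eq", "expect": False, "severity": "medium",
     "mitigation": "push configuration disabling SSH password authentication"},
    {"id": "chk-banner", "control": "CTL-AUTH",     "attr": "login_banner_present",
     "op": "eq", "expect": True,  "severity": "low",
     "mitigation": "deploy login banner"},
]

OPS = {"eq": lambda observed, expected: observed == expected,
       "le": lambda observed, expected: observed <= expected}

def evaluate(state, baseline=BASELINE):
    """Compare one host's collected state against every baseline check.
    A missing attribute is a failure: unknown state is not acceptable state."""
    results = []
    for chk in baseline:
        observed = state.get(chk["attr"])
        passed = observed is not None and OPS[chk["op"]](observed, chk["expect"])
        results.append({"id": chk["id"], "control": chk["control"],
                        "severity": chk["severity"], "observed": observed,
                        "expected": chk["expect"], "passed": passed,
                        "mitigation": chk["mitigation"]})
    return results

def access_decision(results):
    """UC1: allow network access only when no high-severity check failed.
    Every failure, blocking or not, contributes a mitigation action."""
    failed = [r for r in results if not r["passed"]]
    blocking = [r for r in failed if r["severity"] == "high"]
    decision = "deny" if blocking else "allow"
    return decision, [r["mitigation"] for r in failed]

def compliance_report(results):
    """UC3: roll check results up to the controls they support.
    A control is compliant only if every check mapped to it passed."""
    by_control = {}
    for r in results:
        by_control.setdefault(r["control"], []).append(r["passed"])
    per_control = {c: all(v) for c, v in by_control.items()}
    return {"controls": per_control,
            "compliant_ratio": sum(per_control.values()) / len(per_control),
            "deviations": [r["id"] for r in results if not r["passed"]]}

# Constructed state snapshots as a collector might report them.
HEALTHY_HOST = {"firewall_enabled": True, "av_signature_age_days": 2,
                "missing_critical_patches": 0, "ssh_password_auth": False,
                "login_banner_present": True}
DRIFTED_HOST = {"firewall_enabled": True, "av_signature_age_days": 30,
                "missing_critical_patches": 0, "ssh_password_auth": True}
                # login_banner_present was not reported by the collector

if __name__ == "__main__":
    for name, state in (("healthy", HEALTHY_HOST), ("drifted", DRIFTED_HOST)):
        res = evaluate(state)
        print(name, access_decision(res), compliance_report(res))
```

   Treating an unreported attribute as a failed check is the conservative
   choice for both use cases: a collector gap shows up as a deviation in
   the UC3 report rather than silently counting as compliant.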

3.4.  UC4: Secure Exchange of Governance, Risk and Compliance (GRC)
      Information

   Sharing security and/or operationally relevant information within and
   across trust boundaries using secure, automated communication
   channels and formats.

   Possible "things" that are being measured:

   o  ???

   Possible desired outcomes to address:

   o  Combining results from UC1-UC3, a report to an organizational
      authority is generated, including relevant data pertaining to the
      user activities, potentially along with the aggregated data from
      other user activities.

   o  Potential sharing of risk and/or threat behavioral information
      with partners as well as reference data and content like USGCB,
      NVD, IAVM, and machine-readable US-CERT alerts

   o  Outcome of UC4 informs back through UC1-UC3, such as updates to
      policies, adjusted configurations, new patch data, etc.

   Possible other things to address:

   o  Indicate the relationship of this use case to UC3 and UC5.  This
      use case supports requests for and reporting of information
      generated by UC3 and UC5.

   o  Be sure to incorporate Incident/Security Event Exchange (UC5).

   o  Document how this use case supports methods to combine data sets
      to generate reports that would be shared between parties.  This is
      a touch point with the MILE GRC-Exchange work.  Establish the use
      cases for the exchange.  In the following sections, discuss
      additional work that may be needed to tie these pieces together

   o  Discuss the use of content repositories in support of information
      exchange.

   o  Relevant processes, technologies and techniques.
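
   The following is an added worked example, not text or code from this
   draft, of the exchange step in UC4: a report assembled from UC1-UC3
   results is placed in a canonical JSON envelope with the sender's name
   and a fresh nonce, protected by an HMAC-SHA256 tag, and the receiving
   party verifies the tag before parsing, checks the claimed sender, and
   rejects replays.  The draft does not prescribe a mechanism; the pre-
   shared key, the envelope layout, the organization names and the report
   contents are constructed assumptions for the example.

```python
import hashlib
import hmac
import json
import secrets

def package_report(report, sender, key):
    """Wrap a report for transmission: canonical JSON envelope (sender, fresh
    nonce, report) plus an HMAC-SHA256 tag over the exact bytes sent."""
    envelope = {"sender": sender, "nonce": secrets.token_hex(8), "report": report}
    payload = json.dumps(envelope, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"sender": sender, "payload": payload, "mac": tag}

def receive_report(message, keys_by_sender, seen_nonces):
    """Verify before parsing: look up the key by the claimed sender, compare
    the tag in constant time, only then decode the JSON, confirm the inner
    sender matches the outer claim, and reject nonces already seen."""
    key = keys_by_sender.get(message.get("sender"))
    if key is None:
        return None, "unknown sender"
    expected = hmac.new(key, message["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message.get("mac", "")):
        return None, "integrity check failed"
    envelope = json.loads(message["payload"])
    if envelope.get("sender") != message["sender"]:
        return None, "sender mismatch"
    if envelope["nonce"] in seen_nonces:
        return None, "replay"
    seen_nonces.add(envelope["nonce"])
    return envelope["report"], "ok"

# Constructed shared key and a report combining UC1-UC3 style results.
KEYS = {"org-a": b"constructed-shared-key-for-org-a"}
REPORT = {"org": "org-a", "period": "2012-07", "compliant_ratio": 0.5,
          "deviations": ["chk-av", "chk-sshpw", "chk-banner"]}

def demo():
    """One good round trip, then three failure modes a receiver must handle:
    the same message delivered twice, a modified payload, an unknown sender."""
    seen = set()
    msg = package_report(REPORT, "org-a", KEYS["org-a"])
    ok = receive_report(msg, KEYS, seen)
    replay = receive_report(msg, KEYS, seen)
    tampered = dict(msg, payload=msg["payload"].replace(
        '"compliant_ratio":0.5', '"compliant_ratio":1.0'))
    forged = receive_report(tampered, KEYS, set())
    stranger = receive_report(dict(msg, sender="org-z"), KEYS, set())
    return ok[1], replay[1], forged[1], stranger[1]

if __name__ == "__main__":
    print(demo())
```

   Keying the lookup on the outer sender field and checking it against
   the authenticated inner copy means the receiver never parses data it
   has not verified, and a tag made under one partner's key cannot be
   presented as another partner's report.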

3.5.  UC5: Automated Forensics Investigation

   Remote and/or local collection of organizational, network, and/or
   host information for the purpose of incident investigation and
   response.

   Possible "things" that are being measured:

   o  Scope and impact of security incident

   Possible desired outcomes to address:

   o  Identify the need for additional data collection from UC1-UC3
      based on gaps in information currently collected

   o  Can be informed by UC4, such as shared risk/threat information

   o  Alteration to acceptable system state requirements necessary for
      UC1-UC2

   o  Identify the need for additional or altered controls in UC3

   Possible other things to address:

   o  Relevant processes, technologies and techniques.

4.  Functional Capabilities

   Decompose the functional capabilities needed to support the use
   cases, one per sub-section.  Cross reference the use case
   dependencies where they exist.

   Things to consider including (but not limited to):

   o  Information Views/Reports (e.g. security posture, compliance,
      control effectiveness)

   o  Data Collection (e.g. configuration state, software inventory,
      user and network behavior)

   o  Reference Information Formats (e.g. control catalogs,
      configuration baselines, malware characteristics, vulnerability
      data)

4.1.  Functional Capability 1

   Describe the first capability.

4.2.  Functional Capability n

   Describe the nth capability.

5.  Functional Components

   Describe the abstract functional components needed to provide the
   capabilities described in the previous section.  Describe any
   relationships between the components and how they can be composed to
   address functional capabilities. (this might be better defined in the
   previous section.)

   Things to consider including (but not limited to):

   o  Topologies

   o  Federation Strategy

6.  Data Exchange Models and Communications Protocols

   Document where existing work exists, what is currently defined by
   SDOs, and any gaps that should be addressed.  Point to existing
   event, incident and network management standards when available.
   Describe emerging efforts that may be used for the creation of new
   standards.  For gaps, provide insight into what would be a good fit
   for SACM or other IETF working groups.

   This will help us to identify what is needed for SACM to be
   successful.  This section will help determine which of the
   specifications can be normatively referenced and what needs to be
   addressed in the IETF.  This should help us determine any protocol or
   guidance documentation we will need to generate to support the
   described use cases.

   Things to address:

      For IETF related efforts, discuss work in NEA and MILE.  Address
      SNMP, NetConf and other efforts as needed.

      Reference any Security Automation work that is applicable.

7.  IANA Considerations

   This memo includes no request to IANA.

   All drafts are required to have an IANA considerations section (see
   the update of RFC 2434 [I-D.narten-iana-considerations-rfc2434bis]
   for a guide).  If the draft does not require IANA to do anything, the
   section contains an explicit statement that this is the case (as
   above).  If there are no requirements for IANA, the section will be
   removed during conversion into an RFC by the RFC Editor.

8.  Security Considerations

   All drafts are required to have a security considerations section.
   See RFC 3552 [RFC3552] for a guide.

9.  References

9.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [min_ref]  authSurName, authInitials., "Minimal Reference", 2006.

9.2.  Informative References

   [I-D.narten-iana-considerations-rfc2434bis]
              Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs",
              draft-narten-iana-considerations-rfc2434bis-09 (work in
              progress), March 2008.

   [RFC3552]  Rescorla, E. and B. Korver, "Guidelines for Writing RFC
              Text on Security Considerations", BCP 72, RFC 3552,
              July 2003.

Appendix A.  Additional Stuff

   This becomes an Appendix if needed.

Author's Address

   David Waltermire (editor)
   National Institute of Standards and Technology
   100 Bureau Drive
   Gaithersburg, Maryland  20877
   USA

   Phone:
   Email: david.waltermire@nist.gov
