Minutes for SACM at interim-2014-sacm-2
minutes-interim-2014-sacm-2-1

Meeting Minutes Security Automation and Continuous Monitoring (sacm) WG
Date and time 2014-04-30 07:00
Title Minutes for SACM at interim-2014-sacm-2
Last updated 2014-04-30

Reported By: Blake Frantz and Joshua Lubell
Editorialized By: Adam Montville

Present:
        Adam Montville
        Brian Ford
        Blake Frantz
        Dan Romascanu
        Dave Waltermire
        Danny Hanyes
        Jarrett Lu
        Jim Bieda
        Jon Baker
        Josh Lubell
        Kathleen Moriarty
        Lisa Lorenzin
        Luiz Nunez
        Matt Hansbury
        Nancy Cam-Winget
        Take
        Trevor Freeman

WG Status: Dan Romascanu

        - Milestones are not progressing as planned.
                - Red - Initial submission for protocol or data format for
                retrieving configuration and policy info.
                - Red - Initial submission for protocol or data format for
                collecting endpoint posture ID.
                - Group will negotiate new milestone dates with Area Director

        - Way Forward
                - Red - Requirements Update Submitted
                - Red - Adopt Requirements ID

        - Merge Requirements?

                - DanR indicated merging requirements and architecture docs may
                be best.
                - DaveW agrees we should consider merging requirements and
                architecture doc, but only after there is consensus on the
                architecture.

                        Note: the above agreement to combine drafts was changed
                        later in the meeting.

Terminology: Nancy Cam-Winget

        - The following updates were made in SACM terminology draft 03:
                - Removed dangling terms
                - Added pre-defined terms to section 2.1 and 2.2
                - Added RFC 3444 as informative reference

        - Posture and Posture Attributes

                There was a discussion with respect to "posture attribute" vs.
                "posture".  A "posture attribute" is a single property of an
                observed state, and there is a differentiation between states
                that are "explicitly observable" versus those that are "derived
                by inference" (e.g. infected by malware).  There was some
                preference for terminology that supports both the state of that
                which is explicitly observable and that which is derived.  For
                example, anti-virus is enabled given the observed state of a
                particular Windows registry key.  Updates will be made to the
                terminology draft and confirmed on the list.

        - Contention on terms such as: misconfiguration, compliant,
        vulnerability, remediation, etc

                The discussion around these "upleveled" terms concluded with
                the general agreement to remove them and keep terms not of the
                "art" as those with which we are concerned.  The terms
                "remediate", "compliant", "vulnerability", and other terms of
                art will be removed from the terminology draft, and more generic
                terms, such as "correct" and "mismatch", will be considered when
                necessary.  This is in part due to the fact that when the
                expected state does not equal the collected state, it could
                represent a misconfiguration, a vulnerability, or a compliance
                issue.  But all are a "mismatch".
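The two terminology points above (explicit versus derived posture attributes, and evaluation reported as a neutral "match"/"mismatch" rather than as "compliant" or "vulnerable") can be illustrated with a small model. This is an added example, not code from the minutes or from any SACM draft; the registry path, service name and attribute names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Any, Callable

# Hypothetical registry key and service name, constructed for this example.
AV_KEY = r"registry:HKLM\SOFTWARE\ExampleAV\RealTimeProtection"
AV_SERVICE = "service:exampleav"


@dataclass(frozen=True)
class PostureAttribute:
    """A single property of an endpoint's state (a 'posture attribute')."""
    name: str
    value: Any
    origin: str  # "explicit" (directly observed) or "derived" (inferred)


def explicit_attributes(collected: dict[str, Any]) -> list[PostureAttribute]:
    """Wrap raw collector output as explicitly observed attributes."""
    return [PostureAttribute(k, v, "explicit") for k, v in collected.items()]


def derive_antivirus_enabled(attrs: list[PostureAttribute]) -> PostureAttribute:
    """Infer 'antivirus.enabled' from the registry key and service state,
    mirroring the registry-key example in the discussion."""
    seen = {a.name: a.value for a in attrs}
    enabled = seen.get(AV_KEY) == 1 and seen.get(AV_SERVICE) == "running"
    return PostureAttribute("antivirus.enabled", enabled, "derived")


# Derivation rules: each maps explicit attributes to one derived attribute.
DERIVATIONS: list[Callable[[list[PostureAttribute]], PostureAttribute]] = [
    derive_antivirus_enabled,
]


def collect_posture(collected: dict[str, Any]) -> list[PostureAttribute]:
    """Full posture: the explicit attributes plus every derived attribute."""
    attrs = explicit_attributes(collected)
    attrs += [rule(attrs) for rule in DERIVATIONS]
    return attrs


def evaluate(expected: dict[str, Any],
             posture: list[PostureAttribute]) -> dict[str, str]:
    """Compare expected state against collected posture.  Verdicts are the
    generic 'match', 'mismatch' or 'missing'; whether a mismatch is a
    misconfiguration, a vulnerability or a compliance issue is left to a
    higher layer, as the terminology discussion suggests."""
    seen = {a.name: a.value for a in posture}
    verdicts: dict[str, str] = {}
    for name, want in expected.items():
        if name not in seen:
            verdicts[name] = "missing"
        elif seen[name] == want:
            verdicts[name] = "match"
        else:
            verdicts[name] = "mismatch"
    return verdicts


# Constructed sample input: what a collector returned from one endpoint.
SAMPLE_COLLECTED = {
    AV_KEY: 1,
    AV_SERVICE: "stopped",
    "os.patch_level": 20140401,
}

# Constructed expected state for that endpoint.
SAMPLE_EXPECTED = {
    "antivirus.enabled": True,
    "os.patch_level": 20140415,
    "disk.encrypted": True,
}

if __name__ == "__main__":
    posture = collect_posture(SAMPLE_COLLECTED)
    for attr in posture:
        print(f"{attr.origin:8} {attr.name} = {attr.value}")
    for name, verdict in evaluate(SAMPLE_EXPECTED, posture).items():
        print(f"{verdict:8} {name}")
```

Running it shows "antivirus.enabled" reported as a derived attribute (False here, because the service is stopped even though the registry key is set) and three verdicts: mismatch for the anti-virus and patch-level expectations, and missing for disk encryption, which no collector reported. Keeping the verdict vocabulary to match/mismatch/missing is the point: the same comparison logic serves configuration, vulnerability and compliance evaluators without baking any of those terms of art into the model.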

        - Linking SACM terminology to MILE, OpenIOC, and STIX (or others):

                This was a brief discussion ending in a deferral until we see
                information models which may be the best source of discovering
                such links.

Use Cases: David Waltermire

        The latest revision (-07) was updated two days prior to the interim and
        addressed all of the open issues; the draft is quite stable.  The
        major changes in -07 were an update to section 2.1.2 and an elimination
        of section 2.1.5 by merging it with 2.1.4.  There was some concern
        posted to the list after the update and before the interim about the
        term "proprietary attributes" as used in the use case draft.  The
        concern is that the term may not be "vendor neutral".  The group agreed
        that the goal is a framework that can be modularized and extended and
        agreed to change "proprietary attributes" to "extended attributes".

        The use case document is ready for WGLC as proposed by Dan Romascanu
        and agreed to by Nancy Cam-Winget, Jim Biedu, Dave Waltermire, and Adam
        Montville.

Requirements: Nancy Cam-Winget

        Requirements draft updates have not been progressing as fast as
        planned, and an informal editorial meeting will be arranged at some
        point over the next several weeks to improve progress, particularly for
        architecture-related work.

        Use case elaboration will be "flipped" with requirement descriptions
        for readability (i.e. lead with requirements and then explain link to
        use cases).

        The group discussed testability of requirements based on a list-posed
        question.  We discussed what level of testability we're looking for and
        ultimately arrived at the general agreement that we're looking for more
        specific requirements that can be tested in terms of architectures
        meeting the requirements.  Specifically, Lisa Lorenzin posited three
        levels for extensibility, as an example:

                1. "Must be extensible" - more abstract
                2. "Must have extensible transport protocols, query languages,
                etc." - more specific
                3. "Must be extensible in the specific operations of transport,
                query language, etc." - even more specific

        There was general agreement that we should focus on the details around
        the second level rather than on those of the more abstract or more
        detailed levels.  Lisa agreed to contribute language to this effect in
        the requirements document.  Others are encouraged to contribute as well.

        The requirements, as written, will likely result in more than just one
        "information model" I-D.

        Additional questions were discussed around use of the term
        "asynchronous" especially as it is used in REQ-007 of -03 of the
        requirements draft.  Again, an update to the draft will be made to
        clarify the meaning of synchronous and asynchronous, especially as it
        pertains to REQ-006 and REQ-007 of the requirements draft. 
        Participation in this update is welcomed.

        A similar discussion ensued pertaining to G-008 of the requirements
        draft, which was centered around use of the term "role" and its tight
        association with RBAC.  We also agreed to move G-007 (authorization)
        from requirements to Security Considerations.

        Nearer the end of the meeting, the group agreed that pulling the
        architecture description out of the requirements draft is needed.


TNC Architecture: Lisa Lorenzin

        Trusted Network Connect - developed by Trusted Computing Group. 
        Specific details can be found in the TNC slide presentation and also in
        the contributed I-D draft-shah-sacm-tnc-architecture-00.  Lisa had to
        move quickly through the architecture description due to time
        constraints and fielded a couple of questions.  Discussion will
        continue on the list.

Call for Contributions: Dan Romascanu

        Dan discussed state of Call for contributions and pointed out that he
        added ISO/IEC JTC1 SC7, SC27, and TCG to addressees.  The suggestion
        for being more specific with the call for contribution was addressed
        and determined to be left as-is.

Way Forward:

        - Avoid Serialization
        - New Milestones:
                - 2014-04-30 - Use Case WGLC
                - 2014-05-25 - Requirements Update Submitted
                - 2014-05-25 - Terminology Update
                - 2014-05-25 - Architecture I-D Submitted
                - 2014-06-15 - Adopt Requirements I-D
                - 2014-06-30 - Adopt Architecture I-D
                - 2014-07-04 - Initial Submissions for the Information Model
        - Interim meeting to be held last week of May / 1st week of June