Security Automation and Continuous Monitoring Minutes IETF 99 Thursday, July 20, 2017 Morning Session I: 09:30-12:00 1. WG status ============ presenters: chairs, Adam Montville and Karen O'Donoghue slides: https://www.ietf.org/proceedings/99/slides/slides-99-sacm-chair-slides-01.pdf The chairs summarized the WG status. 2. Agenda bashing ==================== Based on discussion, the agenda was rearranged as follows. 1. WG status – chairs – 5m 2. Hackathon results – David Waltermire 15m 3. Hackathon results - Henk Birkholz 15m 4. Charter Discussion / Way Forward - Chairs/AD - remaining time a. Information Model b. Architecture c. Existing WG drafts d. Existing individual drafts e. Charter f. Milestones 5. Existing Work Disposition/Open Issues (total: 40m) a. SWIMA – Charles Schmidt 15m b. Terminology – Henk Birkholz 15m c. CoSWID - Henk Birkholz 10m 6. ROLIE Software Descriptor Extension - Stephen Banghart - 20m 7. ROLIE Checklist Extension - Bill Munyan - 5m 8. TNC 2.0 Update - Charles Schmidt 15m 2. Hackathon results ==================== presenter: David Waltermire Waltermire presented POC of the Vulnerability Assessment scenario built during the Hackathon. The POC incorporated a variety of existing work in SACM (OVAL, SWIMA, SWID), MILE (ROILE) and others; using open source (Ubuntu, strongTNC) and commercial products (Center for Internet Security CIS-CAT). Use case ** A vendor will release vulnerability bulletin ** An end user of that product needs to inventory their network to identify which systems in their enterprise have that vulnerability Lessons learned: ** Turning vulnerability detection data (a vulnerability bulletin) into an OVAL definition is difficult. ** Difficult to query for the software of interest in the collector service -- need a query API against the data store ** Need a better way to query an enterprise data store for SWIDs -- will propose a new work item to the charter ** SWIDs have file hash information to determine if a file on an endpoint has been modified but challenges remain in understanding if patches have been correctly installed Q: (Roman Danyliw): Can you clarify the (3) lesson learned? A: (David Waltermire): We can only say coarsely if software is installed. To know for sure, we would have to examine the file system. For example, we demonstrated using the package database to know the software inventory of an endpoint, however, there is no way to verify if there is a delta between that and what is installed on the file system. Q: (Frank Xia Lang): If that your demo included work from a variety of WG, do you feel that there is sufficient differentiation across WG groups? A: (David Waltermire): There are likely more gaps than overlaps from this experience. Various close and proprietary interfaces that needed to be used which means there are more opportunities for standardization. There were not a lot of choices for what to use. Q: (Shiwetha Bihangdari): Cisco would be interested in getting the file hash information (per lesson #3) A: (David Waltermire): We'd like to work on this at the IETF 100 Hackathon and invite you to help. Comment: (Henk Birkholz): There is significant related work outside the IETF and software inventory is just one type of data. 3. Hackathon results 2 ====================== presenters: Henk Birholz slides: (used but not uploaded) Explored using a YANG-based approach to demonstrate architecture requirements (G-007, 009, 011, 012, 013, 015). Open source tools were used for this implementation (XMPP-grid server and client; apache kafka, YANG pub-sub client in python). A variety of current YANG models were used in this demonstration. Comment: (Stephen Banghart): It was very interesting to see the application of YANG in SACM. 4. Charter Discussion / Way Forward - Chairs/AD - remaining time presenters: chairs, Adam Montville and Karen O'Donoghue slides: starting at slide 7 of https://www.ietf.org/proceedings/99/slides/slides-99-sacm-chair-slides-01.pdf The WG discussed areas in which to update the charter -- Collection, Evaluation and Messaging. Birkholz, Banghart and Cam-Winget proposed scope. This discussion item came about when the WG got together to figure out which items to work on next based on lessons learned from the hackathon. Given the level of interest in these three items, the WG can likely handle these items in parallel. Collection, slide 8, Henk Birkholz Comment (Henk): We need to know how to collect data and which different data models to support. Q: (Danny Haynes): Just to clarify, this is more general than just YANG? A: (Henk Birkholz): Yes. Q: (David Waltermire): We have two methods of collection, SWIMA and YANG. Should we look at how to orchestrate across collection methods? Is that consistent with your thinking? A: (Henk Birkholz): It is. We need a lightweight orchestration mechanism across collection mechanisms. Comment (Adam Montville): We have many things like WMI, NETCONF, OVAL, etc. A: (David Waltermire): We have different ways to collect from a variety of devices. Evaluation, slide 9, Stephen Banghart Comment: (Stephen Banghart): Evaluation was identified as a standards gap from the hackathon. A language that describes a query/set of software like this software is greater than this or this. Comment: (Shiwetha Bihangdari) Would that also provide known good values? Comment: (Henk Birkholz): Yes. We have things like CoSWID to represent good measurements. These would be vendor supplied. Comment: (David Waltermire): NIST run the NVD which maps a vulnerability to a product. This mapping requires more complication mapping expressions that Banghart is describing. See if product 1.2 and operating system is on the device. We need to describe statements like this and represent VDD. It is also important to note that this solution will be agnostic to the mechanism that collected the data. Comment: (Dan Romanscanu): Given how the language is written, I have concerns about it approaching a formal languages specification and the complexity involved in doing so. Will it be extensible enough for each range of collected attributes? Will you be very specific about what will be included because we don't want it to get too complicated. Comment: (Frank Xia Lang): From this language, what standards work will result for interoperability? What scope do you want to cover with this language? Is it the current SACM work or maybe something beyond that. Comment: (Stephen Banghart): We'd like to see something like OVAL produced since it already does this type of evaluation. It should work for SACM first. If it extends to other WG, all the better. Comment: (Henk Birkholz): This can get very complicated. There is some similarity to I2NF capability model draft for capability information mode. They introduced the ECA model that a rule can be cascaded. John Strassner is a good expert for this and we should talk to him first and not try to reinvent the wheel. Comment (Stephen Banghart): I would like to see how this fills the hackathon gap. Comment (Henk Birkholz): Maybe we should have a virtual interim meeting that includes John. Comment: (Dan Romanscanu): It would be good to have a session with him. We need to separate between what describes the interface and how to do it. Comment (Stephen Banghart): Are you recommending that we have multiple standardization efforts and then pick one? Comment (Dan Romanscanu): No. We should start with the externally exposed layer and then go below. Comment: (Sheila Franklin): Creating a new language and interpreter is significant effort. Perhaps starting with prior work would help. Comment: (Stephen Banghart): We could start with OVAL. Perhaps the text should read that candidate solutions need to be found, new or otherwise. Make it clear that we will look at something. Comment: (Karen O'Donoghue): Let's not edit the text and be clear that a solution needs to be found (not made from scratch). Comment: (Kathleen Moriarty): You would have to really prove that something new is required. We have YANG, OVAL, etc. Something new is not something that I would like to see happen. Messaging, slide 10, Nancy Cam-Winget Comment (Nancy Cam-Winget): Messaging involves control plane capabilities, discovery, and orchestration. I think we have done sufficient work in this area, but, we need to figure out how we discover rules for evaluation, etc. All this work needs to be orchestrated and we need to deal with the timeliness of publish, subscribe, and query. From the data plane, we need to figure out a unified transfer mechanism to query in addition to publish and subscribe. We have a draft that discusses how XMPP applies MILE and we can do something similar for SACM. Comment: (Shiwetha Bihangdari): Is this going to be in the charter text? Would this text preclude a non XMPP protocols? Comment: (Nancy Cam-Winget): Not necessarily. If we use XMPP, we can include other protocols and data models in there. Comment (???): If I wanted to use existing technology would that be ok? Comment (Nancy Cam-Winget): Yes. In the hackathon, we just tried to show the push and pull model. Comment: (Kaarthik Sivakumar): Do you just want to integrate this? Is this defining transport or format? Comment: (Nancy Cam-Winget): This text is trying to demonstrate how XMPP could meet the SACM goals. Comment: (Frank ): You mentioned XMPP-Grid. Data and control plane were mentioned. The data plane appears to already be mentioned in the collection. Comment: (Nancy Cam-Winget): I am not suggesting a single protocol. We could have several. Comment (???): In the SACM work, I am still not clear what we can achieve. Comment (Nancy Cam-Winget): Not quite true. Part of the hackathon exercise, we showed how you can use network infrastructure. Henk provided a draft. We tried to show the applicability XMPP and YANG. Comment (Nancy Cam-Winget):... XMPP could assist in orchestration Comment: (Henk Birkholz): Data/control planes are not competitive. They are chained. Comment: (David Waltermire): For example, XMPP could be used to send something to a ROILE server which could then be made available for download. Q: (Jessica Fitzgerald-McKay): Would part of the messaging effort include defining a data model for messaging? A: (Nancy Cam-Winget): Yes. That would be for messaging people. We need to show how data models fit requirements. Comment: (Henk Birkholz): The new draft contains an experimental, very early data model, but, is a possible answer to your question. (Karen O'Donoghue): Based on this input, we'll revise the charter on the list. Comment: (Shiwetha Bihangdari): I don't see any charter text that points to how to collect known good values. (Karen O'Donoghue): I would like to see us have a narrow scope then move forward with next steps. 5a. SWIMA ========= presenter: Charles Schmidt slides: https://www.ietf.org/proceedings/99/slides/slides-99-sacm-swima-00.pdf draft: draft-ietf-sacm-nea-swima-patnc-00 Schmidt presented an update to changes made in the SWIMA draft based on document review and implementer feedback. Major changes included updating the title to be correct as well as a few optimizations to the protocol including record location, behavior when reporting an unavailable record, order of attribute fields and lengths, and software identifier algorithm for SWID tags. The update also included minor editorial changes. No comments or feedback were received on the list. Comment: (Stephen Banghart): We used this draft during the Hackathon and did not find any issues. Q: (David Waltermire): Will this be moved to WG last call? Q: (Karen O'Donoghue) How many have read this draft? A couple of people, in the room, raised their hands. Jess mentioned on Jabber that she read the document. Q: (Karen O'Donoghue) Does anyone not think we should move it to WGLC? [no one] 5.b. Terminology ================ presenter: Henk Birkholz slides: https://www.ietf.org/proceedings/99/slides/slides-99-sacm-terminology-00.pdf draft: draft-ietf-sacm-terminology-13 Birkholz presented an update to changes made in the terminology draft. Slide 2 Comment: (Kathleen Moriarty): TEEP is not yet a working group. Recommend not gating SACM work on them. Comment: (Henk Birkholz): Agreed. Comment: (Kathleen Moriarty): A terminology draft is abnormal and would better received by the IESG in another draft. Is there another document that this could be fit into? It could be an appendix or a terminology section. Comment: (Henk Birkholz): The old architecture would probably be the best place for this. We may end up creating a 100+ page document as well as include terms that exceed the document. Comment: (Kathleen Moriarty): No one reads the terminology document. You just reference it. It doesn't matter where it sits. I don't think it matters if the terminology is informational. Comment: (Stephen Banghart): I'd recommend moving this text into the architecture draft. Comment: (Kathleen Moriarty): I'd recommend waiting to publish the architecture until later so the terminology doesn't need to be updated. 5.c. CoSWID =========== presenter: Henk Birkholz slides: https://www.ietf.org/proceedings/99/slides/slides-99-sacm-coswid-00.pdf draft: draft-ietf-sacm-coswid-02 Birkholz presented an update to changes made in the COSWID draft. There was one issue mentioned that highlighted a discrepancy between the ISO specification and the XSD. Comment: (Karen O'Donoghue): Regarding the discrepancy, chairs determine consensus. You need to post question and get feedback. Then we will construct a question for consensus. Have people read this draft? A: (Henk Birkholz): Lots of people from ISO and the U.S. Government have read it. Comment (Karen O'Donoghue): We will get more feedback from the list. 6. ROLIE Software Descriptor Extension ====================================== presenter: Stephen Banghart slides: https://www.ietf.org/proceedings/99/slides/slides-99-sacm-rolie-and-software-extension-00.pdf draft: draft-banghart-sacm-rolie-softwaredescriptor-01 Banghart presented brief overview of ROLIE as well as an update to changes made in the ROILE Software Descriptor Extension draft which is being developed in MILE. 7. ROLIE Checklist Extension ============================ presenter: Bill Munyan slides: https://www.ietf.org/proceedings/99/slides/slides-99-sacm-rolie-checklist-information-type-00.pdf drafts: draft-mandm-sacm-rolie-configuration-checklist-00 Munyan presented an overview of the draft as well as next steps. Q: (Karen O'Donoghue): Would it be possible to have a new version of the draft before the next virtual interim meeting? A: (Bill Munyan): Yes. Comment: (Stephen Banghart): We could use this update for the IETF 100 Hackathon. We were also thinking of creating a template for creating ROLIE extensions. Comment: David Waltermire): We'd be interested in getting your help making a template. 8. TNC 2.0 Update ================= presenter: Charles Schmidt slides: https://www.ietf.org/proceedings/99/slides/slides-99-sacm-tnc-20-00.pdf Schmidt provided an update on the Trusted Network Communication Architecture v2.0 that will be published imminently. The key thing to note about the TNC 2.0 update is that it emphasizes that TNC is compose-able and you can pick and choose the components that you need. It also clarifies how it aligns with SACM. Specifically, TNC can be used to continuously assess an endpoint rather than just as a comply-to-connect solution. 9. Closing and Way Forward ========== presenters: chairs, Adam Montville and Karen O'Donoghue The chairs noted: ** A successful Hackathon to include the regular planning meeting ** Need more discussion on the mailing list to discuss the charter and work items ** One or two virtual interim meetings will be held before IETF 100 Comment: (Kathleen Moriarty): Please get the charter updated soon. The IESG has noted that the WG is past its expiration. Comment: (Adam Montville): How soon, is soon? Comment: (Kathleen Moriarty): By mid-September would be best. You may also want to remove milestone dates from the charter. WGs do not typically do this. Q: (Karen O'Donoghue): Would you prefer to see the charter narrowed to 3-5 documents? A: (Kathleen Moriarty): We should tie that to the WG. Comment: (Adam Montville): We can rely on the work item people to refine their text and work on the list over the next couple of weeks. Comment: (Karen O'Donoghue): Yes, updating elements of the charter can happen sooner. Comment: (Adam Montville): Thank you everyone for you work at the hackathon. Comment: (Kathleen Moriarty): Yes, this is a very positive thing for the WG.