IETF Logo Mail Archive

[sacm] FOR REVIEW: Vulnerability Assessment Scenario Issue #4 - Processing Vulnerability Description Information

"Haynes, Dan" <dhaynes@mitre.org> Wed, 18 May 2016 11:49 UTC

Return-Path: <dhaynes@mitre.org>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A0E6012D0EA for <sacm@ietfa.amsl.com>; Wed, 18 May 2016 04:49:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.625
X-Spam-Level:
X-Spam-Status: No, score=-5.625 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.426] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mitre.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dws3t7oUk1sE for <sacm@ietfa.amsl.com>; Wed, 18 May 2016 04:49:52 -0700 (PDT)
Received: from smtpvmsrv1.mitre.org (smtpvmsrv1.mitre.org [192.52.194.136]) by ietfa.amsl.com (Postfix) with ESMTP id 14BB012D110 for <sacm@ietf.org>; Wed, 18 May 2016 04:49:51 -0700 (PDT)
Received: from smtpvmsrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 99D166C01BD for <sacm@ietf.org>; Wed, 18 May 2016 07:49:50 -0400 (EDT)
Received: from imshyb01.MITRE.ORG (imshyb01.mitre.org [129.83.29.2]) by smtpvmsrv1.mitre.org (Postfix) with ESMTP id 86EE26C0167 for <sacm@ietf.org>; Wed, 18 May 2016 07:49:50 -0400 (EDT)
Received: from imshyb01.MITRE.ORG (129.83.29.2) by imshyb01.MITRE.ORG (129.83.29.2) with Microsoft SMTP Server (TLS) id 15.0.1130.7; Wed, 18 May 2016 07:49:50 -0400
Received: from gcc01-dm2-obe.outbound.protection.outlook.com (10.140.19.249) by imshyb01.MITRE.ORG (129.83.29.2) with Microsoft SMTP Server (TLS) id 15.0.1130.7 via Frontend Transport; Wed, 18 May 2016 07:49:49 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mitre.onmicrosoft.com; s=selector1-mitre-org; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=AK1cIQSTR0MfO/hGrvc6Bo8s2bBqIevUENggJJpguRc=; b=Oj/d4sUit+C8rt+gWtYVfcLlSd1cYnCc+8YH/AIrI7VEsnE5UnBnA3NFG54rDNdFqlwfc0snmYMoJ6sBLMXmMU3E8j5UxTjhR7P8NcVEfSX2er9xw4Ybm9aHhsHo6TCGxQqoz5kv5GyljVhPsXrovf+VNW+iiJJY8+RFjKbCkQc=
Received: from BY2PR09MB1078.namprd09.prod.outlook.com (10.166.116.10) by BY2PR09MB1077.namprd09.prod.outlook.com (10.166.116.9) with Microsoft SMTP Server (TLS) id 15.1.497.12; Wed, 18 May 2016 11:49:48 +0000
Received: from BY2PR09MB1078.namprd09.prod.outlook.com ([10.166.116.10]) by BY2PR09MB1078.namprd09.prod.outlook.com ([10.166.116.10]) with mapi id 15.01.0497.019; Wed, 18 May 2016 11:49:48 +0000
From: "Haynes, Dan" <dhaynes@mitre.org>
To: "sacm@ietf.org" <sacm@ietf.org>
Thread-Topic: FOR REVIEW: Vulnerability Assessment Scenario Issue #4 - Processing Vulnerability Description Information
Thread-Index: AdGw9u3Oq/kUu95ZSDejLasK2T+NEg==
Date: Wed, 18 May 2016 11:49:48 +0000
Message-ID: <BY2PR09MB10783B47DD473E171E6AD5C7A5490@BY2PR09MB1078.namprd09.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=mitre.org;
x-originating-ip: [192.160.51.87]
x-ms-office365-filtering-correlation-id: faec1dc6-3da5-4457-2b59-08d37f1283a2
x-microsoft-exchange-diagnostics: 1; BY2PR09MB1077; 5:BS4UCQWRWULLbfSnp+KAQ16X0yCNI5g0TQjn2ZwdxRvo6IVl/FRmggOuc4WUhBPAKkrndYW4cR1tfzISBJhH/KCRg7Tpp/WAlD/L6U1nM02r1iYWUQlPSD0XAh9vKovx+H9rzlXy69j1s8QEoJoqLQ==; 24:+Da5zHwDtgBC/t1DfTY6dbfnvJ0TbyZdQXWObdsKjZDspakVZtqm3RHNVN8fwzFWeh0MGW0p1vt8XZUs5KEbmLrqSBW+xB0vCSB7OesXpIo=; 7:TqNDAG8vgQvS4gC7TLRkkLQL1PcMC8a0dtIWPrxNbpCBu1d8tmvR9kAhzSiGv+8d5iXaFAIKn8lAzF6yfvuCQ5T+Y96d/bBe6ChXcApcEve9C80pk0pJxHiOblA3rAkzF9YzAguPoN5T43w62ljaWkwsVXlySSYgXFY9QQdW1z35fwab13CdyUcvSt6I+jhR
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR09MB1077;
x-microsoft-antispam-prvs: <BY2PR09MB1077CD0FE806E12B0764082DA5490@BY2PR09MB1077.namprd09.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001)(6055026); SRVR:BY2PR09MB1077; BCL:0; PCL:0; RULEID:; SRVR:BY2PR09MB1077;
x-forefront-prvs: 0946DC87A1
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(478694002)(5383002)(19300405004)(87936001)(5008740100001)(8676002)(5004730100002)(102836003)(6116002)(790700001)(1220700001)(15975445007)(81166006)(3660700001)(1730700003)(3846002)(107886002)(189998001)(110136002)(3280700002)(74316001)(11100500001)(77096005)(2900100001)(5003600100002)(76576001)(16236675004)(86362001)(19625215002)(2906002)(586003)(54356999)(5002640100001)(50986999)(9686002)(8936002)(450100001)(19617315012)(5640700001)(5630700001)(122556002)(92566002)(68736007)(229853001)(2501003)(19580395003)(33656002)(2351001)(66066001)(10400500002)(99286002); DIR:OUT; SFP:1101; SCL:1; SRVR:BY2PR09MB1077; H:BY2PR09MB1078.namprd09.prod.outlook.com; FPR:; SPF:None; MLV:ovrnspm; PTR:InfoNoRecords; LANG:en;
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BY2PR09MB10783B47DD473E171E6AD5C7A5490BY2PR09MB1078namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 May 2016 11:49:48.2078 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: c620dc48-1d50-4952-8b39-df4d54d74d82
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR09MB1077
X-OriginatorOrg: mitre.org
Archived-At: <http://mailarchive.ietf.org/arch/msg/sacm/egkY0IHx7NRILhGdzA58bgVtH0o>
Subject: [sacm] FOR REVIEW: Vulnerability Assessment Scenario Issue #4 - Processing Vulnerability Description Information
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 May 2016 11:49:57 -0000

During yesterday's virtual interim meeting, we discussed various open issues with respect to the Vulnerability Assessment Scenario [1] as a result of feedback that we received on the draft which you can see here [2][3].  The slide's from the meeting can be found here [4].

The fourth issue was around the use of about the processing of vulnerability description information.  Specifically, is the assumption that an enterprise receives vulnerability description information and processes it into a format usable by security tools the same as saying vulnerability description information can be processed into vulnerability detection data?  Furthermore, is this processing related to the assumption that an enterprise has a means of extracting endpoint information into a form that is compatible with the vulnerability description information?

At the meeting, this issue was mostly covered during the discussion around clarifying the definition of vulnerability detection data and the fact there seemed to be agreement around vulnerability detection data representing the instructions generated from the vulnerability description information that can then be used by enterprise security tools.  However, it was noted that we should make sure that the processing of vulnerability description information into vulnerability detection data is covered in the assumptions for the scenario.  Looking at the Vulnerability Assessment Scenario, I believe that this assumption is covered in the first bullet of the "Assumptions" section which states:

"The document begins with the assumption that the enterprise has received vulnerability description data, and that the data has
already been processed into a format that the enterprise's security software tools can understand and use.  In particular, this
document:

      *  Does not discuss how the enterprise identifies potentially
         relevant vulnerability description data.

      *  Does not discuss how the enterprise collects the vulnerability
         description data.

      *  Does not discuss how the enterprise assesses the authenticity
         of the vulnerability description data.

      *  Does not discuss parsing of the vulnerability description data
         into a usable format."

As a result, I think the way forward on this issue is to update the definition of "vulnerability detection data" to make it clear it is the format used by an enterprise's security tools as well as update references to a format that can be used by enterprise tool's to "vulnerability detection data".  We should probably also update the assumption that "The enterprise has a means of extracting relevant information about enterprise endpoints in a form that is compatible with the vulnerability description information" to "...that is compatible with the vulnerability detection data" since security tools will be leveraging vulnerability detection data to carry out assessments.

Does this seem like a reasonable approach for this issue?  Is there anything that I am missing?  If you have any thoughts on this issue, please provide feedback by May 31st.  We are planning to have an updated version of the scenario for June 8th.

Thanks,

Danny

[1] https://datatracker.ietf.org/doc/draft-coffin-sacm-vuln-scenario/
[2] https://github.com/sacmwg/vulnerability-scenario/pull/3
[3] https://www.ietf.org/mail-archive/web/sacm/current/msg03958.html
[4] https://datatracker.ietf.org/doc/slides-interim-2016-sacm-3-1/ (looks like the slides are not available just yet, but, I suspect they should be soon)

v2.23.0 | Report a Bug | By Email