SACM BoF -- Security Automation and Continuous Monitoring
Tuesday morning BoF
Chairs: Kathleen Moriarty & Dan Romascanu
Minutes taken by Paul Hoffman & Steve Hanna
Note: text from slides not reproduced

Intro by Kathleen
Work started by US govt, but want to transition to the IETF to develop with a broader perspective to meet the needs of the global community

Discussion on Use Cases -- draft-waltermire-sacm-use-cases-02
Adam Montville
Basic desire is to minimize loss
Mostly focused on security controls from security frameworks
What we're doing matches a typical control framework
Focused on "continuous monitoring"
Lots of different roles for the people in this domain
Three basic use cases:
  System state assessment
  Enforcement of state assessment for acceptability
  Continuous verification
State assessment also involves comparison of current values to policy
Might use a different external content repository
Asset identification, discovery and classification
Gene (Jim?) Golovinsky: Is the goal to define languages?
Adam: We will need to do all of those, but scope is not fully known
Enforcement of accepted state
Compliance is a range, not only a binary state
Security control verification and monitoring
Defining assessment triggers: not as well defined
Need to define protocols and data interfaces
Some are already defined by other organizations
Charts with requirements of what the work needs
We already have many of the items, but definitely not all
Sean Mullen: Can this be simplified?
Adam: That's the purpose of the WG
Internationally, there are lots of requirements; the US has a smaller set of requirements
Need to figure out what to focus on
Dave Waltermire: Use case 1 is the foundation of the other use cases
Gene: Does this apply to virtual devices?
Adam: Mobile devices and virtual devices are assets
Mike Boyle: Networking equipment and routers are assets?
Adam: Yes

Presentations on drafts to support use cases

Asset Identification Draft -- draft-montville-sacm-asset-identification-00
Adam Montville
Translation of a NIST document into IETF format
Might need to specify "this hardware device"
Sean: Is NIST planning to stop publishing specs and throw it to the IETF?
Dave: Yes.
Just IT assets, including "information"
Might want to do more than identify assets; also characterize
Dave: Relationships associate an asset with a property
Assets are nouns and relationships between them are verbs.
Mike: What are scanners?
Adam: Conceptual thing that hasn't been
Eric Vincke: Why is this IPv4-specific?
Adam: The draft needs work
You should support IPv6 and multiple IP addresses per endpoint.
Alan Dekok: What about knowing where the thing is? Is more concerned about that than ownership. How does this overlap with IFMAP?
Adam: There is a lot of overlap.
Sean M: Who puts in all that detail? Can it be automated?
Adam: Yes.
Dave: Data can be added from a variety of sources. Part of the use case is to address the IFMAP types.
Nancy Cam-Winget: Is this only for IP-based assets?
Adam: No. We already have person assets

Continuous Assessment Protocol Draft -- draft-hanna-sacm-assessment-protocols
Steve Hanna
Shows the NEA reference model
Layered architecture
These are already standardized
NEA was originally developed by the Trusted Computing Group as TNC
Has multiple transports:
  EAP good for wireless access points
  TLS transport good for when you have an IP address
TNC now has "SCAP messages for IF-M"
SCAP can be used for SACM
Sean Turner asked "What are IF-M and SCAP? How do they relate?"
Steve explained that IF-M is the TCG's name for PA-TNC. SCAP is a suite of standards that can be carried over IF-M.

Assets Summary Reporting -- draft-davidson-sacm-asr-00
Dave Waltermire
"Pages" are sections of rows
Supports pagination
Carries structured data for use case 1
Can help validate the tables
Rich Struse: Patterns are useful for other languages?
Dave: Yes
Sean M: How does the database get populated?
Dave: Could be a data gathering exercise
Wants to work with both SACM and MILE for use cases
If the IETF takes this over, NIST would stop working on it.

Content Repository Protocols -- draft-waltermire-content-repository
Dave Waltermire
Content is largely being distributed in ad hoc ways
This makes it hard to reuse content
Lots of requirements that are typical for databases
Useful across many IETF efforts (and others)
Might be combined with ROLIE in MILE
Kent Landfield: Vendors are not as interested in silos and thus a content repository is needed
Will be co-editor
So will Sean M
Allan (?): Is this also for service providers?
Dave: Yes
Scale is needed in an SP environment.
Dave: Needs to hear requirements
Steve: Notes that the charter is limited to enterprise
Alan: Wants more about security
Audit-ability needed, both for access and changes

Vulnerability Model -- draft-booth-sacm-vuln-model-00.txt
Dave Waltermire
Pluggable model for scoring
CPE is owned by NIST, CVSS is published by FIRST

Feedback and Discussions
JSON might be used in future
Allan: Does "state" mean current or over time?
Adam: Could mean both
Allan: Would make content repository very large
Dave: Things like IFMAP can be used with this, but don't have to be part of it
Steve: "Security automation" means different things to different people
  We need to make a clear local definition
Tony Rutkowski: All answers to tough questions are "emphatic yes"
  Good group of people here
  3GPP has a group called SECAM doing this today
Gene: Leaving service providers out of the discussion is so last century
Steve: IETF is the right place for this work, with TCG having some role
  Narrowing down the use cases to the three in the current document is essential
  IFMAP is adjacent to this space, and is not core to our use cases
  Set aside real-time dynamic effort
Sean M: Supports this work
  Content feeds need to be consumable and producible by all devices
Sean Turner: concerned about whether product vendors are willing to have us assess their devices. He's interested in knowing which specifications are owned by which owners and whether those owners are willing to donate the specifications to IETF and let us have change control. For the content repository, we should consider using existing application protocols. And he pointed out that there are privacy concerns for service provider use cases.
Paul: Need to think about which area in the IETF would take this
Kathleen: Supports the work and the need for service providers
  Other places reference the NIST documents, but aren't necessarily doing the work
Kent: described the letter that 15 vendors sent to the U.S. Government agencies that control the SCAP specifications and the positive response that was received.
Sean Mullen: Open Group security forum very much supports this
  Will help with this effort
  We're too splintered
Steve: TCG has been supportive
Hannes Tschofenig: Asked about operators again
Rich Struse: said that DHS is generally supportive of this effort but that there is no firm commitment to donate specs.
  No specific groups or dates
Mike Boyle: Same for NSA
  Asset ID is a small add-on to NEA
  Some can be done in MILE
  Would TCG want to hand off IF-MAP?
Steve: Not the right time, are working on a major revision
Tim Polk: NIST and maybe NSA said the time was right to transfer to an SDO
  Industry must pick which SDO to give to
Rich Struse: Is not aware of any letter that was in specific response to the letter that Kent sent
Mike Boyle: Same as Tim
  Wants to be sure that there is also buy-in outside the SCAP community
  Has a bit more confidence from this session
Danny McPherson: If the IETF is a natural place for this, that would be fine
  Doesn't want to constrain this to other people's view of security assessment

Tough Questions
Dan Romascanu brought up the Tough Questions slide and started running some consensus checks using hums.
  Do we understand the problem space? ~80/20; Dan reported a consensus for Yes.
  Do we need standards? 100 in favor reported by Dan.
  Is the IETF the right place? ~90/10; Dan reported strong consensus for Yes.
  Is a new WG the right place to do part of the work? ~80/20; Dan reported a rough consensus for Yes.
Barbara Fraser: Wants more about problem space first
Danny: supports this
Allan: supports this
  Ask what's wrong with current tools
How many people are interested to actively work on this?
  Actively contribute as editors: ~10
  Active reviewers: 17-20

Charter review and scope of work
Sean Turner: We should focus on protocol more than schema
Sean Mullen: Enterprises want to have policy at a high descriptive level
Adam M: We started bottom up, but we want to also do top down and meet in the middle
Kathleen M: We don't need to take in all the current work that has been done
Danny M: We have a lot of specifying without knowing the problem space and use case
Dave W: Our first task is to figure out the overall approach
Steve H: Need an architecture and use cases before we figure out what goes into each phase.
  Having ways to layer the content on top of NEA should be in Phase 1
Nancy C-W: Really helpful to know architecture and our dependencies
Steve H: Fine line between data format and schemas; should be in this WG

*Scope & Charter*
There seemed to be general agreement that we need to get architecture and requirements early on. Then we can figure out what we need to do first. We'll discuss this on the list.