Re: [Cacao] Updated Charter version 03

Bret Jordan <jordan.ietf@gmail.com> Sun, 10 March 2019 21:50 UTC

From: Bret Jordan <jordan.ietf@gmail.com>
Message-Id: <7B409541-B46D-452C-A3E8-C46CC981F798@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_059546DE-37F2-4CEA-A57B-0B4824040619"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Sun, 10 Mar 2019 15:50:16 -0600
In-Reply-To: <AFE9DA48-DA60-4B87-B74E-342BDE97C7F2@lookingglasscyber.com>
Cc: Qin Wu <bill.wu@huawei.com>, "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, "cacao@ietf.org" <cacao@ietf.org>, JACQUENET Christian TGI/OLN <christian.jacquenet@orange.com>
To: Allan Thomson <athomson@lookingglasscyber.com>
References: <B8F9A780D330094D99AF023C5877DABA9B2CB3E8@nkgeml513-mbx.china.huawei.com> <AFE9DA48-DA60-4B87-B74E-342BDE97C7F2@lookingglasscyber.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cacao/I4Wm6NamRDhWYWV2F8-JBazU224>
Subject: Re: [Cacao] Updated Charter version 03
List-Id: Collaborative Automated Course of Action Operations <cacao.ietf.org>

All,

Thanks for your comments.  Let me try and summarize things from my standpoint.  

1) This work is a very ambitious effort that requires that we try and implement and automate what is done today with playbooks in a SoC so that we can have a positive impact on cyber defense. 

2) Playbooks for cyber defense are in active use in nearly every modern SoC today. Yes, playbooks and run books are used for other things outside of the cyber domain, but from my standpoint, those other domains are out-of-scope for this project. So physical security, threat actor behavior, IT process, etc. are all out of scope.

3) I would hope that we could crawl, walk, jog, and then run.  Meaning, I would like to get a basic JSON data model in place within the next 6-9 months and start working on vendor integrations. If we try and boil the ocean and do everything in the first version of the standard, the industry will just pass us by and do their own thing.  We have a very narrow window to standardize this effort either here in the IETF or in another SDO.  If we miss this opportunity, then cyber defense will be stuck with multiple solutions that do not enable interoperability or rapid scalable defense. This means we will once again take a back seat to threat actors and intrusion sets.  So let's please try and avoid word-smithing things to death and bike shedding this work to prevent it from being successful.  Ask yourself, what do you fundamentally need for your SoC to make this work?  If you are a vendor, what do you need to make this integrate with your solutions?

4) I know some here in the IETF have a hard time with the term “cyber”. But it is a real thing and very well understood in the industry. To put that in context, there is about 180 billion dollars a year spent on cyber defense and millions of individuals that work in the space.

5) Yes, some technologies or concepts span between both cyber and physical security, but for the sake of this work, we are limiting this to cyber and not dealing with physical security. For example, data security and its child information security can span both cyber and physical security. But we are only focused on the playbooks that are needed today for cyber defense. How organizations deal with physical security and what they do to ensure that does not need to be automated in vendor tools to respond at the time scale of threat actors and intrusion sets.


Thanks,
Bret
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."