Re: [sacm] Component Communication Sequence (Was - Re: Components for Vulnerability Assessment)

"Haynes, Dan" <dhaynes@mitre.org> Fri, 19 May 2017 13:13 UTC

From: "Haynes, Dan" <dhaynes@mitre.org>
To: Adam Montville <adam.w.montville@gmail.com>, Jerome Athias <jerome.athias@protonmail.com>
CC: "sacm@ietf.org" <sacm@ietf.org>
Date: Fri, 19 May 2017 13:07:00 +0000
Message-ID: <DM5PR09MB1354DE08127393031FFC9F86A5E50@DM5PR09MB1354.namprd09.prod.outlook.com>
In-Reply-To: <CACknUNW7+y6c93y5UNgEVs69sdf6PK7rRpHw-F7GhFanZCFXFQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/Emcs0ZAVu6bFWcTYsJj3jX4SKpo>
Subject: Re: [sacm] Component Communication Sequence (Was - Re: Components for Vulnerability Assessment)
List-Id: SACM WG mail list <sacm.ietf.org>

Yeah, I can update it next week.

Thanks,

Danny

From: Adam Montville [mailto:adam.w.montville@gmail.com]
Sent: Wednesday, May 17, 2017 4:21 PM
To: Haynes, Dan <dhaynes@mitre.org>; Jerome Athias <jerome.athias@protonmail.com>
Cc: sacm@ietf.org
Subject: Re: [sacm] Component Communication Sequence (Was - Re: Components for Vulnerability Assessment)

Yes, I think so. Any chance you can update?
On Wed, May 17, 2017 at 10:35 AM Haynes, Dan <dhaynes@mitre.org> wrote:
Maybe this should be noted in the wiki somewhere?

Thanks,

Danny

From: sacm [mailto:sacm-bounces@ietf.org] On Behalf Of Adam Montville
Sent: Wednesday, May 03, 2017 4:46 PM
To: Jerome Athias <jerome.athias@protonmail.com>
Cc: sacm@ietf.org
Subject: Re: [sacm] Component Communication Sequence (Was - Re: Components for Vulnerability Assessment)

That seems like it could be a reasonable optimization, provided the VDI had enough information and structure. I'm not sure they always do, and I would suspect that some organizations just take a look at what's been defined in, say, the OVAL repository (a VDD source) and work optimizations from there.

Other thoughts?


On Wed, May 3, 2017 at 2:06 AM Jerome Athias <jerome.athias@protonmail.com> wrote:
Hi,

For now what is unclear for me is when/where it is determined that a VDI/VDD is interesting for me (applies to my endpoints).

For example:
I am retrieving the latest CVE content from NVD every day.
Option 1: (apparently the current one) each new CVE/VDI is transformed and inserted in the VDD repository, which will trigger the flow. So for each and every CVE, I would enter the flow, and it will get/evaluate whether I have endpoints that need to be evaluated before the assessment. - Not optimized, because there are more vulnerabilities released -not- affecting my endpoints than applicable ones.

Option 2: (the one I'm using) each new CVE/VDI is evaluated by my Endpoint Manager (asset inventory/portfolio/CMDB) and ONLY IF it is relevant, it will be transformed and inserted in the VDD repository, which will trigger the flow. - More optimized: I will just assess what is relevant.

Note that #2 could be assumed to be done up front, but imho it would be nice to mention it.


Would this make sense?

Best regards

-------- Original Message --------
Subject: [sacm] Component Communication Sequence (Was - Re: Components for Vulnerability Assessment)
Local Time: May 3, 2017 12:42 AM
UTC Time: May 2, 2017 9:42 PM
From: adam.w.montville@gmail.com
To: sacm@ietf.org <sacm@ietf.org>

Has anyone had time to take a look at the communication sequence here? I know we've not yet completely settled on goals, but I feel like we should still be able to have this discussion as well.

Thanks for your time.

Adam

On Fri, Apr 21, 2017 at 8:00 AM Adam Montville <adam.w.montville@gmail.com> wrote:
Hello Everyone,

After some discussion on this topic, I feel like we've got no real objection to this proposed list of components. As such, this brings us back to the second version of the sequence diagram that some of us were working with not too long ago (see attached PDF vector diagram).

Given that set of components, we can now start talking about the expected communications between them in an ideal case through the system. Remember that the VDI (vulnerability information) is assumed to have been transformed and placed into the VDD (vulnerability detection) Repository. I've numbered the flows in the attached sequence diagram to show the proposed order and so that we can talk about each flow by that number.

Does this flow feel right to everyone on the list? What needs to be different? What alternate flows may exist for the basic case of checking inventory against a new vulnerability?

Let's carry this discussion on for a week or so. (Do we need longer?)

Kind regards,

Adam

On Tue, Apr 18, 2017 at 8:03 AM Adam Montville <adam.w.montville@gmail.com> wrote:
Hi All:

We've got a list of components we think we care about for our vulnerability assessment scenario (focusing on the narrowest "ideal case" through the scenario for the time being).

These are:

* Vulnerability Detection Data Repository
* Vulnerability Assessor
* Endpoint Repository
* Collector
* Target Endpoint
* Assessment Results Repository

For reference, see our wiki [1] and/or the slides from IETF 98 [2] and/or the minutes from IETF 98 [3].

Question to the WG: Is this an appropriate initial list of components?

Please opine within the next few days (say by end of your day on Thursday, wherever you may be), so that we can generate some momentum on this effort.

Kind regards,

Adam

[1] https://trac.ietf.org/trac/sacm/wiki/SacmVulnerabilityAssessmentScenario
[2] https://www.ietf.org/proceedings/98/slides/slides-98-sacm-vulnerability-scenario-discussion-00.pdf
[3] https://www.ietf.org/proceedings/98/minutes/minutes-98-sacm-00.txt
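As an added illustration, not part of the thread above and not SACM WG code, the following toy Python model puts Adam's component list and Jerome's two ingestion options side by side: Option 1 inserts every incoming VDI into the VDD repository and lets the triggered flow discover that most of it applies to no endpoint, while Option 2 consults the endpoint inventory first and inserts only relevant VDI. It also models Adam's caveat that a VDI without enough structure cannot be pre-filtered, so such entries fall back to Option 1 behaviour. Component names follow the list in the thread; the internal ordering of the flow, the VDI/VDD record shapes, the endpoint inventory and the CVE ids (placeholders, not real CVEs) are constructed assumptions, and the product/version comparison stands in for real CPE matching.

```python
# Added example: toy model of the vulnerability-assessment flow discussed
# in the thread. All data and component behaviour below are constructed
# assumptions for illustration; CVE ids are placeholders, not real CVEs.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class VDI:
    """Vulnerability Detection Information as received from a feed (e.g. NVD).
    Assumption: versions strictly below fixed_in are affected. product/fixed_in
    of None models a VDI that lacks the structure needed for pre-filtering."""
    cve_id: str
    product: Optional[str]
    fixed_in: Optional[str]


@dataclass(frozen=True)
class Endpoint:
    name: str
    installed: Tuple[Tuple[str, str], ...]  # (product, version) pairs


def version_lt(a: str, b: str) -> bool:
    """Dotted numeric version compare; assumes all components are integers."""
    return tuple(int(x) for x in a.split(".")) < tuple(int(x) for x in b.split("."))


class EndpointRepository:
    """Asset inventory (Jerome's 'Endpoint Manager' / CMDB role)."""
    def __init__(self, endpoints):
        self.endpoints = list(endpoints)

    def affected_by(self, product: Optional[str], fixed_in: Optional[str]) -> List[str]:
        """Names of endpoints running an affected version of product."""
        if product is None or fixed_in is None:
            return []  # nothing to match on
        return [ep.name for ep in self.endpoints
                if any(p == product and version_lt(v, fixed_in) for p, v in ep.installed)]


class VDDRepository:
    """Vulnerability Detection Data repository; every insert triggers the flow."""
    def __init__(self):
        self.items = []
        self.flow_triggers = 0

    def insert(self, vdd: dict) -> None:
        self.items.append(vdd)
        self.flow_triggers += 1


def transform(vdi: VDI) -> dict:
    """VDI -> VDD: the detection rule the Vulnerability Assessor will apply."""
    return {"cve_id": vdi.cve_id, "check": (vdi.product, vdi.fixed_in)}


def run_option1(feed, ep_repo):
    """Option 1: every VDI enters the VDD repository; the triggered flow then
    asks the Endpoint Repository whether any endpoint needs assessing."""
    vdd_repo, results = VDDRepository(), []
    for vdi in feed:
        vdd_repo.insert(transform(vdi))
        results.append((vdi.cve_id, ep_repo.affected_by(vdi.product, vdi.fixed_in)))
    return vdd_repo.flow_triggers, results


def run_option2(feed, ep_repo):
    """Option 2: the Endpoint Manager filters VDI up front; only relevant VDI is
    transformed and inserted. Unstructured VDI cannot be filtered and is
    inserted anyway (falls back to Option 1 for that entry)."""
    vdd_repo, results = VDDRepository(), []
    for vdi in feed:
        structured = vdi.product is not None and vdi.fixed_in is not None
        targets = ep_repo.affected_by(vdi.product, vdi.fixed_in) if structured else []
        if structured and not targets:
            continue  # known to be inapplicable: never enters the flow
        vdd_repo.insert(transform(vdi))
        results.append((vdi.cve_id, targets))
    return vdd_repo.flow_triggers, results


# Constructed inventory and feed (placeholder ids, not real CVEs).
ENDPOINTS = EndpointRepository([
    Endpoint("web01", (("openssl", "1.0.1"), ("nginx", "1.12.0"))),
    Endpoint("db01", (("postgresql", "9.6.1"),)),
    Endpoint("ws01", (("openssl", "1.1.0"),)),
])
FEED = [
    VDI("CVE-0000-0001", "openssl", "1.0.2"),     # web01 affected, ws01 not
    VDI("CVE-0000-0002", "exim", "4.90"),         # product not deployed
    VDI("CVE-0000-0003", "postgresql", "9.6.3"),  # db01 affected
    VDI("CVE-0000-0004", "wordpress", "4.8"),     # product not deployed
    VDI("CVE-0000-0005", "nginx", "1.11.0"),      # deployed, but already fixed
    VDI("CVE-0000-0006", None, None),             # unstructured VDI
]


def compare(feed=FEED, ep_repo=ENDPOINTS) -> dict:
    """Summarise how much work each option pushes into the flow."""
    t1, r1 = run_option1(feed, ep_repo)
    t2, r2 = run_option2(feed, ep_repo)
    return {
        "option1_triggers": t1,
        "option1_empty_assessments": sum(1 for _, targets in r1 if not targets),
        "option2_triggers": t2,
        "option2_cves": [cve for cve, _ in r2],
    }


if __name__ == "__main__":
    print(compare())
```

With the constructed feed, Option 1 triggers the flow six times and four of those assessments find no endpoint at all, while Option 2 triggers it three times: the two applicable CVEs plus the unstructured entry that, per Adam's caveat, could not be filtered and so gets the Option 1 treatment.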