IETF Logo Mail Archive

Re: [sacm] FOR REVIEW: Vulnerability Assessment Scenario Issue #5 - Change Detection with an Endpoint Management Capability

Adam Montville <adam.w.montville@gmail.com> Sat, 18 June 2016 17:35 UTC

Return-Path: <adam.w.montville@gmail.com>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1384112D7D7 for <sacm@ietfa.amsl.com>; Sat, 18 Jun 2016 10:35:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mQ884oXIocHh for <sacm@ietfa.amsl.com>; Sat, 18 Jun 2016 10:35:50 -0700 (PDT)
Received: from mail-oi0-x22c.google.com (mail-oi0-x22c.google.com [IPv6:2607:f8b0:4003:c06::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4DA2D12D760 for <sacm@ietf.org>; Sat, 18 Jun 2016 10:35:50 -0700 (PDT)
Received: by mail-oi0-x22c.google.com with SMTP id d132so158858912oig.1 for <sacm@ietf.org>; Sat, 18 Jun 2016 10:35:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:mime-version:from:in-reply-to:date:cc:message-id:references :to; bh=NsVHCsAlnTen1I8O6tyWd1u74vGwVBIfpq16jdd9PaY=; b=BuZDR57oNs0lpHgsZ72K+E5LvaWP2He/8PSXXGx39QQEeL+UmZRZ5dqbHHUMwVM8vx Z4BIljZYMGIj/2vIvW7Um3yO3tGxMfgFYsu4WPoULwDrWSLMO7RqfAiWvCzXEK68D2FJ KgMNPSvJ2VTdac2WVFJOIvFhjTMWdRZjS36JbBxug0bkryPBP9jCX9RIAb/St2eSrfzs ZvBln6e245spBrLntENxqgNVb/+8VMkzimmPX79+Njd/COAnYeiHZwh/9yUv9QHc867v JAOdzgh7GYV4h63npAhCTaEbptzUGGE34Kl5DOh18G5Corqj8EWqRa6FLp4QHoQ5hmFB cqgA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:mime-version:from:in-reply-to:date:cc :message-id:references:to; bh=NsVHCsAlnTen1I8O6tyWd1u74vGwVBIfpq16jdd9PaY=; b=Og0aSBDrlMtcE7GWFi5IZX/JRREZTMPZ/7d5nbeIoxWN4ZjDmLnK2fyGVjLho4IlJV hfKz5F+kQDa2TNVaJ0+o1viCtKvOIiy31TPKyNNIy3y3qW98dTwywKpljJhMkUXqykSl GSpOreJ0doMZV+afArJ86uxTaM3CpCLIcPx+rNA3ELW6RtATIbOYIur7CbQTIp1o7EkD XXhpPS6BGBdqyFhUb4SfdgVjH7hI9klkIcY7RGEqc2xptIhtnKmgXtYadsdG1OQCSLle eP2kdV3QkY5x/CO1DWCpzXOb0q0KshD1ZZxzOoR89xtk1a8R+D9z+cdAmYyGSY6g5ohb LepA==
X-Gm-Message-State: ALyK8tJXVUPyttnWPfi8bTOMKwHUYUuX8jHCDCcs69Co4tPnzH6GEKXoQ2y0obZjM/Kgfw==
X-Received: by 10.157.37.109 with SMTP id j42mr5163573otd.45.1466271349452; Sat, 18 Jun 2016 10:35:49 -0700 (PDT)
Received: from adams-mbp.attlocal.net (99-64-100-131.lightspeed.austtx.sbcglobal.net. [99.64.100.131]) by smtp.gmail.com with ESMTPSA id v63sm9371131ota.41.2016.06.18.10.35.46 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Sat, 18 Jun 2016 10:35:47 -0700 (PDT)
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Content-Type: multipart/signed; boundary="Apple-Mail=_5446BBD5-F092-4403-AF93-D9314E86C3FA"; protocol="application/pgp-signature"; micalg="pgp-sha512"
X-Pgp-Agent: GPGMail 2.6b2
From: Adam Montville <adam.w.montville@gmail.com>
In-Reply-To: <CAN40gSuZ1+6-psCOEcbq-iDrOz2iReKLxmRv5QAkYNLx2FtwEw@mail.gmail.com>
Date: Sat, 18 Jun 2016 12:35:42 -0500
Message-Id: <F7FF0658-85D0-4FF6-B477-9C988E2912FA@gmail.com>
References: <BY2PR09MB107855437DBFE3B22987B6A0A5490@BY2PR09MB1078.namprd09.prod.outlook.com> <CAA=AuEe8VpnAKZ7u5NMpK5O4qU8JWnoJsqTRhP9KjbC8bgACpQ@mail.gmail.com> <BY2PR09MB107834DEC2DE93DC7495740CA55D0@BY2PR09MB1078.namprd09.prod.outlook.com> <CAA=AuEfUJeUfmQ00pC1x1Pdtbog=qkfk=Lzyp6DpR4OKW4NPAA@mail.gmail.com> <BY2PR09MB1078CAB1881C9EF7E1106407A5560@BY2PR09MB1078.namprd09.prod.outlook.com> <69E56E0A-36E1-4529-B192-EDE4AE58E4DD@gmail.com> <CAN40gSuZ1+6-psCOEcbq-iDrOz2iReKLxmRv5QAkYNLx2FtwEw@mail.gmail.com>
To: Ira McDonald <blueroofmusic@gmail.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/JVrA5e4ZZ5-kG6Zatk5ON9P3Tc0>
Cc: Jerome Athias <athiasjerome@gmail.com>, "Haynes, Dan" <dhaynes@mitre.org>, "sacm@ietf.org" <sacm@ietf.org>
Subject: Re: [sacm] FOR REVIEW: Vulnerability Assessment Scenario Issue #5 - Change Detection with an Endpoint Management Capability
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Jun 2016 17:35:54 -0000

My concern does not stem from using the prefix “pre”, as much as it is about the definition of the term assessment and how we’re using pre-assessment often, which turns into “collecting before the process of collecting”, which is confusing at best.

The situation we are looking at feels very much like a cache miss.  We look for some information in one place and don’t find it, so we have to go fetch it from somewhere else.



> On Jun 18, 2016, at 8:41 AM, Ira McDonald <blueroofmusic@gmail.com> wrote:
> 
> Hi,
> 
> I share Adam's distaste for "pre-" anything.
> 
> Perhaps "external collection" - defined as simply using any non-SACM
> protocol to forward endpoint posture to a SACM Collector (in this case,
> e.g., a NEA Server)?
> 
> Cheers,
> - Ira
> 
> 
> Ira McDonald (Musician / Software Architect)
> Co-Chair - TCG Trusted Mobility Solutions WG
> Chair - Linux Foundation Open Printing WG
> Secretary - IEEE-ISTO Printer Working Group
> Co-Chair - IEEE-ISTO PWG Internet Printing Protocol WG
> IETF Designated Expert - IPP & Printer MIB
> Blue Roof Music / High North Inc
> http://sites.google.com/site/blueroofmusic <http://sites.google.com/site/blueroofmusic>
> http://sites.google.com/site/highnorthinc <http://sites.google.com/site/highnorthinc>
> mailto: blueroofmusic@gmail.com <mailto:blueroofmusic@gmail.com>
> Winter  579 Park Place  Saline, MI  48176  734-944-0094
> Summer  PO Box 221  Grand Marais, MI 49839  906-494-2434
> 
> 
> On Fri, Jun 17, 2016 at 6:14 PM, Adam Montville <adam.w.montville@gmail.com <mailto:adam.w.montville@gmail.com>>
> wrote:
> 
>> I really don’t want to be the one to bring this up, but are we forgetting
>> our definition of “assessment”?  We borrow, and expand upon, the term from
>> RFC5209.  Here’s what our terminology draft says:
>> 
>> Assessment: Defined in [RFC5209] as “the process of collecting posture for
>> a set of capabilities on the endpoint (e.g. host-based firewall) such that
>> the appropriate validators may evaluate the posture against compliance
>> policy.”  Within SACM the use of the term is expanded to support other uses
>> of collected posture (e.g. reporting, network enforcement, vulnerability
>> detection, license management).  The phrase “set of capabilities on the
>> endpoint” includes: hardware and software installed on the endpoint.
>> 
>> But, in the text proposed, and in general, we are talking about collection
>> in the context of *pre*-assessment.  So, a collection before “the process
>> of collecting posture…”, which seems off to me.
>> 
>> Do we really mean to say, pre-evaluation?  Or, do we need “pre” anything?
>> There is data available at the time of evaluation or there is not.  If
>> there is not, we go grab it, or indicate that it needs to be grabbed during
>> the next collection opportunity, and we indicate whether it’s something we
>> need to grab all the time, or just this once.
>> 
>> Thoughts?
>> 
>> Adam
>> 
>> 
>> 
>> On Jun 16, 2016, at 12:15 PM, Haynes, Dan <dhaynes@mitre.org> wrote:
>> 
>> Off list, I received a suggested update to this text from Charles.  I was
>> hoping to discuss it at yesterday’s virtual interim meeting, however, I ran
>> out of time.  As a result, I would like to propose the updated text as it
>> seemed clearer and more concise than what I had proposed, but, says the
>> same thing.
>> 
>> The new text would read as follows (based on the updated draft posted on
>> 6/8/16 [1]).
>> 
>> "Supplemental collection of endpoint information for the purposes of…Over
>> time, some new pieces of information that are needed during common types of
>> assessments might be identified. Pre-assessment collection can be
>> reconfigured to have this information delivered automatically. This avoids
>> the need for regular supplemental collections to gather this information
>> during assessments, streamlining the assessment process. Likewise, it might
>> be observed that certain information delivered during pre-assessment
>> collection is rarely used. In this case, it might be useful to stop
>> pre-assessment collection of this information to reduce network and
>> processing overhead. Instead, supplemental collection can be used to gather
>> this data on the rare occasions when it is needed."
>> 
>> Please let me know your thoughts on this proposed text by Tuesday July 21
>> st.
>> 
>> Thanks,
>> 
>> Danny
>> 
>> [1] https://www.ietf.org/id/draft-ietf-sacm-vuln-scenario-00.txt
>> 
>> 
>> 
>> *From:* Jerome Athias [mailto:athiasjerome@gmail.com
>> <athiasjerome@gmail.com <mailto:athiasjerome@gmail.com>>]
>> *Sent:* Tuesday, June 07, 2016 12:08 AM
>> *To:* Haynes, Dan <dhaynes@mitre.org>
>> *Cc:* sacm@ietf.org
>> *Subject:* Re: [sacm] FOR REVIEW: Vulnerability Assessment Scenario Issue
>> #5 - Change Detection with an Endpoint Management Capability
>> 
>> This rewrite is imho better
>> Thanks
>> 
>> On Tuesday, 7 June 2016, Haynes, Dan <dhaynes@mitre.org> wrote:
>> 
>> Based on the feedback, would the following rewrite of the paragraph help
>> clarify things?
>> 
>> "In many cases, the endpoint information...Under certain deployment
>> scenarios, as
>> the vulnerability management capability processes vulnerability detection
>> data over
>> time, the endpoint management capability may learn about additional
>> detection
>> information that it was previously not collecting and push that
>> information to the
>> vulnerability management capability where it can support future
>> assessments. The
>> pushing of this data may potentially be driven by some trigger (e.g.,
>> change
>> in software inventory, policy, network connectivity status, etc.)."
>> 
>> While this potentially creates a coupling between the vulnerability
>> management capability and the endpoint management capability, as written, I
>> think it will be left to the implementer of those capabilities to decide.
>> I think the point is just that you could do something like this to improve
>> the vulnerability assessment.
>> 
>> If we still don't have consensus on this, another approach might be to
>> just remove this text all together as I don't think doing so would preclude
>> an implementer from supporting functionality like this in their product.
>> 
>> Thoughts?
>> 
>> Thanks,
>> 
>> Danny
>> 
>>> -----Original Message-----
>>> From: Jerome Athias [mailto:athiasjerome@gmail.com]
>>> Sent: Saturday, June 04, 2016 2:49 AM
>>> To: Haynes, Dan <dhaynes@mitre.org>
>>> Cc: sacm@ietf.org
>>> Subject: Re: [sacm] FOR REVIEW: Vulnerability Assessment Scenario Issue
>> #5
>>> - Change Detection with an Endpoint Management Capability
>>> 
>>> While the scenario provided by Adam is valid, if your concern is that
>> "the
>>> information beyond that" would be "supplemental endpoint
>>> information":
>>> I don't see a scenario where an endpoint management capability would have
>>> to push -supplemental- information to the vulnerability assessment
>>> capability (what would the vulnerability assessment capability do with
>>> 'unknown' additional information)
>>> 
>>> So I think the issue is to change "the information beyond that" to
>> something
>>> like "the updated information"
>>> 
>>> 
>>> 
>>> 2016-05-18 16:15 GMT+03:00 Haynes, Dan <dhaynes@mitre.org>:
>>>> During yesterday’s virtual interim meeting, we discussed various open
>>>> issues with respect to the Vulnerability Assessment Scenario [1] as a
>>>> result of feedback that we received on the draft which you can see
>>>> here [2][3].  The slide’s from the meeting can be found here [4].
>>>> 
>>>> 
>>>> 
>>>> One issue that we didn’t have a chance to discuss because we ran out
>>>> of time was whether or not an endpoint management capability has the
>>>> ability to push supplemental endpoint information to the vulnerability
>>>> assessment capability.  This question came out of a review of the
>>>> following text from the Vulnerability Assessment Scenario
>> (specifically the
>>> last sentence).
>>>> 
>>>> 
>>>> 
>>>> “In many cases, the endpoint information needed to determine an
>>>> endpoint’s vulnerability status will have been previously
>>>> 
>>>> collected by the Endpoint Management Capability and available in a
>>>> Repository. However, in other cases, the necessary
>>>> 
>>>> endpoint information will not be readily available in a Repository and
>>>> a targeted collection will be necessary.  Of course,
>>>> 
>>>> an implementation of an endpoint management capability may prefer to
>>>> enable operators to perform targeted collection under
>>>> 
>>>> certain circumstances, even when sufficient information can be
>>>> provided by the endpoint management capability (e.g. there
>>>> 
>>>> may be freshness requirements for information). Targeted collection of
>>>> endpoint information for the purpose of vulnerability
>>>> 
>>>> assessment does not necessarily need to be a pull by the vulnerability
>>>> assessment capability.  Under certain deployment
>>>> 
>>>> scenarios, once the necessary detection information is known, the
>>>> information beyond that which is available in the endpoint
>>>> 
>>>> management capability can be pushed to the vulnerability assessment
>>>> capability by the endpoint whenever that information
>>>> 
>>>> changes.”
>>>> 
>>>> 
>>>> 
>>>> Our main question is whether or not pushing information from the
>>>> endpoint management capability to the vulnerability assessment
>>>> capability is actually possible because it would not necessarily know
>>>> what information it needs to push prior to the server requesting it
>>>> (in which case it is probably considered a pull)?  Is there a
>>>> situation where the endpoint would know, in advance, what additional
>>>> information is needed for an assessment without a server requesting it?
>>>> 
>>>> 
>>>> 
>>>> If you have any thoughts on this issue, please provide feedback by May
>>> 31st.
>>>> We are planning to have an updated version of the scenario for June
>> 8th.
>>>> 
>>>> 
>>>> 
>>>> Thanks,
>>>> 
>>>> Danny
>>>> 
>>>> 
>>>> 
>>>> [1] https://datatracker.ietf.org/doc/draft-coffin-sacm-vuln-scenario/
>>>> 
>>>> [2] https://github.com/sacmwg/vulnerability-scenario/pull/3
>>>> 
>>>> [3] https://www.ietf.org/mail-archive/web/sacm/current/msg03958.html
>>>> 
>>>> [4] https://datatracker.ietf.org/doc/slides-interim-2016-sacm-3-1/
>>>> (looks like the slides are not available just yet, but, I suspect they
>>>> should be
>>>> soon)
>>>> 
>>>> 
>>>> 
>>>> 
>>>> _______________________________________________
>>>> sacm mailing list
>>>> sacm@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/sacm
>>>> 
>> 
>> _______________________________________________
>> sacm mailing list
>> sacm@ietf.org
>> https://www.ietf.org/mailman/listinfo/sacm
>> 
>> 
>> 
>> _______________________________________________
>> sacm mailing list
>> sacm@ietf.org <mailto:sacm@ietf.org>
>> https://www.ietf.org/mailman/listinfo/sacm <https://www.ietf.org/mailman/listinfo/sacm>

v2.23.0 | Report a Bug | By Email