Re: [sacm] Component Communication Sequence (Was - Re: Components for Vulnerability Assessment)

[Jerome Athias <jerome.athias@protonmail.com>]

Hi,

For now what is unclear for me is when/where it is determined that a VDI/VDD is interesting for me (applies to my endpoints).

For example:
I am retrieving everyday the latest CVE content from NVD.
Option 1: (apparently the current one) each new CVE/VDI is transformed and inserted in the VDD repository, which will trigger the flow. So for each and every CVE, I would enter the flow, and it will get/evaluate if I have endpoints that need to be evaluated before the assessment. - not optimized because they are more vulnerabilities released -not- affecting my endpoints than applicable ones

Option 2: (the one I'm using) each new CVE/VDI is evaluated by my Endpoint Manager (assets inventory/portfolio/cmdb) and ONLY IF it is relevant, it will be transformed and inserted in the VDD repository, which will trigger the flow. - more optimized, I will just assess what is relevant

Note that #2 could be assumed to be done up front, but imho would be nice to mention it.

Would this make sense?

Best regards

-------- Original Message --------
Subject: [sacm] Component Communication Sequence (Was - Re: Components for Vulnerability Assessment)
Local Time: May 3, 2017 12:42 AM
UTC Time: May 2, 2017 9:42 PM
From: adam.w.montville@gmail.com
To: sacm@ietf.org <sacm@ietf.org>

Has anyone had time to take a look at the communication sequence here? I know we've not yet completely settled on goals, but I feel like we should still be able to have this discussion as well.

Thanks for your time.

Adam

On Fri, Apr 21, 2017 at 8:00 AM Adam Montville <adam.w.montville@gmail.com> wrote:

Hello Everyone,

After some discussion on this topic, I feel like we've got no real objection to this proposed list of components. As such, this brings us back to the second version of the sequence diagram that some of us were working with not too long ago (see attached PDF vector diagram).

Given that set of components, we can now start talking about the expected communications between them in an ideal case through the system. Remember that the VDI (vulnerability information) is assumed to have been transformed and placed into the VDD (vulnerability detection) Repository. I've numbered the flows in the attached sequence diagram to show the proposed order and so that we can talk about each flow by that number.

Does this flow feel right to everyone on the list? What needs to be different? What alternate flows may exist for the basic case of checking inventory against a new vulnerability?

Let's carry this discussion on for a week or so. (Do we need longer?)

Kind regards,

Adam

On Tue, Apr 18, 2017 at 8:03 AM Adam Montville <adam.w.montville@gmail.com> wrote:

Hi All:

We've got a list of components we think we care about for our vulnerability assessment scenario (focusing on the narrowest "ideal case" through the scenario for the time being.

These are:

* Vulnerability Detection Data Repository
* Vulnerability Assessor
* Endpoint Repository
* Collector
* Target Endpoint
* Assessment Results Repository

For reference, see our wiki [1] and/or the slides from IETF 98 [2] and/or the minutes from IETF 98 [3]

Question to the WG: Is this an appropriate initial list of components?

Please opine within the next few days (say by end of your day on Thursday, wherever you may be), so that we can generate some momentum on this effort.

Kind regards,

Adam

[1] https://trac.ietf.org/trac/sacm/wiki/SacmVulnerabilityAssessmentScenario
[2] https://www.ietf.org/proceedings/98/slides/slides-98-sacm-vulnerability-scenario-discussion-00.pdf
[3] https://www.ietf.org/proceedings/98/minutes/minutes-98-sacm-00.txt