Re: [scap_interest] The Context Concept

"Waltermire, David A." <> Tue, 21 February 2012 18:46 UTC

From: "Waltermire, David A." <>
To: Luis Nunez <>, "Chernin, Michael A." <mchernin@DTCC.COM>
Date: Tue, 21 Feb 2012 13:46:06 -0500

There are a variety of use cases that can benefit from synthesizing asset technical information (e.g., IPs, network addresses, default gateways, machine-accessible asset tags, configurations) with organizational information (e.g., device role, criticality, etc.). For example, if you can generate a network graph of devices and their connections, and combine that with firewall rules and other topology concerns to determine visibility between hosts, you can then perform attack graph analysis to determine at what points a security-related change will provide the greatest security benefit. This can be one method used to prioritize the implementation of various security controls. As Karen Scarfone pointed out earlier, this is also needed to support host-, network-, and system-oriented metrics starting with things like CVSS and CCSS scores and utilizing the composition of software on hosts and hosts on networks to support roll-up.

This and similar use cases are supported by asset identification, but require greater formalization around asset data management to enable implementation-neutral, interoperable approaches.

David Waltermire

From: [] On Behalf Of Luis Nunez
Sent: Tuesday, February 21, 2012 1:23 PM
To: Chernin, Michael A.
Subject: Re: [scap_interest] The Context Concept

We also need to look at vulnerabilities as they apply to an environment. An inherent vulnerability may have differing levels of exposure depending on what, where and how the node is deployed.

We may be able to leverage Asset Identification (AI) to correlate what role the node is playing in the environment (endpoint, server, inter-networking device, ...) and determine the level of exposure. The level of risk could also be applied depending on where the node is situated:
  - Directly connected to the internet
  - DMZ controlled
  - Internal network
  - Secure enclave
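The prioritization David describes (network graph plus firewall rules, then attack-graph analysis to find the change with the greatest benefit) and the zone-based exposure Luis outlines can be combined in a small reachability model. The following is an added example, not code from the list or from any SCAP project; the host inventory, zones, CVSS values, criticality ratings, firewall rules and the 7.0 "exploitable" threshold are all constructed assumptions.

```python
from collections import deque

# Constructed inventory: host -> (zone, role, criticality 1..5, highest CVSS base score)
HOSTS = {
    "web1": ("dmz", "server", 3, 9.8),
    "app1": ("internal", "server", 4, 7.5),
    "db1": ("enclave", "server", 5, 7.2),
    "ws7": ("internal", "endpoint", 1, 8.1),
}
# Constructed firewall policy: (source zone, destination zone) pairs that are allowed.
# "internet" is the pseudo-zone where the analysis starts.
RULES = {("internet", "dmz"), ("dmz", "internal"),
         ("internal", "internal"), ("internal", "enclave")}
EXPLOITABLE = 7.0  # assumed threshold: CVSS at or above this counts as compromisable

def reachable(hosts, rules, patched=frozenset()):
    """Breadth-first walk: a host is compromisable if some already-compromised
    zone may reach its zone and it has an unpatched vuln over the threshold."""
    owned, frontier = set(), deque(["internet"])
    while frontier:
        cur = frontier.popleft()
        cur_zone = "internet" if cur == "internet" else hosts[cur][0]
        for name, (zone, _role, _crit, cvss) in hosts.items():
            if name in owned or name in patched or cvss < EXPLOITABLE:
                continue
            if (cur_zone, zone) in rules:
                owned.add(name)
                frontier.append(name)
    return owned

def exposure(hosts, rules, patched=frozenset()):
    """Roll-up metric: total criticality of hosts an attacker could reach."""
    return sum(hosts[h][2] for h in reachable(hosts, rules, patched))

def rank_changes(hosts, rules):
    """Score each candidate change (patch one host, or drop one firewall rule)
    by how much exposure it removes; highest benefit first."""
    base = exposure(hosts, rules)
    gains = {("patch", h): base - exposure(hosts, rules, frozenset({h})) for h in hosts}
    for r in rules:
        gains[("block", r)] = base - exposure(hosts, rules - {r})
    return sorted(gains.items(), key=lambda kv: -kv[1])

if __name__ == "__main__":
    for change, gain in rank_changes(HOSTS, RULES):
        print(f"{change}: removes {gain} of {exposure(HOSTS, RULES)} exposure")
```

On this sample data, patching the DMZ web server or blocking the internet-to-DMZ rule removes all 13 points of exposure, while patching the most critical host (the enclave database) removes only 5, which is the kind of counter-intuitive ranking the graph view makes visible.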


On Feb 21, 2012, at 9:47 AM, Chernin, Michael A. wrote:

I agree that when dealing with "threats" that context matters. However, vulnerabilities alone do not imply or guarantee there is an associated threat or risk.

In my perfect world there would be a threat indicator standard that links to a structured threat standard that then could describe the CVEs used. This would allow us to continue doing vulnerability management by exposure (no threat context) or by specific threat (which provides context).


DTCC Non-Confidential (White)
Michael "Aharon" Chernin
Security Automation Program Manager
Corporate Information Security -Depository Trust & Clearing Corporation
O: 813-470-2173

From: [] On Behalf Of Jerome Athias
Sent: Saturday, February 18, 2012 2:03 PM
Subject: [scap_interest] The Context Concept

In a private discussion I had at ToorCon 9, with Matt Miller (skape);
we came to the conclusion that a key (and unresolved) point of automation is the (automatic) definition of the Context in which you are dealing with a vulnerability (threat).
It was also identified (validated?), and introduced by Druid.
And then, the Druid's work was related (validated?) at FRHACK 01 by Rodrigo Branco (bsdaemon).

Situation awareness should be taken into account.
Maybe search for "military situational awareness".

My 2 dirhams
