[scap_interest] Gaps in Risk Management

Adam Montville <amontville@tripwire.com> Tue, 14 February 2012 20:51 UTC

From: Adam Montville <amontville@tripwire.com>
To: "scap_interest@ietf.org" <scap_interest@ietf.org>
Thread-Topic: Gaps in Risk Management
Date: Tue, 14 Feb 2012 20:51:03 +0000
Message-ID: <CB600937.91DB%amontville@tripwire.com>
Subject: [scap_interest] Gaps in Risk Management
List-Id: "Discussion List for IETFers interested in the Security Content Automation Protocol \(SCAP\)." <scap_interest.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/scap_interest>


Security automation seeks to automate what we can ultimately within the framework of risk management.  Scoring is not enough to measure risk.  What appears to be needed is a method by which we can automate risk measurement.  It would be interesting to discuss various ways in which such automation might be achieved along both qualitative and quantitative lines.

The scoring methods we have in place today for vulnerabilities and configurations (CVSS and CCSS respectively) can measure risk of a particular instance of a class of concepts in our domain.  What I don't see being possible at this point is a way to measure the aggregate instances of vulnerabilities and misconfigurations for some set of assets (whether that be a single asset or a composite asset representing an entire network).

Risk management methodologies are not scarce – NIST, ISO, CobiT, OCTAVE and others all present some method of managing risk, and they are similar.  How can we apply automation in support of these various risk management methods while providing both qualitative and quantitative risk assessment under the hood?


Adam W. Montville | Security and Compliance Architect

Direct: 503 276-7661
Mobile: 360 471-7815
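The gap the message describes, shown concretely. This is an added example and not code from the poster or the list: it computes a CVSS v2 base score from a vector string using the published v2 metric weights and formula, then applies three plausible ways of rolling per-instance scores up to a set of assets. The inventory, the asset names and the three aggregation rules (max, mean, and a "noisy-OR" combination that treats each score as an independent probability of compromise) are constructed for illustration; none is a standard, and the point is that they produce materially different answers for the same findings.

```python
"""CVSS v2 base scoring plus three candidate asset-level aggregations.

Added example. The weights and formula are those of the CVSS v2 base metric
group; the inventory and the aggregation rules are constructed assumptions.
"""
from decimal import Decimal, ROUND_HALF_UP
from statistics import mean

# CVSS v2 base metric weights.
_AV = {"L": 0.395, "A": 0.646, "N": 1.0}      # Access Vector
_AC = {"H": 0.35, "M": 0.61, "L": 0.71}        # Access Complexity
_AU = {"M": 0.45, "S": 0.56, "N": 0.704}       # Authentication
_CIA = {"N": 0.0, "P": 0.275, "C": 0.660}      # Confidentiality/Integrity/Availability impact


def _round1(x: float) -> float:
    """CVSS rounds half-up to one decimal; Python's round() is banker's rounding."""
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector: str) -> dict:
    """Parse 'AV:N/AC:L/Au:N/C:P/I:P/A:P' into a metric -> value dict, rejecting bad input."""
    expected = {"AV": _AV, "AC": _AC, "Au": _AU, "C": _CIA, "I": _CIA, "A": _CIA}
    metrics = {}
    for part in vector.split("/"):
        key, sep, val = part.partition(":")
        if not sep:
            raise ValueError(f"malformed metric {part!r} in {vector}")
        metrics[key] = val
    if set(metrics) != set(expected):
        raise ValueError(f"vector must contain exactly {sorted(expected)}: {vector}")
    for key, table in expected.items():
        if metrics[key] not in table:
            raise ValueError(f"bad value {metrics[key]!r} for {key} in {vector}")
    return metrics


def cvss2_base_score(vector: str) -> float:
    """CVSS v2 base score for one vulnerability instance."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]]))
    exploitability = 20 * _AV[m["AV"]] * _AC[m["AC"]] * _AU[m["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176
    return _round1(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)


# Constructed inventory (hypothetical asset names and findings): asset -> CVSS v2 vectors.
INVENTORY = {
    "web-01": ["AV:N/AC:L/Au:N/C:P/I:N/A:N", "AV:N/AC:M/Au:N/C:P/I:P/A:P"],
    "db-01": ["AV:L/AC:L/Au:N/C:N/I:N/A:N"],
    "app-01": ["AV:L/AC:L/Au:N/C:P/I:P/A:P"],
}


def aggregate(inventory: dict, method: str) -> float:
    """Roll instance scores up to one number for the whole asset set.

    'max'      worst single finding (ignores how many there are)
    'mean'     average finding (a clean asset dilutes a critical one)
    'noisy_or' 10 * (1 - prod(1 - s/10)): treats s/10 as an independent
               probability of compromise, so many mid scores saturate high
    All three are assumptions for illustration, not standard CVSS aggregation.
    """
    scores = [cvss2_base_score(v) for vectors in inventory.values() for v in vectors]
    if not scores:
        return 0.0
    if method == "max":
        return max(scores)
    if method == "mean":
        return _round1(mean(scores))
    if method == "noisy_or":
        p_safe = 1.0
        for s in scores:
            p_safe *= 1 - s / 10.0
        return _round1(10.0 * (1 - p_safe))
    raise ValueError(f"unknown aggregation method {method!r}")


if __name__ == "__main__":
    for asset, vectors in INVENTORY.items():
        print(asset, [cvss2_base_score(v) for v in vectors])
    for method in ("max", "mean", "noisy_or"):
        print(f"{method:>9}: {aggregate(INVENTORY, method)}")
```

For the same four findings the three rules give 6.8, 4.1 and 9.1, and each has a defensible rationale; that disagreement is the aggregation gap the message points at, and choosing (or standardizing) the rule is the part automation cannot settle by itself.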