Thanks, Michael.  I’ve also asked three people I work with to review from their 
SOC role.  We’re trying to drum up additional industry reviews for this work.

Joe

From: Michael P1 <[email protected]>
Date: Wednesday, April 1, 2026 at 11:58
To: Joe Clarke (jclarke) <[email protected]>, opsawg <[email protected]>
Subject: RE: Feedback on draft-parsons-opsawg-security-operations

Hi Joe,

Thanks for the review and feedback.

On section 6, that’s a really good point. We’ll look to change the text to 
provide more guidance on that. We certainly don’t want to put the burden of 
that threat modelling on the protocol designers, so the intention is that the text 
should rather provide examples or pointers in terms of things to look out for 
and places to go for more support on that.

The point on enterprise vs infrastructure operators is really useful feedback. 
We very much want this draft to support both cases. I will reach out to get 
input from people who have that background to ensure that we get that 
perspective.
I would really appreciate any input and reviews if there are others on this 
mailing list with such experience or contacts in those sorts of teams too.

Thanks again,
Michael

From: Joe Clarke (jclarke) <[email protected]>
Sent: 23 March 2026 15:19
To: opsawg <[email protected]>
Subject: [OPSAWG]Feedback on draft-parsons-opsawg-security-operations

Thanks for both writing and presenting this work, Michael.  I have some 
high-level feedback, some of which I teased at in the chat.

Section 6 says protocol designers should consider how a new protocol "may 
impact attackers' capabilities, such as C2 communications, network traversal or 
data exfiltration."  Obviously, this line of thinking is good, but I worry that 
threat modeling is not a skill many protocol designers have.  Maybe I’m 
projecting too much of myself here, but I do recognize this area as being 
specialized.  I think it would be useful to offer more guidance as to how a 
protocol designer is supposed to conduct or document that attacker-capability 
analysis, or are you thinking SEC DIR will provide this guidance during reviews?

The draft covers enterprise/SOC-centric security operations, but what about 
operators of the infrastructure itself (e.g., ISPs, IXPs, CDNs) who also 
perform security operations at scale? The tooling, IoC models, and incident 
response described seem to correspond to what I recognize as SOC in the 
enterprise, but I imagine traffic analysis and threat detection at a carrier or 
IX point look quite different. It might make sense to better distinguish the 
two if others agree.

Joe
_______________________________________________
OPSAWG mailing list -- [email protected]
To unsubscribe send an email to [email protected]