Dave, that is a very accurate capture of how the vulnerability assessment draft can be used to move SACM work forward. The SACM charter is broad; making progress on solutions drafts that address the goals laid out in the SACM charter necessitates focusing on a smaller scale scenario to collect the right data, over the right protocols, that enable security automation. The vulnerability assessment scenario does just that. It allows us to make progress on a manageable subset of our goals while keeping an eye to the bigger security automation landscape. Such a scenario is of great value to SACM, and is the only way we will be able to make real progress.
On Wed, Dec 2, 2015, 9:51 AM Waltermire, David A. <[email protected]> wrote:

> Kathleen,
>
> There are a number of operational business processes that SACM is working to support to include: software asset management, vulnerability management, configuration management, and others. Considering the totality of these use cases is too big to tackle all at once. The current SACM use cases help to inform some of the operations that need to be supported, but they are very abstract and don't help as much in making clear what protocols and data models are needed. Definitely not the specifics of these specifications. The discussion around the vulnerability draft has been about focusing work by iterating on concrete operational scenarios (such as that draft) that will enable SACM to produce useful solutions more quickly in a way that can build on previous iterations. I believe the vulnerability scenario draft is being proposed as the first iteration of many.
>
> IMHO, without such a focus, we will continue to stagnate and make intermittent progress. This draft has stimulated a good amount of feedback and discussion, which makes me think it is accomplishing its intended goal. As you mentioned, the next steps should be to clarify the vulnerability scenario and align extensible solutions that will address the scenario. In doing so this work can provide the foundations for the next scenario in the next iteration since many of the operational processes have common information needs.
>
> Does this help to clear up how the draft may be used?
>
> Regards,
> Dave
>
> > -----Original Message-----
> > From: sacm [mailto:[email protected]] On Behalf Of Kathleen Moriarty
> > Sent: Wednesday, December 02, 2015 9:31 AM
> > To: Wolfkiel, Joseph L CIV DISA ID (US) <[email protected]>
> > Cc: Haynes, Dan <[email protected]>; [email protected]; Linda Dunbar <[email protected]>; Romascanu, Dan (Dan) <[email protected]>; [email protected]; [email protected]
> > Subject: Re: [sacm] [OPSAWG] Feedback on the SACM Vulnerability Assessment Scenario
> >
> > Hello,
> >
> > I also took the time to read the draft and it currently reads like a scenario or an expanded use case draft, not a solution draft. Does SACM need this or are there plans to merge it with solution work into one draft? I could see the value in the latter, but I don't see how a scenario draft on its own will help speed up progress for the WG.
> >
> > Thanks,
> > Kathleen
> >
> > On Wed, Dec 2, 2015 at 8:53 AM, Wolfkiel, Joseph L CIV DISA ID (US) <[email protected]> wrote:
> > > I think the disappointment may have been headed off if the document was more explicit, right at the beginning, about what a "vulnerability report" is. I got 2/3 of the way through the document before I understood that "vulnerability report" and "vulnerability definition" are effectively the same construct. A vulnerability report apparently is an announcement that a vulnerability has been discovered and defined to the point where endpoint managers can run assessments on their endpoints to determine if their endpoints have the vulnerability or not.
> > >
> > > This concept is confusing because generally, with existing vulnerability scanners, new vulnerability "reports" are a subset of updated vulnerability definitions that automatically propagated to the tools and aren't delivered as stand-alone "reports". So a vulnerability "report" would look something like the report at https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8395 (I think).
> > >
> > > Joseph L. Wolfkiel
> > > SCM Engineering Lead
> > > DISA ID52
> > > Fort Meade DISA Acquisition Bldg Cube A4A58E
> > > Work: (301) 225-8820
> > > Gov Cell: (571) 814-8231
> > > [email protected]
> > >
> > > -----Original Message-----
> > > From: sacm [mailto:[email protected]] On Behalf Of Haynes, Dan
> > > Sent: Wednesday, December 02, 2015 8:36 AM
> > > To: Romascanu, Dan (Dan); Linda Dunbar; [email protected]; [email protected]
> > > Cc: [email protected]
> > > Subject: Re: [sacm] [OPSAWG] Feedback on the SACM Vulnerability Assessment Scenario
> > >
> > > Hi Linda,
> > >
> > > Please let us know if there are any specific questions that we can answer for you, to help clarify the document, after considering it in the context of the SACM charter as Dan mentioned.
> > >
> > > Thanks,
> > >
> > > Danny
> > >
> > > From: OPSEC [mailto:[email protected]] On Behalf Of Romascanu, Dan (Dan)
> > > Sent: Sunday, November 22, 2015 9:48 AM
> > > To: Linda Dunbar <[email protected]>; [email protected]; [email protected]
> > > Cc: [email protected]
> > > Subject: Re: [OPSEC] [sacm] [OPSAWG] Feedback on the SACM Vulnerability Assessment Scenario
> > >
> > > Hi Linda,
> > >
> > > Thanks for answering the call for review and having a look at this work.
> > >
> > > Concerning your 'little disappointment': This I-D needs to be read in the context of the current charter of the SACM WG. The WG charter focus for this phase is on the 'endpoint posture' and on the 'enterprise use case'. Maybe this makes things somehow more clear.
> > >
> > > Regards,
> > >
> > > Dan
> > >
> > > From: sacm [mailto:[email protected]] On Behalf Of Linda Dunbar
> > > Sent: Thursday, November 19, 2015 10:36 PM
> > > To: Romascanu, Dan (Dan); [email protected]; [email protected]
> > > Cc: [email protected]
> > > Subject: Re: [sacm] [OPSAWG] Feedback on the SACM Vulnerability Assessment Scenario
> > >
> > > Reading through the document has made me feel that the Title of the draft is misleading.
> > >
> > > Based on the title I was expecting to see the Vulnerability Assessment of various network scenarios, which will be very useful information for enterprise and service provider network administrators to put in adequate tools to protect those vulnerabilities.
> > >
> > > But the document only describes the procedure in authenticating an end user/points and states that you need to compare with the Vulnerability report (almost like a common sense) without saying how and what. I guess I had too high the expectation, but a little disappointed of not finding the information I was looking for.
> > >
> > > Linda Dunbar
> > >
> > > From: OPSAWG [mailto:[email protected]] On Behalf Of Romascanu, Dan (Dan)
> > > Sent: Thursday, November 19, 2015 7:51 AM
> > > To: [email protected]; [email protected]
> > > Cc: [email protected]
> > > Subject: [OPSAWG] Feedback on the SACM Vulnerability Assessment Scenario
> > >
> > > Hi,
> > >
> > > I am reiterating a request that I made at IETF 94 in the OPSAWG meeting, and also sent to the mail lists of opsec and opsawg. The SACM WG is considering a document https://datatracker.ietf.org/doc/draft-coffin-sacm-vuln-scenario/ that describes the operational practice of vulnerability reports, which we believe is an important use case in the security assessment life cycle. We are requiring feedback from operators about the scenario described in this document - does it make sense? Is it similar with what you do in operational real life? Are you using similar or different methods for vulnerability assessment in your networks? A quick reading and short feedback would be greatly appreciated.
> > >
> > > Thanks and Regards,
> > >
> > > Dan
> > >
> > > _______________________________________________
> > > sacm mailing list
> > > [email protected]
> > > https://www.ietf.org/mailman/listinfo/sacm
> >
> > --
> >
> > Best regards,
> > Kathleen
_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
