Hi Dave and Jessica,

While I do see the work that went into this draft and think it is
helpful, I'd prefer to see it merged with a solution draft,
accomplishing both in one draft.  It's very unusual for a WG to
publish multiple use case drafts and many don't even publish use
case drafts.

Is there solution work that could build directly off of this work and
be combined into one draft to cover the vulnerability space?

Thank you,
Kathleen

On Wed, Dec 2, 2015 at 10:05 AM, Jessica Fitzgerald-McKay
<[email protected]> wrote:
> Dave, that is a very accurate capture of how the vulnerability assessment
> draft can be used to move SACM work forward. The SACM charter is broad;
> making progress on solutions drafts that address the goals laid out in the
> SACM charter necessitates focusing on a smaller scale scenario to collect
> the right data, over the right protocols, that enable security automation.
> The vulnerability assessment scenario does just that. It allows us to make
> progress on a manageable subset of our goals while keeping an eye to the
> bigger security automation landscape. Such a scenario is of great value to
> SACM, and is the only way we will be able to make real progress.
>
>
> On Wed, Dec 2, 2015, 9:51 AM Waltermire, David A.
> <[email protected]> wrote:
>>
>>
>> Kathleen,
>>
>> There are a number of operational business processes that SACM is working
>> to support to include: software asset management, vulnerability management,
>> configuration management, and others. Considering the totality of these use
>> cases is too big to tackle all at once. The current SACM use cases help to
>> inform some of the operations that need to be supported, but they are very
>> abstract and don't help as much in making clear what protocols and data
>> models are needed. Definitely not the specifics of these specifications. The
>> discussion around the vulnerability draft has been about focusing work by
>> iterating on concrete operational scenarios (such as that draft) that will
>> enable SACM to produce useful solutions more quickly in a way that can build
>> on previous iterations. I believe the vulnerability scenario draft is being
>> proposed as the first iteration of many.
>>
>> IMHO, without such a focus, we will continue to stagnate and make
>> intermittent progress. This draft has stimulated a good amount of feedback
>> and discussion, which makes me think it is accomplishing its intended goal.
>> As you mentioned, the next steps should be to clarify the vulnerability
>> scenario and align extensible solutions that will address the scenario. In
>> doing so this work can provide the foundations for the next scenario in the
>> next iteration since many of the operational processes have common
>> information needs.
>>
>> Does this help to clear up how the draft may be used?
>>
>> Regards,
>> Dave
>>
>> > -----Original Message-----
>> > From: sacm [mailto:[email protected]] On Behalf Of Kathleen Moriarty
>> > Sent: Wednesday, December 02, 2015 9:31 AM
>> > To: Wolfkiel, Joseph L CIV DISA ID (US) <[email protected]>
>> > Cc: Haynes, Dan <[email protected]>; [email protected]; Linda Dunbar
>> > <[email protected]>; Romascanu, Dan (Dan)
>> > <[email protected]>; [email protected]; [email protected]
>> > Subject: Re: [sacm] [OPSAWG] Feedback on the SACM Vulnerability
>> > Assessment Scenario
>> >
>> > Hello,
>> >
>> > I also took the time to read the draft and it currently reads like a
>> > scenario or an expanded use case draft, not a solution draft.  Does SACM
>> > need this or are there plans to merge it with solution work into one
>> > draft?  I could see the value in the latter, but I don't see how a
>> > scenario draft on its own will help speed up progress for the WG.
>> >
>> > Thanks,
>> > Kathleen
>> >
>> > On Wed, Dec 2, 2015 at 8:53 AM, Wolfkiel, Joseph L CIV DISA ID (US)
>> > <[email protected]> wrote:
>> > > I think the disappointment may have been headed off if the document
>> > > was
>> > more explicit, right at the beginning, about what a "vulnerability
>> > report" is.  I
>> > got 2/3 of the way through the document before I understood that
>> > "vulnerability report" and "vulnerability definition" are effectively
>> > the same
>> > construct.  A vulnerability report apparently is an announcement that a
>> > vulnerability has been discovered and defined to the point where
>> > endpoint
>> > managers can run assessments on their endpoints to determine if their
>> > endpoints have the vulnerability or not.
>> > >
>> > > This concept is confusing because generally, with existing
>> > > vulnerability
>> > scanners, new vulnerability "reports" are a subset of updated
>> > vulnerability
>> > definitions that automatically propagated to the tools and aren't
>> > delivered as
>> > stand-alone "reports".  So a vulnerability "report" would look something
>> > like
>> > the report at https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8395
>> > (I think).
>> > >
>> > > Joseph L. Wolfkiel
>> > > SCM Engineering Lead
>> > > DISA ID52
>> > > Fort Meade DISA Acquisition Bldg Cube A4A58E
>> > > Work: (301) 225-8820
>> > > Gov Cell: (571) 814-8231
>> > > [email protected]
>> > >
>> > >
>> > >
>> > > -----Original Message-----
>> > > From: sacm [mailto:[email protected]] On Behalf Of Haynes, Dan
>> > > Sent: Wednesday, December 02, 2015 8:36 AM
>> > > To: Romascanu, Dan (Dan); Linda Dunbar; [email protected];
>> > > [email protected]
>> > > Cc: [email protected]
>> > > Subject: Re: [sacm] [OPSAWG] Feedback on the SACM Vulnerability
>> > > Assessment Scenario
>> > >
>> > >
>> > > Hi Linda,
>> > >
>> > >
>> > > Please let us know if there are any specific questions that we can
>> > > answer
>> > for you, to help clarify the document, after considering it in the
>> > context of
>> > the SACM charter as Dan mentioned.
>> > >
>> > >
>> > >
>> > > Thanks,
>> > >
>> > > Danny
>> > >
>> > >
>> > >
>> > > From: OPSEC [mailto:[email protected]] On Behalf Of
>> > > Romascanu, Dan (Dan)
>> > > Sent: Sunday, November 22, 2015 9:48 AM
>> > > To: Linda Dunbar <[email protected]>; [email protected];
>> > > [email protected]
>> > > Cc: [email protected]
>> > > Subject: Re: [OPSEC] [sacm] [OPSAWG] Feedback on the SACM
>> > > Vulnerability Assessment Scenario
>> > >
>> > >
>> > >
>> > > Hi Linda,
>> > >
>> > >
>> > >
>> > > Thanks for answering the call for review and having a look at this
>> > > work.
>> > >
>> > >
>> > >
>> > > Concerning your 'little disappointment': This I-D needs to be read in
>> > > the
>> > context of the current charter of the SACM WG. The WG charter focus for
>> > this phase is on the 'endpoint posture' and on the 'enterprise use
>> > case'.
>> > Maybe this makes things somehow more clear.
>> > >
>> > >
>> > >
>> > > Regards,
>> > >
>> > >
>> > >
>> > > Dan
>> > >
>> > >
>> > >
>> > >
>> > >
>> > > From: sacm [mailto:[email protected]] On Behalf Of Linda Dunbar
>> > > Sent: Thursday, November 19, 2015 10:36 PM
>> > > To: Romascanu, Dan (Dan); [email protected]; [email protected]
>> > > Cc: [email protected]
>> > > Subject: Re: [sacm] [OPSAWG] Feedback on the SACM Vulnerability
>> > > Assessment Scenario
>> > >
>> > >
>> > >
>> > > Reading through the document has made me feel that the Title of the
>> > > draft
>> > is misleading.
>> > >
>> > > Based on the title I was expecting to see the Vulnerability Assessment
>> > > of
>> > various network scenarios, which will be very useful information for
>> > enterprise and service provider network administrators to put in
>> > adequate
>> > tools to protect those vulnerability.
>> > >
>> > >
>> > >
>> > > But the document only describes the procedure in authenticating an end
>> > user/points and states that you need to compare with the Vulnerability
>> > report (almost like a common sense ) without saying how and what.  I
>> > guess I
>> > had too high the expectation, but a little disappointed of not finding
>> > the
>> > information I was looking for.
>> > >
>> > >
>> > >
>> > > Linda Dunbar
>> > >
>> > >
>> > >
>> > >
>> > >
>> > >
>> > >
>> > > From: OPSAWG [mailto:[email protected]] On Behalf Of Romascanu, Dan
>> > > (Dan)
>> > > Sent: Thursday, November 19, 2015 7:51 AM
>> > > To: [email protected]; [email protected]
>> > > Cc: [email protected]
>> > > Subject: [OPSAWG] Feedback on the SACM Vulnerability Assessment
>> > > Scenario
>> > >
>> > >
>> > >
>> > > Hi,
>> > >
>> > >
>> > >
>> > > I am reiterating a request that I made at IETF 94 in the OPSAWG
>> > > meeting, and also sent to the mail lists of opsec and opsawg. The SACM
>> > > WG is considering a document
>> > > https://datatracker.ietf.org/doc/draft-coffin-sacm-vuln-scenario/
>> > > that describes the operational practice of
>> > > vulnerability reports, which we believe is an important use case in
>> > > the security assessment life cycle. We are requiring feedback from
>> > > operators about the scenario described in this document - does it make
>> > > sense? Is it similar with what you do in operational real life? Are
>> > > you using similar or different methods for vulnerability assessment in
>> > > your networks? A quick reading and short feedback would be greatly
>> > > appreciated.
>> > >
>> > >
>> > >
>> > > Thanks and Regards,
>> > >
>> > >
>> > >
>> > > Dan
>> > >
>> > >
>> > >
>> > >
>> > > _______________________________________________
>> > > sacm mailing list
>> > > [email protected]
>> > > https://www.ietf.org/mailman/listinfo/sacm
>> > >
>> >
>> >
>> >
>> > --
>> >
>> > Best regards,
>> > Kathleen
>> >
>>
>
>
>



-- 

Best regards,
Kathleen

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
