Network Working Group D. Waltermire, Ed. Internet-Draft NIST Intended status: Informational July 2, 2012 Expires: January 3, 2013 Analysis of Security Automation and Continuous Monitoring (SACM) Use Cases draft-waltermire-sacm-use-cases-00 Abstract This document identifies foundational use cases, derived functional capabilities and requirements, architectural components, and the supporting standards needed to define an interoperable, automation infrastructure required to support timely, accurate and actionable situational awareness over an organization's IT systems. Automation tools implementing a continuous monitoring approach will utilize this infrastructure together with existing and emerging event, incident and network management standards to provide visibility into the state of assets, user activities and network behavior. Stakeholders will be able to use these tools to aggregate and analyze relevant security and operational data to understand the organizations security posture, quantify business risk, and make informed decisions that support organizational objectives while protecting critical information. Organizations will be able to use these tools to augment and automate information sharing activities to collaborate with partners to identify and mitigate threats. Other automation tools will be able to integrate with these capabilities to enforce policies based on human decisions to harden systems, prevent misuse and reduce the overall attack surface. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on January 3, 2013. Waltermire Expires January 3, 2013 [Page 1] Internet-Draft SACM Use Cases July 2012 Copyright Notice Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 4 2. Key Concepts . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3.1. UC1: Assessment and Enforcement of Acceptable State . . . 4 3.2. UC2: Behavioral Monitoring and Enforcement . . . . . . . . 5 3.3. UC3: Security Control Verification and Monitoring . . . . 6 3.4. UC4: Secure Exchange of Governance, Risk and Compliance (GRC) Information . . . . . . . . . . . . . . . 6 3.5. UC5: Automated Forensics Investigation . . . . . . . . . . 7 4. Functional Capabillities . . . . . . . . . . . . . . . . . . . 8 4.1. Functional Capability 1 . . . . . . . . . . . . . . . . . 8 4.2. Functional Capability n . . . . . . . . . . . . . . . . . 8 5. Functional Components . . . . . . . . . . . . . . . . . . . . 8 6. Data Exchange Models and Communications Protocols . . . . . . 9 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 8. Security Considerations . . . . . . . . . . . . . . . . . . . 9 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9 9.1. Normative References . . . . . . . . . . . . . . . . . . . 9 9.2. Informative References . . . . . . . . . . . . . . . . . . 10 Appendix A. Additional Stuff . . . . . . . . . . . . . . . . . . 10 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 10 Waltermire Expires January 3, 2013 [Page 2] Internet-Draft SACM Use Cases July 2012 1. Introduction This document addresses foundational use cases in security automation. Portions of these use cases may be considered when establishing a charter for the Security Automation and Continuous Monitoring (SACM) working group within the IETF. This working group will address a portion of the standards needed to define an interoperable, automation infrastructure required to support timely, accurate and actionable situational awareness over an organization's IT systems. This document enumerates use cases and break down related concepts that cross many IT security information domains. Sections [...] of this document focus on: Defining the key concepts and terminology used within the document providing a common frame of reference; Identifying foundational use cases that represent classes of stakeholders, goals, and usage scenarios; A set of derived functional capabilities and associated requirements that are needed to support the use cases; A break down of architectural components that address one or more functional capabilities that can be used in various combinations to support the use cases; and An inventory of existing, emerging, and needed data exchange models and communications protocols that are required to support interoperability between architectural components. The standards identified in this document provide a foundation for creating interoperable automation tools and continuous monitoring solutions that provide visibility into the state of assets, user activities, and network behavior. Stakeholders will be able to use these tools to aggregate and analyze relevant security and operational data to understand the organizations security posture, quantify business risk, and make informed decisions that support organizational objectives while protecting critical information. Organizations will be able to use these tools to augment and automate information sharing activities to collaborate with partners to identify and mitigate threats. Other automation tools will be able to integrate with these capabilities to enforce policies based on human decisions to harden systems, prevent misuse and reduce the overall attack surface. Waltermire Expires January 3, 2013 [Page 3] Internet-Draft SACM Use Cases July 2012 1.1. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. 2. Key Concepts Define/reference the major concepts included in this document. 3. Use Cases Describe use cases, one per sub-section. Things to consider including (but not limited to): o Usage scenarios (e.g. Security Control Verification, Endpoint Enforcement, Incident Detection, Forensic Investigation, etc.) o Information Domains (e.g. configuration, vulnerability, digital events, etc.) o Characteristics of the information used (e.g. real-time/periodic, static/dynamic, etc.) 3.1. UC1: Assessment and Enforcement of Acceptable State Controlling access to networks and services based on the assessment and analysis of host and/or network state based on machine processable content. Possible "things" that are being measured: o Asset information o System configuration o System vulnerabilities o System weaknesses o Semi-automated human interrogation methods to assess non- automatable, technical controls Possible desired outcomes to address: Waltermire Expires January 3, 2013 [Page 4] Internet-Draft SACM Use Cases July 2012 o User/system is allowed access to network resources o User/system is denied access to network resources * Potential mitigation actions are taken Possible other things to address: o In this and subsequent sections, document how this work is related to Network Endpoint Assessment (nea) working group. o Relevant processes, technologies and techniques. 3.2. UC2: Behavioral Monitoring and Enforcement Controlling access to networks and services based on the detection and analysis of host and/or user behavior using automatable information from various sources. Possible "things" that are being measured: o System configuration o System vulnerabilities o Network events o User/host behavior Possible desired outcomes to address: o Change in state is recorded and reported o User/system activity is recorded and reported o User/system access is terminated or altered Possible other things to address: o In this and subsequent sections, document how this work is related to Network Endpoint Assessment (nea) working group. o Discuss how this could potentially be related to the IP Flow Information Export (ipfix) working group. Basically leveraging Netflow to detect network behavior. This information could be received from what the MILE WG is doing with incident response. (see UC5 and UC4) Waltermire Expires January 3, 2013 [Page 5] Internet-Draft SACM Use Cases July 2012 o Relevant processes, technologies and techniques. 3.3. UC3: Security Control Verification and Monitoring Continuous assessment of the implementation and effectiveness of security controls based on machine processable content. Possible "things" that are being measured: o Compliance to organizationally defined/required controls * System configuration * System vulnerabilities * Network events * Semi-automated human interrogation methods to assess non- technical controls o Deviations from expected state Possible desired outcomes to address: o Compliance or non-compliance is recorded and reported Possible other things to address: o Indicate the relationship to UC1 and UC2. These use cases provide some of that data needed to support this use case. o Relevant processes, technologies and techniques. 3.4. UC4: Secure Exchange of Governance, Risk and Compliance (GRC) Information Sharing security and/or operationally relevant information within and across trust boundaries using secure, automated communication channels and formats. Possible "things" that are being measured: o ??? Possible desired outcomes to address: o Combining results from UC1-UC3, a report to an organizational authority is generated, including relevant data pertaining to the Waltermire Expires January 3, 2013 [Page 6] Internet-Draft SACM Use Cases July 2012 user activities, potentially along with the aggregated data from other user activities. o Potential sharing of risk and/or threat behavioral information with partners as well as reference data and content like USGCB, NVD, IAVM, and machine-readable US-CERT alerts o Outcome of UC4 informs back through UC1-UC3, such as updates to policies, adjusted configurations, new patch data, etc. Possible other things to address: o Indicate the relationship of this use case to UC3 and UC5. This use case supports requests for and reporting of information generated by UC3 and UC5. o Be sure to incorporate Incident/Security Event Exchange (UC5). o Document how this use case supports methods to combine data sets to generate reports that would be shared between parties. This is a touch point with the MILE GRC-Exchange work. Establish the use cases for the exchange. In the following sections, discuss additional work that may be needed to tie these pieces together o Discuss the use of content repositories in support of information exchange. o Relevant processes, technologies and techniques. 3.5. UC5: Automated Forensics Investigation Remote and/or local collection of organizational, network, and/or host information for the purpose of incident investigation and response. Possible "things" that are being measured: o Scope and impact of security incident Possible desired outcomes to address: o Identify the need for additional data collection from UC1-UC3 based on gaps in information currently collected o Can be informed by UC4, such as shared risk/threat information o Alteration to acceptable system state requirements necessary for UC1-UC2 Waltermire Expires January 3, 2013 [Page 7] Internet-Draft SACM Use Cases July 2012 o Identify the need for additional or altered controls in UC3 Possible other things to address: o Relevant processes, technologies and techniques. 4. Functional Capabillities Decompose the functional capabilities needed to support the use cases, one per sub-section. Cross reference the use case dependencies where they exist. Things to consider including (but not limited to): o Information Views/Reports (e.g. security posture, compliance, control effectiveness) o Data Collection (e.g. configuration state, software inventory, user and network behavior) o Reference Information Formats (e.g. control catalogs, configuration baselines, malware characteristics, vulnerability data) 4.1. Functional Capability 1 Describe the first capability. 4.2. Functional Capability n Describe the n capability. 5. Functional Components Describe the abstract functional components needed to provide the capabilities described in the previous section. Describe any relationships between the components and how they can be composed to address functional capabilities. (this might be better defined in the previous section.) Things to consider including (but not limited to): o Topologies o Federation Strategy Waltermire Expires January 3, 2013 [Page 8] Internet-Draft SACM Use Cases July 2012 6. Data Exchange Models and Communications Protocols Document where existing work exists, what is currently defined by SDOs, and any gaps that should be addressed. Point to existing event, incident and network management standards when available. Describe emerging efforts that may be used for the creation of new standards. For gaps provide insight into what would be a good fit for SACM or another IETF working groups. This will help us to identify what is needed for SACM to be successful. This section will help determine which of the specifications can be normatively referenced and what needs to be addressed in the IETF. This should help us determine any protocol or guidance documentation we will need to generate to support the described use cases. Things to address: For IETF related efforts, discuss work in NEA and MILE. Address SNMP, NetConf and other efforts as needed. Reference any Security Automation work that is applicable. 7. IANA Considerations This memo includes no request to IANA. All drafts are required to have an IANA considerations section (see the update of RFC 2434 [I-D.narten-iana-considerations-rfc2434bis] for a guide). If the draft does not require IANA to do anything, the section contains an explicit statement that this is the case (as above). If there are no requirements for IANA, the section will be removed during conversion into an RFC by the RFC Editor. 8. Security Considerations All drafts are required to have a security considerations section. See RFC 3552 [RFC3552] for a guide. 9. References 9.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. Waltermire Expires January 3, 2013 [Page 9] Internet-Draft SACM Use Cases July 2012 [min_ref] authSurName, authInitials., "Minimal Reference", 2006. 9.2. Informative References [I-D.narten-iana-considerations-rfc2434bis] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", draft-narten-iana-considerations-rfc2434bis-09 (work in progress), March 2008. [RFC3552] Rescorla, E. and B. Korver, "Guidelines for Writing RFC Text on Security Considerations", BCP 72, RFC 3552, July 2003. Appendix A. Additional Stuff This becomes an Appendix if needed. Author's Address David Waltermire (editor) National Institute of Standards and Technology 100 Bureau Drive Gaithersburg, Maryland 20877 USA Phone: Email: david.waltermire@nist.gov Waltermire Expires January 3, 2013 [Page 10]