draft-ietf-sacm-terminology-09.txt vs. draft-ietf-sacm-terminology-10.txt

(Side-by-side diff of the two versions. Where the text differs, the
old text is marked -09 and the new text -10; entries present only in
-10 are marked "new in -10".)

SACM Working Group                                           H. Birkholz
Internet-Draft                                             Fraunhofer SIT
Intended status: Informational                                     J. Lu
Expires: September 22, 2016 (-09) / January 9, 2017 (-10)  Oracle Corporation
                                                           N. Cam-Winget
                                                           Cisco Systems
                                  March 21, 2016 (-09) / July 08, 2016 (-10)

      Secure Automation and Continuous Monitoring (SACM) Terminology
       draft-ietf-sacm-terminology-09 / draft-ietf-sacm-terminology-10

Abstract

   This memo documents terminology used in the documents produced by
   SACM (Security Automation and Continuous Monitoring).

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   (unchanged text skipped; next change at page 1, line 34 in both
   versions)

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 22, 2016 (-09) /
   January 9, 2017 (-10).

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents (page numbers: -09 / -10)

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . .  2 /  2
   2.  Terms and Definitions . . . . . . . . . . . . . . . . . .  2 /  2
   3.  IANA Considerations . . . . . . . . . . . . . . . . . . . 13 / 17
   4.  Security Considerations . . . . . . . . . . . . . . . . . 13 / 17
   5.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . 13 / 17
   6.  Change Log  . . . . . . . . . . . . . . . . . . . . . . . 13 / 17
   7.  Contributors  . . . . . . . . . . . . . . . . . . . . . . 15 / 20
   8.  Informative References  . . . . . . . . . . . . . . . . . 17 / 21
   Appendix A.  The Attic  . . . . . . . . . . . . . . . . . . . 17 / 22
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . 18 / 22

1.  Introduction

   Our goal with this document is to improve our agreement on the
   terminology used in documents produced by the IETF Working Group for
   Security Automation and Continuous Monitoring. Agreeing on
   terminology should help us reach consensus on which problems we are
   trying to solve, propose solutions, and decide which ones to use.

2.  Terms and Definitions

   (unchanged text skipped; next change at page 3, line 33 in both
   versions)

   Authorization:  Defined in [RFC4949] as "an approval that is granted
      to a system entity to access a system resource."

   Broker:  A broker is a specific controller type that contains control
      plane functions to provide and/or connect services on behalf of
      other SACM components via interfaces on the control plane. A
      broker may provide, for example, authorization services and find,
      upon request, SACM components providing requested services.

   Capability:

      -09:  The extent of a SACM component's ability enabled by the
         functions it is composed of. Capabilities are propagated by a
         SACM component and can be discovered by or negotiated with
         other SACM components. For example, the capability of a SACM
         Provider may be to provide endpoint management data, or only a
         subset of that data.

      -10:  In [I-D.ietf-i2nsf-terminology] a capability "defines a set
         of features that are available from a managed entity.
         Examples of "managed entities" are NSFs and Controllers, where
         NSF Capabilities and Controller Capabilities define
         functionality of an NSF and a Controller that may, but do not
         have to, be used, respectively. All Capabilities are announced
         through the Registration Interface."

         In the context of SACM, the extent of a SACM component's
         ability is enabled by the functions it is composed of.
         Capabilities are announced by a SACM component via the SACM
         component registration task and can be discovered by or
         negotiated with other SACM components. For example, the
         capability of a SACM Provider may be to provide endpoint
         management data, or only a subset of that data.
   Collection Result:  Information about a target endpoint that is
      produced by a collector conducting a collection task. A
      collection result is composed of one or more endpoint attributes.

   Collection Task:  The task by which endpoint attributes and/or
      corresponding attribute values about a target endpoint are
      collected.

      -09:  There are three types of collection tasks, each requiring
         an appropriate set of functions to be included in the SACM
         component conducting the collection task:

      -10:  The collection tasks are targeted at specific target
         endpoints and therefore are targeted tasks.

         There are three frequencies with which collection tasks can
         be conducted:

            ad-hoc, e.g. triggered by a specific event or a query

            scheduled, e.g. in regular intervals, such as every minute
            or weekly

            continuously, e.g. a network behavior observation

         There are three types of collection methods, each requiring
         an appropriate set of functions to be included in the SACM
         component conducting the collection task:

      Self-Reporting:  A SACM component located on the target endpoint
         itself conducts the collection task.

      Remote-Acquisition:  A SACM component located on an Endpoint
         different from the target endpoint conducts the collection
         task via interfaces available on the target endpoint, e.g.
         SNMP/NETCONF or WMI.

      Behavior-Observation:  A SACM component located on an Endpoint

   (unchanged text skipped; next change at page 4, line 23 (-09) /
   page 4, line 45 (-10))

         via interpretation of that network traffic.

   Collector:  A piece of software that acquires information about one
      or more target endpoints by conducting collection tasks. A
      collector provides acquired information to SACM components in the
      form of collection results. A SACM component that consumes
      collection results may take on the role of a provider and publish
      the collection results in a SACM domain. (TBD: A collector may
      not be a SACM component and therefore not part of a SACM domain.)

   Configuration Drift (new in -10):  The discrepancy between endpoint
      attributes representing the actual composition of a target
      endpoint (is-state) and its intended composition (should-state),
      within the scope of a valid target endpoint composition
      (could-state), due to continuous alteration of a target
      endpoint's composition over time. Configuration drift exists for
      both hardware components and software components. Typically, the
      frequency and scale of configuration drift of software components
      is significantly higher than that of hardware components.
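   The is-state / should-state / could-state distinction above is easy
   to get wrong in practice: a value that differs from the intended one
   is not automatically a violation if it is still a valid composition.
   The following is an added example, not text or code from the draft,
   that classifies each endpoint attribute against the three states and
   counts drift events per component class over a series of collection
   results. All attribute names, values and snapshots are constructed
   sample data.

```python
"""Added example, not part of the draft: computing configuration drift
from the three states the definition names.  should-state is the
intended composition (guidance), could-state the set of valid values
each attribute may legitimately take, is-state the composition as
collected.  Attribute names and values are constructed sample data."""
from typing import Dict, Iterable, Set

Verdicts = Dict[str, Dict[str, str]]


def classify_drift(should: Dict[str, str], could: Dict[str, Set[str]],
                   actual: Dict[str, str]) -> Verdicts:
    """One verdict per attribute in the union of should-state and is-state.

    conforms      : is-state equals should-state
    drift-valid   : differs from should-state but lies inside could-state
    drift-invalid : lies outside could-state (no valid composition has it)
    missing       : required by should-state, absent from is-state
    unexpected    : present in is-state, not covered by should-state
    """
    report: Verdicts = {}
    for attr in sorted(set(should) | set(actual)):
        if attr not in actual:
            report[attr] = {"verdict": "missing", "should": should[attr]}
            continue
        value = actual[attr]
        if attr not in should:
            verdict = "unexpected"
        elif value == should[attr]:
            verdict = "conforms"
        elif value in could.get(attr, set()):
            verdict = "drift-valid"
        else:
            verdict = "drift-invalid"
        report[attr] = {"verdict": verdict, "is": value,
                        "should": should.get(attr, "")}
    return report


def drift_changes(snapshots: Iterable[Dict[str, str]],
                  hardware_attrs: Set[str]) -> Dict[str, int]:
    """Count attribute changes between consecutive collection results,
    split by hardware and software components.  Added or removed
    attributes count as changes too."""
    changes = {"hardware": 0, "software": 0}
    prev = None
    for snap in snapshots:
        if prev is not None:
            for attr in set(prev) | set(snap):
                if prev.get(attr) != snap.get(attr):
                    kind = "hardware" if attr in hardware_attrs else "software"
                    changes[kind] += 1
        prev = snap
    return changes


# Constructed sample states for one target endpoint (assumed names).
HARDWARE_ATTRS = {"hw.nic.0.serial", "hw.cpu.model"}
SHOULD = {"hw.nic.0.serial": "SN-A1B2", "os.kernel": "5.10.0-23",
          "pkg.texteditor": "2.0", "svc.sshd.PermitRootLogin": "no",
          "svc.ntpd.enabled": "true"}
COULD = {"hw.nic.0.serial": {"SN-A1B2"},
         "os.kernel": {"5.10.0-23", "5.10.0-24"},
         "pkg.texteditor": {"2.0", "2.1"},
         "svc.sshd.PermitRootLogin": {"no", "prohibit-password"}}
IS = {"hw.nic.0.serial": "SN-A1B2", "os.kernel": "5.10.0-24",
      "pkg.texteditor": "1.9", "svc.sshd.PermitRootLogin": "yes",
      "pkg.nc": "1.10"}
SNAPSHOTS = [
    {"hw.nic.0.serial": "SN-A1B2", "os.kernel": "5.10.0-23", "pkg.texteditor": "2.0"},
    {"hw.nic.0.serial": "SN-A1B2", "os.kernel": "5.10.0-23", "pkg.texteditor": "2.1"},
    {"hw.nic.0.serial": "SN-A1B2", "os.kernel": "5.10.0-24", "pkg.texteditor": "2.1"},
]

if __name__ == "__main__":
    for attr, v in classify_drift(SHOULD, COULD, IS).items():
        print(f"{attr:28s} {v['verdict']}")
    print(drift_changes(SNAPSHOTS, HARDWARE_ATTRS))
```

   The split between "drift-valid" and "drift-invalid" is the point of
   the could-state: a newer kernel from the allowed set is drift that
   guidance may tolerate, whereas a value no valid composition contains
   should feed an evaluation or remediation task.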
   Consumer:  A consumer is a SACM role that is assigned to a SACM
      component that contains functions to receive information from
      other SACM components.

   Control Plane:  Typically used as a term in the context of routing,
      e.g. [RFC6192]. In the context of SACM, the control plane is an
      architectural component providing common control functions to all
      SACM components, including authentication, authorization,
      capability discovery or negotiation. The control plane
      orchestrates the flow on the data plane according to guidance and/

   (unchanged text skipped; next change at page 4, line 48 (-09) /
   page 5, line 32 (-10))

      component containing control plane functions that manage and
      facilitate information sharing or execute on security functions.
      There are three types of SACM controllers: Broker, Proxy, and
      Repository. Depending on its type, a controller can also contain
      functions that have interfaces on the data plane.

   Data Confidentiality:  Defined in [RFC4949] as "the property that
      data is not disclosed to system entities unless they have been
      authorized to know the data."

   Data In Motion (new in -10):  Data that is being transported via a
      network. Data in motion requires a data model to encode data in
      order to be transported. Typically, data in motion is serialized
      (marshalling) into a transport encoding by a provider of
      information and deserialized (unmarshalling) by a consumer of
      information.

      SACM architecture and corresponding models focus on data in
      motion.

   Data At Rest (new in -10):  Data that is stored in a repository.
      Data at rest requires a data model to encode data in order to be
      stored. In the context of SACM, data at rest located on a SACM
      component can be provided to other SACM components via
      discoverable capabilities.

      In the context of SACM, data models for data at rest are out of
      scope.

   Data Integrity:  Defined in [RFC4949] as "the property that data has
      not been changed, destroyed, or lost in an unauthorized or
      accidental manner."

   Data Origin:  One or more properties that enable a SACM component to
      identify the SACM component that initially acquired or produced
      data about a (target) endpoint (e.g. via collection from a data
      source).

   Data Plane:  Typically used as a term in the context of routing (and

   (unchanged text skipped; next change at page 5, line 41 (-09) /
   page 6, line 45 (-10))

      potentially an IP address once on the network. This includes:
      laptops, desktops, servers, cell phones, or any device that may
      have an IP address."

      To further clarify the [RFC5209] definition, an endpoint is any
      physical or virtual device that may have a network address. Note
      that network infrastructure devices (e.g. switches, routers,
      firewalls), which fit the definition, are also considered to be
      endpoints within this document.

      (new in -10) Physical endpoints are always composites that are
      composed of hardware components and software components. Virtual
      endpoints are composed entirely of software components and rely
      on software components that provide functions equivalent to
      hardware components.

      The SACM architecture differentiates two essential categories of
      endpoints: endpoints whose security posture is intended to be
      assessed (target endpoints) and endpoints that are specifically
      excluded from endpoint posture assessment (excluded endpoints).

      Based on the definition of an asset, an endpoint is a type of
      asset.

   Endpoint Attribute:  In the context of SACM, endpoint attributes are
      information elements that describe a characteristic of a target

   (unchanged text skipped; next change at page 6, line 21 (-09) /
   page 7, line 31 (-10))

      endpoint profile that is required as guidance for the tasks of
      endpoint classification or posture assessment.

   Endpoint Classification:  The task by which a discovered target
      endpoint is classified. Endpoint classification requires guidance
      in the form of an endpoint profile, discovery results and
      potentially collection results. Types, classes or the
      characteristics of an individual target endpoint are defined via
      endpoint profiles.

   Endpoint Management Capability (new in -10):  An enterprise IT
      capability managing endpoint identity, endpoint information, and
      associated metadata on an ongoing basis.

   Evaluation Task:  The task by which endpoint attributes are
      evaluated.

   Evaluation Result:  The resulting value from having evaluated a set
      of posture attributes.

   Excluded Endpoint:  A specific designation, which is assigned to an
      endpoint that is not supposed to be the subject of a collection
      task (and therefore is not a target endpoint). Typically but not
      necessarily, endpoints that contain a SACM component (and are

   (unchanged text skipped; next change at page 7, line 7 (-09) /
   page 8, line 20 (-10))

   SACM Function:  A behavioral aspect or capacity of a particular SACM
      component, which reflects that SACM component's purpose. For
      example, a SACM function with interfaces on the control plane can
      provide a brokering function to other SACM components. Via data
      plane interfaces, a function can act as a provider and/or as a
      consumer of information. SACM functions can be propagated as the
      capabilities of a SACM component and can be discovered by or
      negotiated with other SACM components.

   Guidance:  Input instructions (-09: "Input") to processes and tasks,
      such as collecting, assessing or reporting. Guidance influences
      the behavior of a SACM component and is considered content of the
      management plane. Guidance can be manually or automatically
      generated or provided. Typically, the tasks that provide guidance
      to SACM components have a low frequency and tend to be sporadic.
      A prominent example of guidance are target endpoint profiles, but
      guidance can have many forms, including:

      Configuration, e.g. a SACM component's name, or a CMDB's IPv6
      address.

      Profiles, e.g. a set of expected states for network behavior
      associated with target endpoints employed by specific users.

      Policies, e.g. an interval to refresh the registration of a SACM
      component, or a list of required capabilities for SACM components
      in a specific location.

   Hardware Component (new in -10):  Hardware components are the
      distinguishable physical components that compose an endpoint.
      The composition of an endpoint can be changed over time by adding
      or removing hardware components. In essence, every physical
      endpoint is potentially a composite of multiple hardware
      components, typically resulting in a hierarchical composition of
      hardware components. The composition of hardware components is
      based on interconnects provided by specific hardware types (e.g.
      a mainboard is a hardware type that provides local busses as an
      interconnect). In general, a hardware component can be
      distinguished by its serial number. Occasionally, hardware
      components are referred to as power-sucking aliens.

   Hardware Inventory (new in -10):  The list of hardware components
      that compose a specific endpoint, representing its hardware
      configuration.

   Hardware Type (new in -10):  Hardware types define specific and
      distinguishable categories of hardware components that can be
      part of endpoints, e.g. CPU or 802.11p interface. Typically,
      hardware types can be distinguished by their vendor-assigned
      names, names of standards used, or a model name.

   Information Model:  An information model is an abstract
      representation of data, their properties, relationships between
      data and the operations that can be performed on the data. While
      there is some overlap with a data model, [RFC3444] distinguishes
      an information model as being protocol and implementation neutral
      whereas a data model would provide such details. The purpose of
      the SACM information model is to ensure interoperability between
      SACM data models (that are used as transport encoding) and to
      provide a standardized set of information elements for
      communication between SACM components.

   (unchanged text skipped; next change at page 9, line 34 (-09) /
   page 11, line 22 (-10))

      in the SACM architecture.

   Repository:  A repository is a specific controller type that contains
      functions to consume, store and provide information of a
      particular kind - typically data transported on the data plane,
      but potentially also data and metadata from the control and
      management plane. A single repository may provide the functions
      of more than one specific repository type (i.e. configuration
      baseline repository, assessment results repository, etc.)

   SACM Component:

      (new in -10) A component is defined in
      [I-D.ietf-i2nsf-terminology] as "an encapsulation of software that
      communicates using Interfaces. A Component may be implemented by
      hardware and/or Software, and be represented using a set of
      classes. In general, a Component encapsulates a set of data
      structures as well as a set of algorithms that implement the
      functions that it provides."

      In the context of SACM, a set of SACM functions composes a SACM
      component. A SACM component conducts SACM tasks, acting on
      control plane, data plane and/or management plane via
      corresponding SACM interfaces. SACM defines a set of standard
      components (e.g. a collector, a broker, or a data store). A SACM
      component contains at least a basic set of control plane functions
      and can contain data plane and management plane functions. A SACM
      component residing on an endpoint assigns one or more SACM roles
      to the corresponding endpoint due to the SACM functions it is
      composed of. A SACM component "resides on" an endpoint and an
      endpoint "contains" a SACM component, correspondingly. For
      example, a SACM component that is composed solely of functions
      that provide information would only take on the role of a
      provider.

   SACM Component Discovery:

      -09:  The function by which a SACM component (e.g. by role,
         capabilities, or data provided/consumed) can be discovered.

      -10:  The task of brokering appropriate SACM components according
         to their capabilities or roles on request.

         Input: Query

         Output: a list of SACM components including metadata
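   The Capability entry (announcement via the registration task,
   discovery and negotiation) and the SACM Component Discovery entry
   (query in, list of components with metadata out) describe the two
   halves of one control-plane exchange. The following is an added
   example, not code from the draft or from any SACM implementation,
   of a broker that holds the registry and answers such queries. The
   component names, capability strings and "location" metadata are
   assumptions chosen for illustration; the draft does not define them.

```python
"""Added example, not part of the draft: a minimal control-plane broker
that implements the SACM component registration task (announcing
capabilities) and SACM component discovery (query in, list of
components with metadata out).  Component names, capability strings and
the "location" metadata are assumptions chosen for illustration."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

# The three SACM roles named in the draft.
VALID_ROLES: FrozenSet[str] = frozenset({"provider", "consumer", "controller"})


@dataclass(frozen=True)
class Component:
    name: str                      # assumed identifier, e.g. "collector-1"
    roles: FrozenSet[str]          # subset of VALID_ROLES
    capabilities: FrozenSet[str]   # capabilities announced at registration
    location: str = ""             # metadata handed back by discovery


class Broker:
    """Controller of type Broker: keeps the registry and answers queries."""

    def __init__(self) -> None:
        self._registry: Dict[str, Component] = {}

    def register(self, component: Component) -> None:
        """SACM component registration task: announce roles and capabilities."""
        unknown = component.roles - VALID_ROLES
        if unknown:
            raise ValueError(f"unknown SACM role(s): {sorted(unknown)}")
        if not component.roles:
            raise ValueError("a SACM component takes on at least one role")
        self._registry[component.name] = component

    def deregister(self, name: str) -> None:
        """Withdrawn or expired registrations are dropped from the registry."""
        self._registry.pop(name, None)

    def discover(self, role: Optional[str] = None,
                 capabilities: Optional[Set[str]] = None) -> List[dict]:
        """SACM component discovery.  Input: a query on role and/or
        required capabilities.  Output: matching components with metadata.
        Every requested capability must be present (subset match)."""
        wanted = frozenset(capabilities or ())
        hits = []
        for comp in self._registry.values():
            if role is not None and role not in comp.roles:
                continue
            if not wanted <= comp.capabilities:
                continue
            hits.append({"name": comp.name,
                         "roles": sorted(comp.roles),
                         "capabilities": sorted(comp.capabilities),
                         "location": comp.location})
        return sorted(hits, key=lambda h: h["name"])

    def negotiate(self, needed: Set[str]) -> dict:
        """Capability negotiation: choose the provider covering most of
        `needed` and report what remains uncovered, so a consumer can
        settle for a subset of the data it asked for."""
        best, covered = None, frozenset()
        for comp in self._registry.values():
            if "provider" not in comp.roles:
                continue
            hit = comp.capabilities & frozenset(needed)
            if len(hit) > len(covered):
                best, covered = comp, hit
        return {"provider": best.name if best else None,
                "covered": sorted(covered),
                "missing": sorted(frozenset(needed) - covered)}


def build_demo_broker() -> Broker:
    """Constructed sample domain: two providers and one consumer."""
    broker = Broker()
    broker.register(Component("collector-1", frozenset({"provider"}),
                              frozenset({"endpoint-mgmt-data", "sw-inventory"}),
                              "site-a"))
    broker.register(Component("collector-2", frozenset({"provider"}),
                              frozenset({"sw-inventory", "hw-inventory"}),
                              "site-b"))
    broker.register(Component("evaluator-1", frozenset({"consumer"}),
                              frozenset({"posture-evaluation"}), "site-a"))
    return broker


if __name__ == "__main__":
    b = build_demo_broker()
    print(b.discover(role="provider", capabilities={"sw-inventory"}))
    print(b.negotiate({"endpoint-mgmt-data", "hw-inventory", "sw-inventory"}))
```

   A real broker would sit behind the control plane's authentication
   and authorization functions; here the registry accepts any caller,
   which is the one thing this sketch deliberately leaves out.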
SACM Domain: Endpoints that include a SACM component compose a SACM SACM Domain: Endpoints that include a SACM component compose a SACM
domain. (To be revised, additional definition content TBD, domain. (To be revised, additional definition content TBD,
possible dependencies to SACM architecture) possible dependencies to SACM architecture)
SACM Interface: An interface is defined in
[I-D.ietf-i2nsf-terminology] as "A set of operations one object
knows it can invoke on, and expose to, another object. This
decouples the implementation of the operation from its
specification. An interface is a subset of all operations that a
given object implements. The same object may have multiple types
of interfaces to serve different purposes."
In the context of SACM, SACM Funktions provide SACM Interfaces on
the management, control, or data plane. Operations a SACM
Interface provides are based on corresponding data model defined
by SACM. SACM Interfaces are used for communication between SACM
components.
SACM Role: A role is defined in [I-D.ietf-i2nsf-terminology] as "an
abstraction of a Component that models context-specific views and
responsibilities of an object as separate role objects that can be
statically or dynamically attached to (and removed from) the
object that the role object describes. This provides three
important benefits. First, it enables different behavior to be
supported by the same Component for different contexts. Second,
it enables the behavior of a Component to be adjusted dynamically
(i.e., at runtime, in response)to changes in context, by using one
or more Roles to define the behavior desired for each context.
Third, it decouples the Roles of a Component from the Applications
that use that Component."
In the context of SACM, SACM roles are associated with SACM
components and are defined by the set of functions and interfaces
a SACM component includes. There are three SACM roles: provider,
consumer, and controller. The roles associated with a SACM
component are determined by the purpose of the SACM functions and
corresponding SACM interfaces the SACM component is composed of.
Security Automation: The process of which security alerts can be Security Automation: The process of which security alerts can be
automated through the use of different tools to monitor, evaluate automated through the use of different tools to monitor, evaluate
and analyze endpoint and network traffic for the purposes of and analyze endpoint and network traffic for the purposes of
detecting misconfigurations, misbehaviors or threats. detecting misconfigurations, misbehaviors or threats.
Software Package: A generic software package (e.g. a text editor). Software Package: A generic software package (e.g. a text editor).
Software Component: A software package installed on an endpoint, Software Component: A software package installed on an endpoint,
including a unique serial number if present (e.g. a text editor including a unique serial number if present (e.g. a text editor
associated with a unique license key). associated with a unique license key).
skipping to change at page 11, line 12 skipping to change at page 13, line 39
(even if it is not actively under assessment at all times) or (even if it is not actively under assessment at all times) or
"endpoint of interest". Every endpoint that is not specifically "endpoint of interest". Every endpoint that is not specifically
designated as an excluded endpoint is a target endpoint. A target designated as an excluded endpoint is a target endpoint. A target
endpoint is not part of a SACM domain unless it contains a SACM endpoint is not part of a SACM domain unless it contains a SACM
component (e.g. a SACM component that publishes collection results component (e.g. a SACM component that publishes collection results
coming from an internal collector). coming from an internal collector).
A target endpoint is similar to a device that is a Target of A target endpoint is similar to a device that is a Target of
Evaluation (TOE) as defined in Common Criteria. Evaluation (TOE) as defined in Common Criteria.
Target Endpoint Discovery: The function by which target endpoints Target Endpoint Characterization Record: A set of endpoint
can be discovered. The output of target endpoint discovery attributes about a target endpoint that was encountered in a SACM
typically includes identifying endpoint attributes. domain, which are associated with a target endpoint by being
included in the corresponding record. A characterization record
is intended to be a representation of an endpoint. It cannot be
assured that a record distinctly represents a single target
endpoint unless a set of one or more endpoint attributes that
compose a unique set of identifying endpoint attributes are
included in the record. Otherwise, the set of identifying
attributes included in a record can match more than one target
endpoints, which are - in consequence - indistinguishable to a
SACM domain until more qualifying endpoint attributes can be
acquired and added to the record. A characterization record is
maintained over time in order to assert that acquired endpoint
attributes are either about an endpoint that was encountered
before or an endpoint that has not been encountered before in a
SACM domain. A characterization record can include, for example,
acquired configuration, state or observed behavior of a specific
target endpoint. Multiple and even conflicting instances of this
information can be included in a characterization record by using
timestamps and/or data origins to differentiate them. The
endpoint attributes included in a characterization record can be
used to re-identify a distinct target endpoint over time. Classes
or profiles can be associated with a characterization record via
the Classification Task in order to guide collection, evaluation
or remediation tasks.
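Review bot: "can match more than one target endpoints, which are - in consequence - indistinguishable" should read "more than one target endpoint, which are consequently indistinguishable"; more importantly, the record is allowed to hold "multiple and even conflicting instances" of configuration, state or observed behaviour (distinguished by timestamps and/or data origins), and the same entry says the attributes are used "to re-identify a distinct target endpoint over time", but nothing says which instance is authoritative for the identifying subset when they conflict. Suggest one sentence, e.g. that re-identification uses only the identifying attributes whose data origin is a SACM component, since the Timestamps entry below states that time sources outside a SACM domain cannot be assumed synchronized or trustworthy.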
Target Endpoint Identifier: The target endpoint discovery process Target Endpoint Characterization Task: An ongoing task of
and collection tasks targeted at target endpoints can result in a continuously adding acquired endpoint attributes to a
set of identifying endpoint attributes. This set of identifying corresponding record. The TE characterization task manages the
endpoint attributes is used as a target endpoint identifier representation of encountered target endpoints in the SACM domain
referring to a specific target endpoint. Depending on the in the form of characterization records. For example, the output
available identifying attributes this reference can be ambiguous of a target endpoint discovery task or a collection task can be
and is a "best-effort" mechanism. Every distinct set of processed by the characterization task and added to the record.
identifying endpoint attributes can be associated with a unique The TE characterization Task also manages these representations of
target endpoint label. target endpoints encountered in the SACM domain by splitting or
merging the corresponding records as new or more refined endpoint
attributes become available.
Input: discovered target endpoint attributes, endpoint attribute
collection, existing characterization records
Output: target endpoint characterization records
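Review bot: the splitting and merging sentence ("by splitting or merging the corresponding records as new or more refined endpoint attributes become available") has no stated effect on the Target Endpoint Label, which the Target Endpoint Label entry below says is unique in a SACM domain and references one distinct set of identifying attributes; after a merge two labels refer to one record, and after a split one label covers two. Suggest extending the Output line to include the resulting label changes (labels retired, labels newly created) so that consumers of earlier results can re-associate them, or stating explicitly that a label is never reused once its record has been merged away.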
Target Endpoint Classification Task: The task of associating a class
from an extensible list of classes with an endpoint
characterization record. TE classes function as guidance for
collection, evaluation, remediation and security posture
assessment in general.
Input: endpoint characterization records (without classification),
guidance (how to classify a record)
Output: endpoint characterization records (with classification)
Target Endpoint Discovery Task: The ongoing task of detecting
previously unknown interaction of a potential target endpoint in
the SACM domain. TE Discovery is not directly targeted at a
specific target endpoint and therefore an un-targeted task. SACM
Components conducting the discovery task as a part of their
function are typically distributed and located, for example, on
infrastructure components or collect from those remotely via
appropriate interfaces. Examples of infrastructure components
that are of interest to the discovery task include routers,
switches, VM hosting or VM managing components, AAA servers, or
servers handling dynamic address distribution.
Input: endpoint attributes acquired via local or remote interfaces
Output: endpoint attributes including metadata such as data source
or data origin
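Review bot: the Output line ("endpoint attributes including metadata such as data source or data origin") should also record whether an attribute was observed by the infrastructure component or merely presented to it by the potential target endpoint, because the listed sources (routers, switches, VM hosting or managing components, AAA servers, address distribution servers) largely relay what an endpoint claimed, and the Target Endpoint Identifier entry already calls the resulting reference "best-effort". Without that distinction a downstream Classification Task cannot separate observed attributes from asserted ones. A timestamp of the observation belongs in the same metadata, given the remark under Timestamps that assurance of time is lower outside a SACM domain.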
Target Endpoint Identifier: The target endpoint discovery task and
the collection tasks can result in a set of identifying endpoint
attributes added to a corresponding Characterization Record. This
subset of the endpoint attributes included in the record is used
as a target endpoint identifier, by which a specific target
endpoint can be referenced. Depending on the available
identifying attributes, this reference can be ambiguous and is a
"best-effort" mechanism. Every distinct set of identifying
endpoint attributes can be associated with a target endpoint label
that is unique in a SACM domain.
Target Endpoint Label: An artificially created id that references a Target Endpoint Label: An artificially created id that references a
distinct set of identifying attributes (Target Endpoint distinct set of identifying attributes (Target Endpoint
Identifier). A target endpoint label is unique in a SACM domain Identifier). A target endpoint label is unique in a SACM domain
and created by a SACM component that contains an appropriate and created by a SACM component that provides the appropriate
function. function as a capability.
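Review bot: "A target endpoint label is unique in a SACM domain" is easy to read as uniqueness of the endpoint, whereas the Identifier entry directly above says the identifying attribute set "can be ambiguous and is a 'best-effort' mechanism" and the Characterization Record entry says one record may match several indistinguishable endpoints. Suggest "unique to that set of identifying attributes within a SACM domain" so that a label is understood as naming an attribute set, not a physical device.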
Target Endpoint Profile: A bundle of expected or desired Target Endpoint Profile: A bundle of expected or desired
configurations and states (typically a composition of endpoint configurations and states (typically a composition of endpoint
attribute value pairs) that can be associated with a target attribute value pairs) that can be associated with a target
endpoint. The corresponding task by which the association with a endpoint. The corresponding task by which the association with a
target endpoint takes places is the endpoint classification. The target endpoint takes places is the endpoint classification. The
task by which a endpoint profile is created is the endpoint task by which an endpoint profile is created is the endpoint
characterization. A type or class of target endpoints is defined characterization. A type or class of target endpoints is defined
within a target endpoint profile, e.g. printer, smartphone, or an within a target endpoint profile, e.g. printer, smartphone, or an
office PC. office PC.
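Review bot: the Profile entry still says "The task by which an endpoint profile is created is the endpoint characterization", but the newly added Target Endpoint Characterization Task is defined as adding acquired attributes to a characterization record and splitting or merging records, not as producing bundles of expected or desired configurations; meanwhile the Characterization Record entry says classes "or profiles" are attached "via the Classification Task", whose Input line lists "guidance (how to classify a record)". Suggest stating that profiles are guidance consumed by the Classification Task and dropping the sentence that attributes their creation to characterization. Also "takes places" should be "takes place" (present in both columns).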
(SACM) Task: [TBD conflicts in definitions of specific tasks] A SACM SACM Task: A SACM task is conducted by one or more SACM functions
task is conducted by one or more SACM functions that reside on a that reside on a SACM component (e.g. a collection task or
SACM component (e.g. a collection task or endpoint endpoint characterization). A SACM task can be triggered by other
characterization). A SACM task can be triggered by other
operations or functions (e.g. a query from another SACM component operations or functions (e.g. a query from another SACM component
or an unsolicited push due to a subscription on the data plane). or an unsolicited push on the data plane due to an ongoing
A task is part of a SACM process chain. A task starts at a given subscription). A task is part of a SACM process chain. A task
point in time and ends in a deterministic state. With the starts at a given point in time and ends in a deterministic state.
exception of a collection task, a SACM task consumes SACM content. With the exception of a collection task, a SACM task consumes SACM
The output of a task is a result that can be provided (e.g. statements provided by other SACM components. The output of a
task is a result that can be provided (e.g. published) on the data
plane. There following tasks are defined by SACM:
published) on the data plane. There are six fundamental tasks Target Endpoint Discovery
defined in SACM:
Asset Classification: Map the assets on the target endpoints to Target Endpoint Characterization
asset classes. This enables identification of the attributes
needed to exchange information pertaining to the target endpoint.
[the label now conflicts with Endpoint Classification]
Attribute Definition: Define the attributes desired to be Target Endpoint Classification
collected from each target endpoint. This is what we want to know
about a target endpoint. For instance, organizations will want to
know what software is installed and its many critical security
attributes such as patch level.
Policy Definition: This is where an organization can express its Collection
policy for acceptable or problematic values of an endpoint
attribute. The expected values of an endpoint attribute are
determined for later comparison against the actual endpoint
attribute values during the evaluation process. Expected values
may include both those values which are good as well as those
values which represent problems, such as vulnerabilities. The
organization can also specify the endpoint attributes that are to
be present for a given target endpoint.
Information Collection: Collect information (attribute values) Evaluation [TBD]
from the target endpoint to populate the endpoint data.
Endpoint Assessment: Evaluate the actual values of the endpoint Information Sharing [TBD]
attributes against those expressed in the policy. (An evaluation
result may become additional endpoint data).
Result Reporting: Report the results of the evaluation for use by SACM Component Discovery
other components. Examples of use of a report would be additional
evaluation, network enforcement, vulnerability detection, and SACM Component Authentication [TBD]
license management.
SACM Component Authorization [TBD]
SACM Component Registration [TBD]
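Review bot: the rewritten entry replaces six described tasks with a list of ten names, five of them "[TBD]", and in doing so drops the old Policy Definition text that expected values "may include both those values which are good as well as those values which represent problems, such as vulnerabilities" and the old Result Reporting text naming consumers such as network enforcement, vulnerability detection and license management; the change log below records this only as "Relabled SACM Task" and "Major Updates". Suggest a one-line description for each listed task, or at minimum a pointer from "Evaluation [TBD]" to the new Vulnerability Detection Data entry, which is the closest remaining home for the removed expected-value content. Also "There following tasks are defined by SACM" should read "The following tasks are defined by SACM".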
Timestamps : Defined in [RFC4949] as "with respect to a data object, Timestamps : Defined in [RFC4949] as "with respect to a data object,
a label or marking in which is recorded the time (time of day or a label or marking in which is recorded the time (time of day or
other instant of elapsed time) at which the label or marking was other instant of elapsed time) at which the label or marking was
affixed to the data object" and as "with respect to a recorded affixed to the data object" and as "with respect to a recorded
network event, a data field in which is recorded the time (time of network event, a data field in which is recorded the time (time of
day or other instant of elapsed time) at which the event took day or other instant of elapsed time) at which the event took
place.". place.".
This term is used in SACM to describe a recorded point in time at This term is used in SACM to describe a recorded point in time at
which an endpoint attribute is created or updated by a target which an endpoint attribute is created or updated by a target
endpoint and observed, transmitted or processed by a SACM endpoint and observed, transmitted or processed by a SACM
component. Timestamps can be created by target endpoints or SACM component. Timestamps can be created by target endpoints or SACM
components and are associated with endpoint attributes provided or components and are associated with endpoint attributes provided or
consumed by SACM components. Outside of the domain of SACM consumed by SACM components. Outside of the domain of SACM
components the assurance of correctness of time stamps is components the assurance of correctness of time stamps is
typically significantly lower than inside a SACM domain. In typically significantly lower than inside a SACM domain. In
general, it cannot be simply assumed that the source of time a general, it cannot be simply assumed that the source of time a
target endpoint uses is synchronized or trustworthy. target endpoint uses is synchronized or trustworthy.
Vulnerability Assessment: The process of determining whether a set
of endpoints is vulnerable according to the information contained
in the vulnerability description information.
Vulnerability Description Information: Information pertaining to the
existence of a flaw or flaws in software, hardware, and/or
firmware, which could potentially have an adverse impact on
enterprise IT functionality and/or security. Vulnerability
description information should contain enough information to
support vulnerability detection.
Vulnerability Detection Data: A type of guidance extracted from
vulnerability description information that describes the specific
mechanisms of vulnerability detection that is used by an
enterprise's vulnerability management capability to determine if a
vulnerability is present on an endpoint.
Vulnerability Management Capability: An enterprise IT capability
managing endpoint vulnerabilities and associated metadata on an
ongoing basis by ingesting vulnerability description information
and vulnerability detection data, and performing a vulnerability
assessment.
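Review bot: Vulnerability Assessment is defined as determining vulnerability "according to the information contained in the vulnerability description information", but the next two entries say detection is performed with Vulnerability Detection Data extracted from that information, and the Management Capability ingests both; as written the three entries name two different inputs for the same decision. Suggest that Vulnerability Assessment reference vulnerability detection data, with description information as its source, and that its result be named as an input to the Evaluation task listed under SACM Task, which is still marked [TBD].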
3. IANA Considerations 3. IANA Considerations
This memo includes no request to IANA. This memo includes no request to IANA.
4. Security Considerations 4. Security Considerations
This memo documents terminology for security automation. While it is This memo documents terminology for security automation. While it is
about security, it does not affect security. about security, it does not affect security.
5. Acknowledgements 5. Acknowledgements
skipping to change at page 15, line 41 skipping to change at page 19, line 50
o Removed Building Block. o Removed Building Block.
o Major updates to Control Plane, Endpoint Attribute, Expected o Major updates to Control Plane, Endpoint Attribute, Expected
Endpoint State, Information Model, Management Plane. Endpoint State, Information Model, Management Plane.
o Minor updates to Attribute, Capabilities, SACM Function, SACM o Minor updates to Attribute, Capabilities, SACM Function, SACM
Component, Collection Task. Component, Collection Task.
o Moved Asset Characterization to The Attic. o Moved Asset Characterization to The Attic.
Changes from version 09 to version 10:
o Added Configuration Drift, Data in Motion, Data at Rest, Endpoint
Management Capability, Hardware Component, Hardware Inventory,
Hardware Type, SACM Interface, Target Endpoint Characterization
Record, Target Endpoint Characterization Task, Target Endpoint
Classification Task, Target Endpoint Discovery Task, Vulnerability
Description Information, Vulnerability Detection Data,
Vulnerability Management Capability, Vulnerability Assessment
o Added references to i2nsf definitions in Capability, SACM
Component, SACM Interface, SACM Role
o Added i2nsf Terminology I-D Reference
o Major Updates to Endpoint, SACM Task, Target Endpoint Identifier
o Minor Updates to Guidance, SACM Component Discovery, Target
Endpoint Label, Target Endpoint Profile
o Relabled SACM Task
o Removed Target Endpoint Discovery
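Review bot: "Relabled" should be "Relabeled", and "Removed Target Endpoint Discovery" alongside "Added ... Target Endpoint Discovery Task" reads as a removal when the old entry's output ("identifying endpoint attributes") survives as the Discovery Task's Output line; suggest "Replaced Target Endpoint Discovery by Target Endpoint Discovery Task". The list also does not mention that the SACM Task entry now carries five "[TBD]" items, which readers of a change log would want flagged as open.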
7. Contributors 7. Contributors
John Strassner
Huawei
Santa Clara, CA
USA
Email: john.sc.strassner@huawei.com
David Waltermire David Waltermire
National Institute of Standards and Technology National Institute of Standards and Technology
100 Bureau Drive 100 Bureau Drive
Gaithersburg, MD 20877 Gaithersburg, MD 20877
USA USA
Email: david.waltermire@nist.gov Email: david.waltermire@nist.gov
Adam W. Montville Adam W. Montville
Center for Internet Security Center for Internet Security
skipping to change at page 16, line 10 skipping to change at page 21, line 4
Email: david.waltermire@nist.gov Email: david.waltermire@nist.gov
Adam W. Montville Adam W. Montville
Center for Internet Security Center for Internet Security
31 Tech Valley Drive 31 Tech Valley Drive
East Greenbush, NY 12061 East Greenbush, NY 12061
USA USA
Email: adam.w.montville@gmail.com Email: adam.w.montville@gmail.com
David Harrington David Harrington
Effective Software Effective Software
50 Harding Rd 50 Harding Rd
Portsmouth, NH 03801 Portsmouth, NH 03801
USA USA
Email: ietfdbh@comcast.net Email: ietfdbh@comcast.net
Nancy Cam-Winget
Cisco Systems
3550 Cisco Way
San Jose, CA 95134
USA
Email: ncamwing@cisco.com
Jarrett Lu
Oracle Corporation
4180 Network Circle
Santa Clara, CA 95054
USA
Email: jarrett.lu@oracle.com
Brian Ford Brian Ford
Lancope Lancope
3650 Brookside Parkway, Suite 500 3650 Brookside Parkway, Suite 500
Alpharetta, GA 30022 Alpharetta, GA 30022
USA USA
Email: bford@lancope.com Email: bford@lancope.com
Merike Kaeo Merike Kaeo
Double Shot Security Double Shot Security
3518 Fremont Avenue North, Suite 363 3518 Fremont Avenue North, Suite 363
Seattle, WA 98103 Seattle, WA 98103
USA USA
Email: merike@doubleshotsecurity.com Email: merike@doubleshotsecurity.com
8. Informative References 8. Informative References
[I-D.ietf-i2nsf-terminology]
Hares, S., Strassner, J., Lopez, D., and L. Xia,
"Interface to Network Security Functions (I2NSF)
Terminology", draft-ietf-i2nsf-terminology-00 (work in
progress), May 2016.
[RFC3444] Pras, A. and J. Schoenwaelder, "On the Difference between [RFC3444] Pras, A. and J. Schoenwaelder, "On the Difference between
Information Models and Data Models", RFC 3444, DOI Information Models and Data Models", RFC 3444,
10.17487/RFC3444, January 2003, DOI 10.17487/RFC3444, January 2003,
<http://www.rfc-editor.org/info/rfc3444>. <http://www.rfc-editor.org/info/rfc3444>.
[RFC4949] Shirey, R., "Internet Security Glossary, Version 2", FYI [RFC4949] Shirey, R., "Internet Security Glossary, Version 2",
36, RFC 4949, DOI 10.17487/RFC4949, August 2007, FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
<http://www.rfc-editor.org/info/rfc4949>. <http://www.rfc-editor.org/info/rfc4949>.
[RFC5209] Sangster, P., Khosravi, H., Mani, M., Narayan, K., and J. [RFC5209] Sangster, P., Khosravi, H., Mani, M., Narayan, K., and J.
Tardo, "Network Endpoint Assessment (NEA): Overview and Tardo, "Network Endpoint Assessment (NEA): Overview and
Requirements", RFC 5209, DOI 10.17487/RFC5209, June 2008, Requirements", RFC 5209, DOI 10.17487/RFC5209, June 2008,
<http://www.rfc-editor.org/info/rfc5209>. <http://www.rfc-editor.org/info/rfc5209>.
[RFC6192] Dugal, D., Pignataro, C., and R. Dunn, "Protecting the [RFC6192] Dugal, D., Pignataro, C., and R. Dunn, "Protecting the
Router Control Plane", RFC 6192, DOI 10.17487/RFC6192, Router Control Plane", RFC 6192, DOI 10.17487/RFC6192,
March 2011, <http://www.rfc-editor.org/info/rfc6192>. March 2011, <http://www.rfc-editor.org/info/rfc6192>.
 End of changes. 38 change blocks. 
125 lines changed or deleted 344 lines changed or added
