| Network Working Group | D.W. Waltermire, Ed. |
| Internet-Draft | NIST |
| Intended status: Informational | April 11, 2013 |
| Expires: October 13, 2013 |
Security Automation and Continuous Monitoring (SACM) Architecture
draft-waltermire-sacm-architecture-00
This document identifies the architectural components, data flows, and the supporting standards needed to define an interoperable automation infrastructure required to support timely, accurate and actionable situational awareness over an organization's IT systems. This architecture is based on previous use case and requirements analysis. Automation tools implementing the continuous monitoring approach described in this document will utilize this infrastructure together with existing and emerging event, incident and network management standards to provide visibility into the state of assets, user activities and network behavior. Stakeholders will be able to use these tools to aggregate and analyze relevant security and operational data to understand the organizations security posture, quantify business risk, and make informed decisions that support organizational objectives while protecting critical information. Organizations will be able to use these tools to augment and automate information sharing activities to collaborate with partners to identify and mitigate threats. Other automation tools will be able to integrate with these capabilities to enforce policies based on human decisions to harden systems, prevent misuse and reduce the overall attack surface.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 13, 2013.
Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
This document provides an architectural approach for addressing the orchestration, collection and analysis of endpoint posture. This architecture addresses the SACM Architecture milestone defined in the draft SACM charter. The focus of this architecture is to being to define an interoperable, automation infrastructure required to support timely, accurate and actionable situational awareness over an organization's IT systems. This document enumerates components, data flows and the supporting standards needed to achieve this vision.
The architecture identified in this document provides a foundation for creating interoperable automation tools and continuous monitoring solutions that provide visibility into the state of assets, user activities, and network behavior. Stakeholders will be able to use tools based on this architecture to aggregate and analyze relevant security and operational data pertaining to endpoints to understand the organizations security posture and make informed decisions that support organizational objectives while protecting critical information. Organizations will be able to use tools supporting this architecture to augment and automate information sharing activities to collaborate with partners to identify and mitigate threats. Other automation tools will be able to integrate with these capabilities to enforce policies based on human decisions to harden systems, prevent misuse and reduce the overall attack surface.
The architecture diagram in Figure 1 illustrates the overall architecture approach. It identifies the components that participate in the architecture and the data flows (DF) that enable information to be exchanged between them.
+-------------+ +--------------+
| | | |
| Evaluator |<---DF1--->| Content |<---DF1---------+
| | | Repository | |
+-------------+ | | |
^ ^ +--------------+ |
| | ^ |
| | | |
| | DF1 |
| | | |
| | V V
| | +--------------+ +----------+
| | | | | |
| +-------DF2--->| Controller |<---DF2--->| Sensor |
| | | | |
| +--------------+ +----------+
| | |
| | |
| DF3 |
| | |
| V |
| +-----------+ |
| | | |
+--------------DF4---->| Data |<-----DF3-alt-----+
| Storage |
| |
+-----------+
Figure 1
Add in glossary items from use cases?
Reference the SACM use cases document.
This section describes the functional components included in this architecture.
The Controller component is responsible for directing collection activities based on organizational security policy and available relevant metadata. It manages data collection tasks it receives, orchestrating sensors as needed to fulfill the tasks. The nature of the tasks received by the Controller may vary. They may be one-time tasks focused on collecting a single data set, reoccurring tasks that occur an a predefined interval, or real-time tasks that continue to collect information based on events
The controller provides the following functions:
The Controller interacts with other components in this architecture in the following ways:
A repository of security metadata that can be used to drive security-oriented processes (e.g. vulnerability, configuration, asset data, assessment/collection methods). This is long-lived, infrequently changing information that is provided from a variety of external information sources.
The methods used to maintain information in a content repository is currently out of scope.
An upstream component that queries collected state information to perform analysis generating measurements and compliances results.
Responsible for collecting actual system state information (e.g. configurations, software inventory, patch) based on data collection sub-tasks provided by the Controller. It uses data collection instructions provided by the content repository (e.g. SCAP-style assessment content). This could be an agent on an endpoint or a remote collection system with or without privileged access to the endpoint.
An upstream component that receives collected state information. This could be a data repository, an information processor that acts on the provided information or a process that routes information to other sources. This component supports SACM use cases UC2 and UC3.
The following data flows, also called interfaces, describe the nature of specific inter-component communications.
This data flow is used to provide any digital content and supporting metadata that is needed to drive data collection and analysis processes.
The following interactions are supported by this data flow:
This is a control channel that is used to enable dynamic management of the information collected by the Sensor. Data collection tasks containing instruction of what to collect, and potentially how to collect, are exchanged using this data flow. These instructions may point to assessment content stored in the Content Repository.
Used to make collected information available to other "upstream" components that archive the information for future use or perform additional analysis/processing.
Used by the Evaluator and other external components to query previously collected data.
Document where existing work exists, what is currently defined by SDOs, and any gaps that should be addressed. Point to existing standards when available. Describe emerging efforts that may be used for the creation of new standards. For gaps provide insight into what would be a good fit for SACM or another IETF working groups.
This will help us to identify what is needed for SACM to work on. This section will help determine which of the specifications can be normatively referenced and what needs to be addressed in the IETF. This should help us determine any protocol or guidance documentation we will need to generate.
Things to address:
The functional capabilities described in the SACM Use Cases document require a significant number of models to be selected or defined. A "model" in this sense is a logical arrangement of information that may have more than one syntactic binding. For the purpose of this document, only the logical data model is considered. However, where appropriate, example data models that may have well-defined syntactic expressions may be referenced.
Document these.
This memo includes no request to IANA.
All drafts are required to have an IANA considerations section (see RFC 5226 [RFC5226] for a guide). If the draft does not require IANA to do anything, the section contains an explicit statement that this is the case (as above). If there are no requirements for IANA, the section will be removed during conversion into an RFC by the RFC Editor.
All drafts are required to have a security considerations section. See RFC 3552 [RFC3552] for a guide.
The author would like to acknowledge the members of the SACM mailing list for their keen and insightful feedback on the concepts and text within this document.
| [RFC3552] | Rescorla, E. and B. Korver, "Guidelines for Writing RFC Text on Security Considerations", BCP 72, RFC 3552, July 2003. |
| [RFC5226] | Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 5226, May 2008. |
This becomes an Appendix if needed.