A Model for Exchanging Vulnerability Information draft-booth-sacm-vuln-model-01 David Waltermire.

Slides:



Advertisements
Similar presentations
ID-06 Building a User-Driven GEOSS Essential Components of User Management for GEO Tasks.
Advertisements

Cyber Defence Data Exchange and Collaboration Infrastructure (CDXI)
Federal Desktop Core Configuration and the Security Content Automation Protocol Peter Mell, National Vulnerability Database National Institute of Standards.
MODELING THE TESTING PROCESS Formal Testing (1.0) Requirements Software Design Risk Data Approved, Debugged, Eng. Tested Code Automated Test Tools Tested.
Managed Incident Lightweight Exchange (MILE) Overview and Participation Kathleen Moriarty Global Lead Security Architect EMC Corporate CTO Office.
PowerPoint Presentation by Charlie Cook Copyright © 2004 South-Western. All rights reserved. Chapter 14 The Business Reporting (BR) Process.
Cyber Security: Past and Future John M. Gilligan CERT’s 20 th Anniversary Technical Symposium Pittsburgh, PA March 10, 2009.
SACM Terminology Nancy Cam-Winget, David Waltermire, March.
SCAP: Automating Our Way Out Of The Vulnerability Wheel Of Pain AppSec DC Ed Bellis VP, CISO Orbitz Worldwide
The State of Security Management By Jim Reavis January 2003.
INCH Requirements IETF Interim meeting, Uppsala, Feb.2003.
Software Configuration Management (SCM)
SECURITY SIG IN MTS 28 TH JANUARY 2015 PROGRESS REPORT Fraunhofer FOKUS.
Business Intelligence Dr. Mahdi Esmaeili 1. Technical Infrastructure Evaluation Hardware Network Middleware Database Management Systems Tools and Standards.
Vulnerability Assessments
Configuration Management
Software testing standards ISO/IEC and 33063
1 Introducing Reportnet Miruna Badescu. 2 A linear view of Reportnet process.
Talend 5.4 Architecture Adam Pemble Talend Professional Services.
The Development of a Common Vulnerability Enumeration Vulnerabilities and Exposures List Steven M. Christey David W. Baker William H. Hill David E. Mann.
Automated XML Content Data Exchange and Management draft-waltermire-content-repository-00
Learning with a Purpose: Learning Management Systems Patti Holub, Director District Initiatives and Special Projects Miguel Guhlin, Director Instructional.
© 2011 The MITRE Corporation. All rights Reserved. Approved for Public Release: Distribution Unlimited You’re Not Done (Yet) Turning Securable.
Know the Difference™ ITIL Solution Martin Perlin Marketing Director, Evolven BOOST YOUR ITIL ® INITIATIVES Evolven Comparison assists in many ITIL v3 areas.
IODEF Design principles and IODEF Data Model Overview IODEF Data Model and XML DTD pre-draft Version 0.03 TERENA IODEF WG Yuri Demchenko.
Statistics New Zealand Classification Management System Andrew Hancock Statistics New Zealand Prepared for 2013 Meeting of the UN Expert Group on International.
Patch Management Only part of the solution….. Bob Isaak Mar 04, 2004.
 To explain the importance of software configuration management (CM)  To describe key CM activities namely CM planning, change management, version management.
Automating STIGs: The Transition to CCI and SRG
Automating Enterprise IT Management by Leveraging Security Content Automation Protocol (SCAP) John M. Gilligan May, 2009.
Secure Cloud Solutions Open Government Forum Abu Dhabi April 2014 Karl Chambers CISSP PMP President/CEO Diligent eSecurity International.
Database Administration COMSATS INSTITUTE OF INFORMATION TECHNOLOGY, VEHARI.
National Information Exchange Model Update for the Global Advisory Committee Spring 2008 Meeting April 10, 2008 NIEM Technical Architecture Committee (NTAC)
Synergy of the SCAP Program and IETF Activities BOF
Terminology and Use Cases Status Report David Harrington IETF 88 – Nov Security Automation and Continuous Monitoring WG.
Maintaining and Updating Windows Server Monitoring Windows Server It is important to monitor your Server system to make sure it is running smoothly.
Security Automation May 26th, Security Automation: the challenge “Tower of Babel” – Too much proprietary, incompatible information – Costly – Error.
The Real Deal With SIM/SEM The Promise of Security Information / Event Management Scott Sidel Sr. Security Manager Computer Sciences Corp.
SACM Scope Discussion IETF-92 Meeting March 23, 2015 Dave Waltermire Adam Montville.
Objective: Enable portability and semi-automatic management of applications across clouds regardless of provider platform or infrastructure thus expanding.
Metadata and Meta tag. What is metadata? What does metadata do? Metadata schemes What is meta tag? Meta tag example Table of Content.
Robert Aydelotte ExxonMobil - Upstream Technical Computing 13 May 2004 Standardizing Fluid Property Reporting.
SwA Co-Chair and Task Lead Strategy Session Agenda Technology, Tools and Product Evaluation Working Group Status Briefing Co-Chair(s) Michael Kass (NIST),
1 Header Compression over IPsec (HCoIPsec) Emre Ertekin, Christos Christou, Rohan Jasani {
Asset Summary Reporting draft-davidson-sacm-asr-00 David Waltermire
Maintaining and Updating Windows Server 2008 Lesson 8.
SACM Vulnerability Assessment Scenario IETF 95 04/05/2016.
1 The XMSF Profile Overlay to the FEDEP Dr. Katherine L. Morse, SAIC Mr. Robert Lutz, JHU APL
Stephen Banghart Dave Waltermire
Chapter 8 Environments, Alternatives, and Decisions.
Configuration Management
Security Patching.
Service Delivery and Governance
Integrated Cyber October 16-17, 2017
INCH Requirements Glenn Mansfield Keeni Cyber Solutions Inc
Service Delivery and Governance
eXtensible Markup Language
Cloud Application Marketplaces
Service Model Monitoring Cloud Application Marketplaces
Cloud Application Marketplaces
Cloud Application Marketplaces
Cloud Application Marketplaces
Service Delivery and Governance
CVE.
Cloud Application Marketplaces
Understanding Standards Physical Education Higher
Metadata The metadata contains
Module 2B - Data Systems Marco MERENS Nevin MURAD Lima, March 2019
Cloud Application Marketplaces
Presentation transcript:

A Model for Exchanging Vulnerability Information draft-booth-sacm-vuln-model-01 David Waltermire Presenting for: Harold Booth

What is it? An XML-based data format that enables the exchange of structured information related to vulnerabilities A revision to the current Vulnerability Data Model v2.0 used by the National Vulnerability Database – Feeds downloaded by academia, security tool vendors, industry and other vulnerability databases

What information does it capture? Community and proprietary vulnerability identifiers (e.g. Common Vulnerability and Exposures (CVE), vendors ids, vulnerability database identifiers) – Captures relationships within the same identification system (e.g. supersession, deprecation) – Identifies aliases between different identification systems Uses the Common Platform Enumeration (CPE) to relate vulnerable product configurations – Application – Operating system – Application running on operating system Plugs-in Common Vulnerability Scoring System (CVSS) v2 scoring information – Allows other scoring systems to be used Relates a vulnerability to references: – Vulnerability advisories, alerts and bulletins describing the vulnerability in greater detail – Patch and work-around information – Assessment methods

How does it relate to the IETF? Security Automation and Continuous Monitoring (SACM) Use Case 1: System State Assessment (draft-waltermire- sacm-use-cases-02) Vulnerability Management Use Case ( ) – Enumerates technical assessment methods Assessment Result Analysis (4.1.3) – Provides vulnerability scores enabling comparison/weighting of assessment results – Supports Risk-based decision making Content management (4.1.4) – Captures scoring models and vulnerability information – References additional vulnerability and patch information

How does it relate to the IETF? (Cont’d) Security Automation and Continuous Monitoring (SACM) Use Case 3: Security Control Verification and Monitoring (draft-waltermire-sacm-use-cases-02) Tasking and Scheduling (4.3.1) – Selection of assessment criteria – Defining in-scope assets (i.e. targeting) Data Aggregation and Reporting (4.3.2) – Enables correlation by vulnerability identifiers and other vulnerability attributes (e.g.. scores, product)

How does it relate to the IETF? (Cont’d) Managed Incident Lightweight Exchange (MILE WG) IODEF-extension to support structured cybersecurity information (draft-ietf-mile-sci-05) Section 4.3.3: Vulnerability – Enables inclusion of information for (candidate) vulnerabilities related to incidents or events – Possible candidate for inclusion in the IANA registry (Appendix II)

Possible work / How you can help? Greater consensus on use cases for vulnerability format – Collaboration/integration with other related efforts (e.g. Common Vulnerability Reporting Format (CVRF)) – Update model to reflect growing consensus Develop an IANA registry for pluggable components – Allow for additional product identification schemes (e.g. ISO/IEC Software ID Tags) – Support multiple scoring metrics/methods (e.g. CVSSv3) – Extensible reference types Should it be extended to hold patch information? – Product/version applicability – Patch location information – How to install (i.e. exact command-line or execution instructions) JSON vs. XML

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.