Internet Engineering Task Force (IETF)                     D. Waltermire
Request for Comments: 7632                                          NIST
Category: Informational                                    D. Harrington
ISSN: 2070-1721                                       Effective Software
                                                          September 2015
Endpoint Security Posture Assessment: Enterprise Use Cases
Abstract
This memo documents a sampling of use cases for securely aggregating configuration and operational data and evaluating that data to determine an organization's security posture. From these operational use cases, we can derive common functional capabilities and requirements to guide development of vendor-neutral, interoperable standards for aggregating and evaluating data relevant to security posture.
Status of This Memo
This document is not an Internet Standards Track specification; it is published for informational purposes.
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7632.
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Table of Contents
1. Introduction
2. Endpoint Posture Assessment
2.1. Use Cases
2.1.1. Define, Publish, Query, and Retrieve Security Automation Data
2.1.2. Endpoint Identification and Assessment Planning
2.1.3. Endpoint Posture Attribute Value Collection
2.1.4. Posture Attribute Evaluation
2.2. Usage Scenarios
2.2.1. Definition and Publication of Automatable Configuration Checklists
2.2.2. Automated Checklist Verification
2.2.3. Detection of Posture Deviations
2.2.4. Endpoint Information Analysis and Reporting
2.2.5. Asynchronous Compliance/Vulnerability Assessment at Ice Station Zebra
2.2.6. Identification and Retrieval of Guidance
2.2.7. Guidance Change Detection
3. Security Considerations
4. Informative References
Acknowledgements
Authors' Addresses
1. Introduction
This document describes the core set of use cases for endpoint posture assessment for enterprises. It provides a discussion of these use cases and associated building-block capabilities. The described use cases support:
o securely collecting and aggregating configuration and operational data, and
o evaluating that data to determine the security posture of individual endpoints.
Additionally, this document describes a set of usage scenarios that provide examples for using the use cases and associated building blocks to address a variety of operational functions.
These operational use cases and related usage scenarios cross many IT security domains. The use cases enable the derivation of common:
o concepts that are expressed as building blocks in this document,
o characteristics to inform development of a requirements document,
o information concepts to inform development of an information model document, and
o functional capabilities to inform development of an architecture document.
Together, these ideas will be used to guide development of vendor-neutral, interoperable standards for collecting, aggregating, and evaluating data relevant to security posture.
Using this standard data, tools can analyze the state of endpoints as well as user activities and behaviour, and evaluate the security posture of an organization. Common expression of information should enable interoperability between tools (whether customized, commercial, or freely available), and the ability to automate portions of security processes to gain efficiency, react to new threats in a timely manner, and free up security personnel to work on more advanced problems.
The goal is to enable organizations to make informed decisions that support organizational objectives, to enforce policies for hardening systems, to prevent network misuse, to quantify business risk, and to collaborate with partners to identify and mitigate threats.
It is expected that use cases for enterprises and for service providers will largely overlap. When considering this overlap, there are additional complications for service providers, especially in handling information that crosses administrative domains.
The output of endpoint posture assessment is expected to feed into additional processes, such as policy-based enforcement of acceptable state, verification and monitoring of security controls, and compliance to regulatory requirements.
2. Endpoint Posture Assessment
Endpoint posture assessment involves orchestrating and performing data collection and evaluating the posture of a given endpoint. Typically, endpoint posture information is gathered and then published to appropriate data repositories to make collected information available for further analysis supporting organizational security processes.
Endpoint posture assessment typically includes:
o collecting the attributes of a given endpoint;
o making the attributes available for evaluation and action; and
o verifying that the endpoint's posture is in compliance with enterprise standards and policy.
As part of these activities, it is often necessary to identify and acquire any supporting security automation data that is needed to drive and feed data collection and evaluation processes.
The following is a typical workflow scenario for assessing endpoint posture:
1. Some type of trigger initiates the workflow. For example, an operator or an application might trigger the process with a request, or the endpoint might trigger the process using an event-driven notification.
2. An operator/application selects one or more target endpoints to be assessed.
3. An operator/application selects which policies are applicable to the targets.
4. For each target:
A. The application determines which (sets of) posture attributes need to be collected for evaluation. Implementations should be able to support (possibly mixed) sets of standardized and proprietary attributes.
B. The application might retrieve previously collected information from a cache or data store, such as a data store populated by an asset management system.
C. The application might establish communication with the target, mutually authenticate identities and authorizations, and collect posture attributes from the target.
D. The application might establish communication with one or more intermediaries or agents, which may be local or external. When establishing connections with an intermediary or agent, the application can mutually authenticate their identities and determine authorizations, and collect posture attributes about the target from the intermediaries or agents.
E. The application communicates target identity and (sets of) collected attributes to an evaluator, which is possibly an external process or external system.
F. The evaluator compares the collected posture attributes with expected values as expressed in policies.
G. The evaluator reports the evaluation result for the requested assessment, in a standardized or proprietary format, such as a report, a log entry, a database entry, or a notification.
2.1. Use Cases
The following subsections detail specific use cases for assessment planning, data collection, analysis, and related operations pertaining to the publication and use of supporting data. Each use case is defined by a short summary containing a simple problem statement, followed by a discussion of related concepts, and a listing of associated building blocks that represent the capabilities needed to support the use case. These use cases and building blocks identify separate units of functionality that may be supported by different components of an architectural model.
2.1.1. Define, Publish, Query, and Retrieve Security Automation Data
This use case describes the need for security automation data to be defined and published to one or more data stores, as well as queried and retrieved from these data stores for the explicit use of posture collection and evaluation.
Security automation data is a general concept that refers to any data expression that may be generated and/or used as part of the process of collecting and evaluating endpoint posture. Different types of security automation data will generally fall into one of three categories:
Guidance: Instructions and related metadata that guide the attribute collection and evaluation processes. The purpose of this data is to allow implementations to be data-driven, thus enabling their behavior to be customized without requiring changes to deployed software.
This type of data tends to change in units of months and days. In cases where assessments are made more dynamic, it may be necessary to handle changes in the scope of hours or minutes. This data will typically be provided by large organizations, product vendors, and some third parties. Thus, it will tend to be shared across large enterprises and customer communities. In some cases, access may be controlled to specific authenticated users. In other cases, the data may be provided broadly with little to no access control.
This includes:
* Listings of attribute identifiers for which values may be collected and evaluated.
* Lists of attributes that are to be collected along with metadata that includes: when to collect a set of attributes based on a defined interval or event, the duration of collection, and how to go about collecting a set of attributes.
* Guidance that specifies how old collected data can be when used for evaluation.
* Policies that define how to target and perform the evaluation of a set of attributes for different kinds or groups of endpoints and the assets they are composed of. In some cases, it may be desirable to maintain hierarchies of policies as well.
* References to human-oriented data that provide technical, organizational, and/or policy context. This might include references to: best practices documents, legal guidance and legislation, and instructional materials related to the automation data in question.
Attribute Data: Data collected through automated and manual mechanisms describing organizational and posture details pertaining to specific endpoints and the assets that they are composed of (e.g., hardware, software, accounts). The purpose of this type of data is to characterize an endpoint (e.g., endpoint type, organizationally expected function/role) and to provide actual and expected state data pertaining to one or more endpoints. This data is used to determine what posture attributes to collect from which endpoints and to feed one or more evaluations.
This type of data tends to change in units of days, minutes, and seconds, with posture attribute values typically changing more frequently than endpoint characterizations. This data tends to be organizationally and endpoint specific, with specific operational groups of endpoints tending to exhibit similar attribute profiles. Generally, this data will not be shared outside an organizational boundary and will require authentication with specific access controls.
This includes:
* Endpoint characterization data that describes the endpoint type, organizationally expected function/role, etc.
* Collected endpoint posture attribute values and related context including: time of collection, tools used for collection, etc.
* Organizationally defined expected posture attribute values targeted to specific evaluation guidance and endpoint characteristics. This allows a common set of guidance to be parameterized for use with different groups of endpoints.
Processing Artifacts: Data that is generated by, and is specific to, an individual assessment process. This data may be used as part of the interactions between architectural components to drive and coordinate collection and evaluation activities. Its lifespan will be bounded by the lifespan of the assessment. It may also be exchanged and stored to provide historic context around an assessment activity so that individual assessments can be grouped, evaluated, and reported in an enterprise context.
This includes:
* The identified set of endpoints for which an assessment should be performed.
* The identified set of posture attributes that need to be collected from specific endpoints to perform an evaluation.
* The resulting data generated by an evaluation process including the context of what was assessed, what it was assessed against, what collected data was used, when it was collected, and when the evaluation was performed.
The information model for security automation data must support a variety of different data types as described above, along with the associated metadata that is needed to support publication, query, and retrieval operations. It is expected that multiple data models will be used to express specific data types requiring specialized or extensible security automation data repositories. The different temporal characteristics, access patterns, and access control dimensions of each data type may also require different protocols and data models to be supported, furthering the potential requirement for specialized data repositories. See [RFC3444] for a description and discussion of the distinction between an information model and a data model. It is likely that additional kinds of data will be identified through the process of defining requirements and an architectural model. Implementations supporting this building block will need to be extensible to accommodate the addition of new types of data, whether proprietary or (preferably) using a standard format.
The building blocks of this use case are:
Data Definition: Security automation data will guide and inform collection and evaluation processes. This data may be designed by a variety of roles -- application implementers may build security automation data into their applications; administrators may define guidance based on organizational policies; operators may define guidance and attribute data as needed for evaluation at runtime; and so on. Data producers may choose to reuse data from existing stores of security automation data and/or may create new data. Data producers may develop data based on available standardized or proprietary data models, such as those used for network management and/or host management.
Data Publication: The capability to enable data producers to publish data to a security automation data store for further use. Published data may be made publicly available or access may be based on an authorization decision using authenticated credentials. As a result, the visibility of specific security automation data to an operator or application may be public, enterprise-scoped, private, or controlled within any other scope.
Data Query: An operator or application should be able to query a security automation data store using a set of specified criteria. The result of the query will be a listing matching the query. The query result listing may contain publication metadata (e.g., create date, modified date, publisher, etc.) and/or the full data, a summary, snippet, or the location to retrieve the data.
Data Retrieval: A user, operator, or application acquires one or more specific security automation data entries. The location of the data may be known a priori, or may be determined based on decisions made using information from a previous query.
Data Change Detection: An operator or application needs to know when security automation data they are interested in has been published to, updated in, or deleted from a security automation data store that they have been authorized to access.
These building blocks are used to enable acquisition of various instances of security automation data based on specific data models that are used to drive assessment planning (see Section 2.1.2), posture attribute value collection (see Section 2.1.3), and posture evaluation (see Section 2.1.4).
2.1.2. Endpoint Identification and Assessment Planning
This use case describes the process of discovering endpoints, understanding their composition, identifying the desired state to assess against, and calculating what posture attributes to collect to enable evaluation. This process may be a set of manual, automated, or hybrid steps that are performed for each assessment.
The building blocks of this use case are:
Endpoint Discovery: To determine the current or historic presence of endpoints in the environment that are available for posture assessment. Endpoints are identified in support of discovery by using information previously obtained or using other collection mechanisms to gather identification and characterization data. Previously obtained data may originate from sources such as network authentication exchanges.
Endpoint Characterization: The act of acquiring, through automated collection or manual input, and organizing attributes associated with an endpoint (e.g., type, organizationally expected function/role, hardware/software versions).
Endpoint Target Identification: Determine the candidate endpoint target(s) against which to perform the assessment. Depending on the assessment trigger, a single endpoint or multiple endpoints may be targeted based on characterized endpoint attributes. Guidance describing the assessment to be performed may contain instructions or references used to determine the applicable assessment targets. In this case, the Data Query and/or Data Retrieval building blocks (see Section 2.1.1) may be used to acquire this data.
Endpoint Component Inventory: To determine what applicable desired states should be assessed, it is first necessary to acquire the inventory of software, hardware, and accounts associated with the targeted endpoint(s). If the assessment of the endpoint is not dependent on these details, then this capability is not required for use in performing the assessment. This process can be treated as a collection use case for specific posture attributes. In this case, the building blocks for Endpoint Posture Attribute Value Collection (see Section 2.1.3) can be used.
Posture Attribute Identification: Once the endpoint targets and their associated asset inventory is known, it is then necessary to calculate what posture attributes are required to be collected to perform the desired evaluation. When available, existing posture data is queried for suitability using the Data Query building block (see Section 2.1.1). Such posture data is suitable if it is complete and current enough for use in the evaluation. Any unsuitable posture data is identified for collection.
If this is driven by guidance, then the Data Query and/or Data Retrieval building blocks (see Section 2.1.1) may be used to acquire this data.
At this point, the set of posture attribute values to use for evaluation are known, and they can be collected if necessary (see Section 2.1.3).
2.1.3. Endpoint Posture Attribute Value Collection
This use case describes the process of collecting a set of posture attribute values related to one or more endpoints. This use case can be initiated by a variety of triggers including:
1. a posture change or significant event on the endpoint.
2. a network event (e.g., endpoint connects to a network/VPN, specific netflow [RFC3954] is detected).
3. a scheduled or ad hoc collection task.
The building blocks of this use case are:
Collection Guidance Acquisition: If guidance is required to drive the collection of posture attribute values, this capability is used to acquire this data from one or more security automation data stores. Depending on the trigger, the specific guidance to acquire might be known. If not, it may be necessary to determine the guidance to use based on the component inventory or other assessment criteria. The Data Query and/or Data Retrieval building blocks (see Section 2.1.1) may be used to acquire this guidance.
Posture Attribute Value Collection: The accumulation of posture attribute values. This may be based on collection guidance that is associated with the posture attributes.
Once the posture attribute values are collected, they may be persisted for later use or they may be immediately used for posture evaluation.
2.1.4. Posture Attribute Evaluation
This use case represents the action of analyzing collected posture attribute values as part of an assessment. The primary focus of this use case is to support evaluation of actual endpoint state against the expected state selected for the assessment.
This use case can be initiated by a variety of triggers including:
1. a posture change or significant event on the endpoint.
2. a network event (e.g., endpoint connects to a network/VPN, specific netflow [RFC3954] is detected).
3. a scheduled or ad hoc evaluation task.
The building blocks of this use case are:
Collected Posture Change Detection: An operator or application has a mechanism to detect the availability of new posture attribute values or changes to existing ones. The timeliness of detection may vary from immediate to on-demand. Having the ability to filter what changes are detected will allow the operator to focus on the changes that are relevant to their use and will enable evaluation to occur dynamically based on detected changes.
Posture Attribute Value Query: If previously collected posture attribute values are needed, the appropriate data stores are queried to retrieve them using the Data Query building block (see Section 2.1.1). If all posture attribute values are provided directly for evaluation, then this capability may not be needed.
Evaluation Guidance Acquisition: If guidance is required to drive the evaluation of posture attribute values, this capability is used to acquire this data from one or more security automation data stores. Depending on the trigger, the specific guidance to acquire might be known. If not, it may be necessary to determine the guidance to use based on the component inventory or other assessment criteria. The Data Query and/or Data Retrieval building blocks (see Section 2.1.1) may be used to acquire this guidance.
Posture Attribute Evaluation: The comparison of posture attribute values against their expected values as expressed in the specified guidance. The result of this comparison is output as a set of posture evaluation results. Such results include metadata required to provide a level of assurance with respect to the posture attribute data and, therefore, evaluation results. Examples of such metadata include provenance and/or availability data.
While the primary focus of this use case is around enabling the comparison of expected vs. actual state, the same building blocks can support other analysis techniques that are applied to collected posture attribute data (e.g., trending, historic analysis).
Completion of this process represents a complete assessment cycle as defined in Section 2.
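The assessment cycle of Section 2 (workflow steps 4.A through 4.G), the Posture Attribute Identification building block of Section 2.1.2, and the Posture Attribute Evaluation building block above, worked through as an added Python example that is not part of this RFC or of any implementation it describes. It models the three data categories of Section 2.1.1 (a checklist as guidance, collected values with their collection time and collecting tool as attribute data, and the evaluation result record as a processing artifact), applies the guidance rule on how old collected data may be, and never lets a missing or stale value pass a check. The vendor, device, attribute identifiers, and values are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List, Optional
# Guidance: what to collect, the expected value, and how old collected data may be.
@dataclass(frozen=True)
class Check:
    attribute: str      # posture attribute identifier
    expected: Any       # expected value expressed in policy
    max_age: timedelta  # how old a collected value may be when evaluated

@dataclass(frozen=True)
class Checklist:
    checklist_id: str
    applies_to: Dict[str, str]  # endpoint characterization the guidance targets
    checks: List[Check]

# Attribute data: a collected posture attribute value plus its collection context.
@dataclass(frozen=True)
class PostureValue:
    value: Any
    collected_at: datetime
    collector: str      # tool used for collection (provenance metadata)

@dataclass
class Endpoint:
    endpoint_id: str
    characterization: Dict[str, str]  # type, model, OS version, role, ...
    posture: Dict[str, PostureValue]  # attribute id -> most recent collected value

# Processing artifacts: per-check outcome and the assessment-level result record.
@dataclass(frozen=True)
class CheckResult:
    attribute: str
    status: str         # "pass", "fail", "stale" or "missing"
    expected: Any
    actual: Any
    collected_at: Optional[datetime]
    collector: Optional[str]

@dataclass(frozen=True)
class AssessmentResult:
    endpoint_id: str            # what was assessed
    checklist_id: str           # what it was assessed against
    evaluated_at: datetime      # when the evaluation was performed
    results: List[CheckResult]  # which collected data was used, and when collected

def checklist_applies(checklist: Checklist, endpoint: Endpoint) -> bool:
    """Endpoint Target Identification: does this guidance target this endpoint?"""
    return all(endpoint.characterization.get(k) == v
               for k, v in checklist.applies_to.items())

def suitable(pv: Optional[PostureValue], check: Check, now: datetime) -> bool:
    """Stored data is suitable only if present and no older than the guidance allows."""
    return pv is not None and (now - pv.collected_at) <= check.max_age

def identify_collection_needs(checklist: Checklist, endpoint: Endpoint, now: datetime) -> List[str]:
    """Posture Attribute Identification: attributes that must be (re)collected."""
    return [c.attribute for c in checklist.checks
            if not suitable(endpoint.posture.get(c.attribute), c, now)]

def evaluate(checklist: Checklist, endpoint: Endpoint, now: datetime) -> AssessmentResult:
    """Posture Attribute Evaluation: compare actual with expected values; a missing
    or stale value never passes, and provenance is carried into the result."""
    results = []
    for check in checklist.checks:
        pv = endpoint.posture.get(check.attribute)
        if pv is None:
            status = "missing"
        elif not suitable(pv, check, now):
            status = "stale"
        else:
            status = "pass" if pv.value == check.expected else "fail"
        results.append(CheckResult(
            check.attribute, status, check.expected,
            None if pv is None else pv.value,
            None if pv is None else pv.collected_at,
            None if pv is None else pv.collector))
    return AssessmentResult(endpoint.endpoint_id, checklist.checklist_id, now, results)

# Constructed sample data (hypothetical vendor checklist and device; not from the RFC).
NOW = datetime(2015, 9, 1, 12, 0, tzinfo=timezone.utc)
VENDOR_CHECKLIST = Checklist(
    checklist_id="example-vendor:x100-os4.2-baseline",
    applies_to={"model": "X-100", "os_version": "4.2"},
    checks=[
        Check("ssh.protocol_version", 2, timedelta(days=1)),
        Check("snmp.default_community_removed", True, timedelta(days=1)),
        Check("admin.password_min_length", 12, timedelta(hours=1)),
        Check("logging.remote_enabled", True, timedelta(days=1)),
    ])
DEVICE = Endpoint(
    endpoint_id="router-17",
    characterization={"type": "router", "model": "X-100", "os_version": "4.2"},
    posture={
        "ssh.protocol_version": PostureValue(2, NOW - timedelta(hours=2), "mgmt-collector"),
        "snmp.default_community_removed": PostureValue(False, NOW - timedelta(hours=2), "mgmt-collector"),
        "admin.password_min_length": PostureValue(8, NOW - timedelta(hours=3), "mgmt-collector"),
        # "logging.remote_enabled" has never been collected from this device
    })
```

Running `identify_collection_needs(VENDOR_CHECKLIST, DEVICE, NOW)` before evaluation lists the two attributes whose stored values are too old or absent; evaluating without recollecting them yields one pass, one fail, one stale, and one missing result, each carrying the collector and collection time used.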
2.2. Usage Scenarios
In this section, we describe a number of usage scenarios that utilize aspects of endpoint posture assessment. These are examples of common problems that can be solved with the building blocks defined above.
2.2.1. Definition and Publication of Automatable Configuration Checklists
A vendor manufactures a number of specialized endpoint devices. They also develop and maintain an operating system for these devices that enables end-user organizations to configure a number of security and operational settings. As part of their customer support activities, they publish a number of secure configuration guides that provide minimum security guidelines for configuring their devices.
一家供应商生产许多专用终端设备。他们还为这些设备开发和维护操作系统,使最终用户组织能够配置许多安全和操作设置。作为客户支持活动的一部分,他们发布了许多安全配置指南,为配置设备提供最低安全性指导。
Each guide they produce applies to a specific model of device and version of the operating system and provides a number of specialized configurations depending on the device's intended function and what add-on hardware modules and software licenses are installed on the device. To enable their customers to evaluate the security posture of their devices to ensure that all appropriate minimal security settings are enabled, they publish automatable configuration checklists using a popular data format that defines what settings to collect using a network management protocol and appropriate values for each setting. They publish these checklists to a public security automation data store that customers can query to retrieve applicable checklist(s) for their deployed specialized endpoint devices.
他们制作的每个指南都适用于特定型号的设备和操作系统版本,并根据设备的预期功能以及设备上安装的附加硬件模块和软件许可证提供了大量专门配置。为了使客户能够评估其设备的安全状态,以确保启用所有适当的最低安全设置,他们使用流行的数据格式发布可自动配置检查表,该格式定义了使用网络管理协议收集的设置以及每个设置的适当值。他们将这些检查表发布到公共安全自动化数据存储中,客户可以查询该数据存储以检索其部署的专用端点设备的适用检查表。
Automatable configuration checklists could also come from sources other than a device vendor, such as industry groups or regulatory authorities, or enterprises could develop their own checklists.
自动配置检查表也可以来自设备供应商以外的来源,如行业团体或监管机构,或者企业可以开发自己的检查表。
This usage scenario employs the following building blocks defined in Section 2.1.1 above:
此使用场景采用了上文第2.1.1节中定义的以下构建块:
Data Definition: To allow guidance to be defined using standardized or proprietary data models that will drive collection and evaluation.
数据定义:允许使用标准化或专有数据模型定义指导,以推动收集和评估。
Data Publication: Providing a mechanism to publish created guidance to a security automation data store.
数据发布:提供将创建的指南发布到安全自动化数据存储的机制。
Data Query: To locate and select existing guidance that may be reused.
数据查询:查找并选择可重复使用的现有指南。
Data Retrieval To retrieve specific guidance from a security automation data store for editing.
数据检索从安全自动化数据存储中检索特定指南以进行编辑。
While each building block can be used in a manual fashion by a human operator, it is also likely that these capabilities will be implemented together in some form of a guidance editor or generator application.
虽然每个构建块都可以由人工操作员手动使用,但这些功能也可能以某种形式的制导编辑器或生成器应用程序一起实现。
2.2.2. Automated Checklist Verification
A financial services company operates a heterogeneous IT environment. In support of their risk management program, they utilize vendor-provided automatable security configuration checklists for each operating system and application used within their IT environment. Multiple checklists are used from different vendors to ensure adequate coverage of all IT assets.
To identify what checklists are needed, they use automation to gather an inventory of the software versions utilized by all IT assets in the enterprise. This data gathering will involve querying existing data stores of previously collected endpoint software inventory posture data and actively collecting data from reachable endpoints as needed, utilizing network and systems management protocols. Previously collected data may be provided by periodic data collection, network connection-driven data collection, or ongoing event-driven monitoring of endpoint posture changes.
Appropriate checklists are queried, located, and downloaded from the relevant guidance data stores. The specific data stores queried and the specifics of each query may be driven by data including:
o collected hardware and software inventory data, and
o associated asset characterization data that may indicate the organizationally defined functions of each endpoint.
Checklists may be sourced from guidance data stores maintained by an application or OS vendor, an industry group, a regulatory authority, or directly by the enterprise.
The retrieved guidance is cached locally to reduce the need to retrieve the data multiple times.
Driven by the setting data provided in the checklist, a combination of existing configuration data stores and data collection methods are used to gather the appropriate posture attributes from (or pertaining to) each endpoint. Specific posture attribute values are gathered based on the defined enterprise function and software inventory of each endpoint. The collection mechanisms used to collect software inventory posture will be used again for this purpose. Once the data is gathered, the actual state is evaluated against the expected state criteria defined in each applicable checklist.
A checklist can be assessed as a whole, or a specific subset of the checklist can be assessed, resulting in partial data collection and evaluation.
The results of checklist evaluation are provided to appropriate operators and applications to drive additional business logic. Specific applications for checklist evaluation results are out of scope for current SACM (Security Automation and Continuous Monitoring) efforts. Irrespective of specific applications, the availability, timeliness, and liveness of results are often of general concern. Network latency and available bandwidth often create operational constraints that require trade-offs between these concerns and need to be considered.
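The checklist selection, collection, and evaluation steps described above, as an added Python example that is not part of this memo. The checklist format, inventory entries, posture attribute values, and provenance fields are constructed for the example and are not SACM data models; a whole checklist or a named subset of its attributes can be assessed, and a result whose value was never collected is reported as such rather than as a failure.

```python
"""Automated checklist verification, sketched in Python.

Constructed data: a guidance data store holding one checklist per
(product, version), a software inventory per endpoint, and a posture
attribute data store of previously collected values with provenance.
All identifiers below are assumptions for this example, not SACM names.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Any, Optional

# Constructed guidance data store.  Each check names the setting to
# collect and the value the checklist expects for it.
CHECKLISTS = {
    ("exampleos", "7.1"): {
        "id": "exampleos-7.1-baseline",
        "checks": {
            "ssh.permit_root_login": "no",
            "audit.enabled": "yes",
            "firewall.default_policy": "drop",
        },
    },
    ("webapp", "2.0"): {
        "id": "webapp-2.0-baseline",
        "checks": {"webapp.debug_mode": "off"},
    },
}

# Constructed software inventory (Endpoint Component Inventory output).
INVENTORY = {
    "host-a": [("exampleos", "7.1"), ("webapp", "2.0")],
    "host-b": [("exampleos", "7.1")],
    "host-c": [("exampleos", "6.0")],  # no checklist published for this version
}

# Constructed posture attribute data store: previously collected values,
# with provenance (collector, collection time) kept as metadata.
POSTURE_STORE = {
    "host-a": {
        "ssh.permit_root_login": "no", "audit.enabled": "yes",
        "firewall.default_policy": "drop", "webapp.debug_mode": "on",
        "_meta": {"collector": "agent-01", "collected": "2015-09-01T10:00Z"},
    },
    "host-b": {
        "ssh.permit_root_login": "yes", "audit.enabled": "yes",
        "_meta": {"collector": "agent-02", "collected": "2015-09-01T10:05Z"},
    },
}


@dataclass
class CheckResult:
    endpoint: str
    checklist: str
    attribute: str
    expected: Any
    actual: Any
    status: str  # "pass", "fail" or "not_collected"
    provenance: dict = field(default_factory=dict)


def applicable_checklists(endpoint: str) -> list[dict]:
    """Data Query: select the checklists matching the endpoint's inventory."""
    return [CHECKLISTS[c] for c in INVENTORY.get(endpoint, []) if c in CHECKLISTS]


def evaluate_endpoint(endpoint: str, subset: Optional[set] = None) -> list[CheckResult]:
    """Posture Attribute Evaluation: compare collected values with the expected
    values of every applicable checklist.  A 'subset' of attribute names limits
    the run to part of the checklist (partial collection and evaluation)."""
    posture = POSTURE_STORE.get(endpoint, {})
    provenance = posture.get("_meta", {})
    results = []
    for checklist in applicable_checklists(endpoint):
        for attr, expected in checklist["checks"].items():
            if subset is not None and attr not in subset:
                continue
            actual = posture.get(attr)
            if actual is None:
                status = "not_collected"  # value absent: collection is still needed
            elif actual == expected:
                status = "pass"
            else:
                status = "fail"
            results.append(CheckResult(endpoint, checklist["id"], attr,
                                       expected, actual, status, provenance))
    return results


def summarize(results: list[CheckResult]) -> dict[str, int]:
    """Count results per status for reporting to operators or applications."""
    counts = {"pass": 0, "fail": 0, "not_collected": 0}
    for r in results:
        counts[r.status] += 1
    return counts


if __name__ == "__main__":
    for ep in INVENTORY:
        res = evaluate_endpoint(ep)
        print(ep, summarize(res))
        for r in res:
            if r.status != "pass":
                print("  ", r.checklist, r.attribute, r.status,
                      "expected", r.expected, "got", r.actual)
```

The provenance carried on each result is what lets a consumer judge the assurance of a verdict: a "pass" collected by an unknown agent or long ago is worth less than a fresh one, which is the point of the metadata the evaluation step is required to emit.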
Uses of checklists and associated evaluation results may include, but are not limited to:
o Detecting endpoint posture deviations as part of a change management program to identify:
* missing required patches,
* unauthorized changes to hardware and software inventory, and
* unauthorized changes to configuration items.
o Determining compliance with organizational policies governing endpoint posture.
o Informing configuration management, patch management, and vulnerability mitigation and remediation decisions.
o Searching for current and historic indicators of compromise.
o Detecting current and historic infection by malware and determining the scope of infection within an enterprise.
o Detecting performance, attack, and vulnerable conditions that warrant additional network diagnostics, monitoring, and analysis.
o Informing network access control decision-making for wired, wireless, or VPN connections.
This usage scenario employs the following building blocks defined in Section 2.1.1 above:
Endpoint Discovery: The purpose of discovery is to determine the type of endpoint to be posture assessed.
Endpoint Target Identification: To identify what potential endpoint targets the checklist should apply to based on organizational policies.
Endpoint Component Inventory: Collecting and consuming the software and hardware inventory for the target endpoints.
Posture Attribute Identification: To determine what data needs to be collected to support evaluation, the checklist is evaluated against the component inventory and other endpoint metadata to determine the set of posture attribute values that are needed.
Collection Guidance Acquisition: Based on the identified posture attributes, the application will query appropriate security automation data stores to find the "applicable" collection guidance for each endpoint in question.
Posture Attribute Value Collection: For each endpoint, the values for the required posture attributes are collected.
Posture Attribute Value Query: If previously collected posture attribute values are used, they are queried from the appropriate data stores for the target endpoint(s).
Evaluation Guidance Acquisition: Any guidance that is needed to support evaluation is queried and retrieved.
Posture Attribute Evaluation: The resulting posture attribute values from previous collection processes are evaluated using the evaluation guidance to provide a set of posture results.
2.2.3. Detection of Posture Deviations
Example Corporation has established secure configuration baselines for each different type of endpoint within their enterprise including: network infrastructure, mobile, client, and server computing platforms. These baselines define an approved list of hardware, software (i.e., operating system, applications, and patches), and associated required configurations. When an endpoint connects to the network, the appropriate baseline configuration is communicated to the endpoint based on its location in the network, the expected function of the device, and other asset management data. It is checked for compliance with the baseline, and any deviations are indicated to the device's operators. Once the baseline has been established, the endpoint is monitored for any change events pertaining to the baseline on an ongoing basis. When a change occurs to posture defined in the baseline, updated posture information is exchanged, allowing operators to be notified and/or automated action to be taken.
Like the Automated Checklist Verification usage scenario (see Section 2.2.2), this usage scenario supports assessment based on automatable checklists. It differs from that scenario by monitoring for specific endpoint posture changes on an ongoing basis. When the endpoint detects a posture change, an alert is generated identifying the specific changes in posture, thus allowing assessment of the delta to be performed instead of a full assessment as in the previous case. This usage scenario employs the same building blocks as Automated Checklist Verification (see Section 2.2.2). It differs slightly in how it uses the following building blocks:
Endpoint Component Inventory: Additionally, changes to the hardware and software inventory are monitored, with changes causing alerts to be issued.
Posture Attribute Value Collection: After the initial assessment, posture attributes are monitored for changes. If any of the selected posture attribute values change, an alert is issued.
Posture Attribute Value Query: The previous state of posture attributes is tracked, allowing changes to be detected.
Posture Attribute Evaluation: After the initial assessment, a partial evaluation is performed based on changes to specific posture attributes.
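One way to implement the delta-driven use of these building blocks, as an added example that is not part of this memo. The baseline, the attribute names, and the in-memory "last seen" store standing in for the Posture Attribute Value Query data store are assumptions; the point shown is that a change event triggers an alert naming only the attributes that moved, and that only those attributes are re-evaluated rather than the whole baseline.

```python
"""Detection of posture deviations: constructed example.

A monitor keeps the last-seen posture of each endpoint (Posture Attribute
Value Query), computes the delta when a change event arrives (Posture
Attribute Value Collection), issues an alert naming the changed attributes,
and re-evaluates only those attributes against the baseline (partial
Posture Attribute Evaluation).  Baseline and attribute names are assumed.
"""
from __future__ import annotations

from typing import Optional

# Constructed baseline for one endpoint type: expected attribute values.
BASELINE = {
    "ssh.permit_root_login": "no",
    "audit.enabled": "yes",
    "installed.telnet-server": "absent",
}


class PostureMonitor:
    def __init__(self, baseline: dict[str, str]):
        self.baseline = baseline
        self.last_seen: dict[str, dict[str, str]] = {}  # previous state per endpoint
        self.alerts: list[dict] = []

    def initial_assessment(self, endpoint: str, posture: dict[str, str]) -> dict[str, str]:
        """Full evaluation on first contact; records the state for later delta checks."""
        self.last_seen[endpoint] = dict(posture)
        return {a: self._verdict(a, posture.get(a)) for a in self.baseline}

    def on_change_event(self, endpoint: str, posture: dict[str, str]) -> dict[str, str]:
        """Partial evaluation: only baseline attributes whose value changed are
        re-evaluated, and an alert is issued listing them."""
        previous = self.last_seen.get(endpoint, {})
        changed = [a for a in self.baseline if previous.get(a) != posture.get(a)]
        self.last_seen[endpoint] = dict(posture)
        if not changed:
            return {}  # nothing in the baseline moved: no alert, no evaluation
        verdicts = {a: self._verdict(a, posture.get(a)) for a in changed}
        self.alerts.append({"endpoint": endpoint, "changed": sorted(changed),
                            "verdicts": verdicts})
        return verdicts

    def _verdict(self, attribute: str, actual: Optional[str]) -> str:
        if actual is None:
            return "not_collected"
        return "pass" if actual == self.baseline[attribute] else "fail"
```

Attributes outside the baseline are ignored on purpose: the scenario alerts on changes to the selected posture attributes, so an endpoint that changes an unrelated setting generates no traffic back to the operators.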
This usage scenario highlights the need to query a data store to prepare a compliance report for a specific endpoint and also the need for a change in endpoint state to trigger Collection and Evaluation.
2.2.4. Endpoint Information Analysis and Reporting
Freed from the drudgery of manual endpoint compliance monitoring, one of the security administrators at Example Corporation notices (not using SACM standards) that five endpoints have been uploading lots of data to a suspicious server on the Internet. The administrator queries data stores for specific endpoint posture to see what software is installed on those endpoints and finds that they all have a particular program installed. She then queries the appropriate data stores to see which other endpoints have that program installed. All these endpoints are monitored carefully (not using SACM standards), which allows the administrator to detect that the other endpoints are also infected.
This is just one example of the useful analysis that a skilled analyst can do using data stores of endpoint posture.
This usage scenario employs the following building blocks defined in Section 2.1.1 above:
Posture Attribute Value Query: Previously collected posture attribute values for the target endpoint(s) are queried from the appropriate data stores using a standardized method.
This usage scenario highlights the need to query a repository for attributes to see which attributes certain endpoints have in common.
2.2.5. Asynchronous Compliance/Vulnerability Assessment at Ice Station Zebra
A university team receives a grant to do research at a government facility in the Arctic. The only network communications will be via an intermittent, low-speed, high-latency, high-cost satellite link. During their extended expedition, they will need to show continued compliance with the security policies of the university, the government, and the provider of the satellite network, as well as keep current on vulnerability testing. Interactive assessments are therefore not reliable, and since the researchers have very limited funding, they need to minimize how much money they spend on network data.
Prior to departure, they register all equipment with an asset management system owned by the university, which will also initiate and track assessments.
On a periodic basis -- either after a maximum time delta or when the security automation data store has received a threshold level of new vulnerability definitions -- the university uses the information in the asset management system to put together a collection request for all of the deployed assets that encompasses the minimal set of artifacts necessary to evaluate all three security policies as well as vulnerability testing.
In the case of new critical vulnerabilities, this collection request consists only of the artifacts necessary for those vulnerabilities, and collection is only initiated for those assets that could potentially have a new vulnerability.
(Optional) Asset artifacts are cached in a local configuration management database (CMDB). When new vulnerabilities are reported to the security automation data store, a request to the live asset is only done if the artifacts in the CMDB are incomplete and/or not current enough.
The collection request is queued for the next window of connectivity. The deployed assets eventually receive the request, fulfill it, and queue the results for the next return opportunity.
The collected artifacts eventually make it back to the university, where the level of compliance and vulnerability exposure is calculated and asset characteristics are compared to what is in the asset management system for accuracy and completeness.
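The collection-request construction, CMDB caching, and store-and-forward queuing described above, as an added Python example that is not part of this memo. The vulnerability definitions, the asset list, the CMDB freshness window (in hours), and the simulated link window are all constructed for the example; the behaviour to note is that a request names only the artifacts the new vulnerabilities need, only for assets that could carry them, and only where the cached copy is missing or stale.

```python
"""Asynchronous assessment over an intermittent link: constructed example.

Requests are queued until a connectivity window.  A local CMDB answers
from cached artifacts when they are fresh enough, so only missing or stale
artifacts are requested from the live asset.  Vulnerability ids, asset
names, artifact names and ages are assumptions for this example.
"""
from __future__ import annotations

from collections import deque

# Constructed vulnerability definitions: affected product and the
# artifact(s) (posture attributes) needed to test for each one.
VULN_DEFS = {
    "VULN-EXAMPLE-1": {"product": "exampleos", "artifacts": ["pkg.openssl.version"]},
    "VULN-EXAMPLE-2": {"product": "webapp",
                       "artifacts": ["webapp.version", "webapp.auth_mode"]},
}

# Constructed asset management data: deployed assets and their products.
ASSETS = {
    "arctic-01": ["exampleos"],
    "arctic-02": ["exampleos", "webapp"],
}


class Cmdb:
    """Local cache of artifacts with the time (hours) each was collected."""

    def __init__(self, max_age_hours: float):
        self.max_age = max_age_hours
        self.entries: dict[tuple[str, str], tuple[str, float]] = {}

    def fresh(self, asset: str, artifact: str, now: float) -> bool:
        entry = self.entries.get((asset, artifact))
        return entry is not None and now - entry[1] <= self.max_age

    def store(self, asset: str, artifact: str, value: str, now: float) -> None:
        self.entries[(asset, artifact)] = (value, now)


def build_collection_request(new_vulns: list[str], cmdb: Cmdb, now: float) -> dict[str, list[str]]:
    """Only the artifacts needed for the new vulnerabilities, only for assets
    whose products could be affected, and only where the CMDB copy is
    missing or older than the freshness window."""
    request: dict[str, list[str]] = {}
    for vid in new_vulns:
        vdef = VULN_DEFS[vid]
        for asset, products in ASSETS.items():
            if vdef["product"] not in products:
                continue  # this asset cannot carry the vulnerability
            for art in vdef["artifacts"]:
                if cmdb.fresh(asset, art, now):
                    continue  # cached copy is current enough: no link traffic
                wanted = request.setdefault(asset, [])
                if art not in wanted:
                    wanted.append(art)
    return request


class StoreAndForward:
    """Queues outbound requests and inbound results until a link window opens."""

    def __init__(self):
        self.outbound: deque = deque()
        self.inbound: deque = deque()

    def queue_request(self, request: dict[str, list[str]]) -> None:
        self.outbound.append(request)

    def link_window(self, live_assets: dict[str, dict[str, str]], cmdb: Cmdb, now: float) -> int:
        """Simulate one connectivity window: deliver queued requests to the
        assets, carry their answers back, and refresh the CMDB.  Returns the
        number of artifact values transferred back to the university."""
        while self.outbound:
            req = self.outbound.popleft()
            for asset, artifacts in req.items():
                answer = {a: live_assets[asset][a] for a in artifacts}
                self.inbound.append((asset, answer))  # asset queues its result
        transferred = 0
        while self.inbound:
            asset, answer = self.inbound.popleft()
            for art, val in answer.items():
                cmdb.store(asset, art, val, now)
                transferred += 1
        return transferred
```

Evaluation is deliberately left out of the block: once the CMDB holds fresh artifacts, the same comparison logic can run at the university or at the remote site, which is the symmetry the Posture Attribute Evaluation building block describes for this scenario.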
Like the Automated Checklist Verification usage scenario (see Section 2.2.2), this usage scenario supports assessment based on checklists. It differs from that scenario in how guidance, collected posture attribute values, and evaluation results are exchanged due to bandwidth limitations and availability. This usage scenario employs the same building blocks as Automated Checklist Verification (see Section 2.2.2). It differs slightly in how it uses the following building blocks:
Endpoint Component Inventory: It is likely that the component inventory will not change. If it does, this information will need to be batched and transmitted during the next communication window.
Collection Guidance Acquisition: Due to intermittent communication windows and bandwidth constraints, changes to collection guidance will need to be batched and transmitted during the next communication window. Guidance will need to be cached locally to avoid the need for remote communications.
Posture Attribute Value Collection: The specific posture attribute values to be collected are identified remotely and batched for collection during the next communication window. If a delay is introduced for collection to complete, results will need to be batched and transmitted.
Posture Attribute Value Query: Previously collected posture attribute values will be stored in a remote data store for use at the university.
Evaluation Guidance Acquisition: Due to intermittent communication windows and bandwidth constraints, changes to evaluation guidance will need to be batched and transmitted during the next communication window. Guidance will need to be cached locally to avoid the need for remote communications.
Posture Attribute Evaluation: Due to the caching of posture attribute values and evaluation guidance, evaluation may be performed at both the university campus as well as the satellite site.
This usage scenario highlights the need to support low-bandwidth, intermittent, or high-latency links.
2.2.6. Identification and Retrieval of Guidance
In preparation for performing an assessment, an operator or application will need to identify one or more security automation data stores that contain the guidance entries necessary to perform data collection and evaluation tasks. The location of a given guidance entry will either be known a priori, or known security automation data stores will need to be queried to retrieve applicable guidance.
To query guidance, it will be necessary to define a set of search criteria. These criteria will often utilize a logical combination of publication metadata (e.g., publishing identity, create time, modification time) and criteria elements specific to the guidance data. Once the criteria are defined, one or more security automation data stores will need to be queried, thus generating a result set. Depending on how the results are used, it may be desirable to return the matching guidance directly, a snippet of the guidance matching the query, or a resolvable location to retrieve the data at a later time. The guidance matching the query will be restricted based on the authorized level of access allowed to the requester.
If the location of guidance is identified in the query result set, the guidance will be retrieved when needed using one or more data retrieval requests. A variation on this approach would be to maintain a local cache of previously retrieved data. In this case, only guidance that is determined to be stale by some measure will be retrieved from the remote data store.
Alternately, guidance can be discovered by iterating over data published with a given context within a security automation data store. Specific guidance can be selected and retrieved as needed.
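The query criteria, the three return modes, the restriction by the requester's authorized access level, and retrieval through a cache that refetches only stale entries, as an added example that is not part of this memo. The two data stores and their entries, the "public"/"customer"/"internal" access levels, the numeric date stamps, and the store/id form of a resolvable location are assumptions made for the example.

```python
"""Identification and retrieval of guidance: constructed example.

Queries combine publication metadata (publisher, modification time) with
content criteria (product), are filtered by the requester's access level,
and return full guidance, a snippet, or a resolvable location.  Retrieval
goes through a local cache that only refetches stale entries.  Store
names, entries, access levels and date stamps are assumptions.
"""
from __future__ import annotations

# Constructed security automation data stores.  Each entry carries
# publication metadata, an access level, and the guidance body.
STORES = {
    "vendor-store": [
        {"id": "exampleos-7.1-baseline", "publisher": "exampleos-vendor",
         "created": 20150301, "modified": 20150801, "product": "exampleos",
         "access": "public",
         "body": "ssh.permit_root_login=no\naudit.enabled=yes"},
        {"id": "exampleos-7.1-hardened", "publisher": "exampleos-vendor",
         "created": 20150401, "modified": 20150901, "product": "exampleos",
         "access": "customer",
         "body": "firewall.default_policy=drop\nssh.permit_root_login=no"},
    ],
    "enterprise-store": [
        {"id": "corp-webapp-policy", "publisher": "example-corp",
         "created": 20150601, "modified": 20150601, "product": "webapp",
         "access": "internal",
         "body": "webapp.debug_mode=off"},
    ],
}
ACCESS_RANK = {"public": 0, "customer": 1, "internal": 2}


def query_guidance(criteria: dict, requester_level: str, mode: str = "location") -> list[str]:
    """Data Query across all stores.  Criteria keys are matched for equality,
    except 'modified_after', which is a lower bound on the modification
    stamp.  mode is 'full', 'snippet' or 'location'."""
    out = []
    for store, entries in STORES.items():
        for e in entries:
            if ACCESS_RANK[e["access"]] > ACCESS_RANK[requester_level]:
                continue  # not visible at the requester's authorized level
            if any(e.get(k) != v for k, v in criteria.items() if k != "modified_after"):
                continue
            if e["modified"] <= criteria.get("modified_after", 0):
                continue
            if mode == "full":
                out.append(e["body"])
            elif mode == "snippet":
                out.append(e["body"].splitlines()[0])
            else:
                out.append(f"{store}/{e['id']}")  # resolvable location
    return out


class GuidanceCache:
    """Data Retrieval through a local cache; stale entries are refetched."""

    def __init__(self, max_age: int):
        self.max_age = max_age
        self.cache: dict[str, tuple[str, int]] = {}
        self.remote_fetches = 0  # counts round trips to the remote store

    def retrieve(self, location: str, now: int) -> str:
        hit = self.cache.get(location)
        if hit is not None and now - hit[1] <= self.max_age:
            return hit[0]
        store, gid = location.split("/", 1)
        body = next(e["body"] for e in STORES[store] if e["id"] == gid)
        self.remote_fetches += 1
        self.cache[location] = (body, now)
        return body
```

Returning locations rather than bodies keeps a result set small when many stores are queried, and lets the cache decide later which entries actually need a retrieval request.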
This usage scenario employs the following building blocks defined in Section 2.1.1 above:
Data Query: Enables an operator or application to query one or more security automation data stores for guidance using a set of specified criteria.
Data Retrieval: If data locations are returned in the query result set, then specific guidance entries can be retrieved and possibly cached locally.
2.2.7. Guidance Change Detection
An operator or application may need to identify new, updated, or deleted guidance in a security automation data store that they have been authorized to access. This may be achieved by querying or iterating over guidance in a security automation data store, or through a notification mechanism that generates alerts when changes are made to a security automation data store.
Once guidance changes have been determined, data collection and evaluation activities may be triggered.
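Both the polling path (comparing a fresh catalog of a data store against the last snapshot) and the notification path (applying change events as they arrive) described above, as an added example that is not part of this memo. Guidance identifiers, the numeric modification stamps, and the mapping from guidance to the endpoints that subscribe to it are constructed for the example.

```python
"""Guidance change detection: constructed example.

A consumer compares the catalog of a data store (guidance id -> modification
stamp) with the snapshot it last saw, classifies entries as new, updated or
deleted, and turns new/updated guidance into assessment triggers for the
endpoints that use it.  A notification-driven variant applies change events
to the snapshot instead of polling.  Ids and stamps are assumptions.
"""
from __future__ import annotations


def detect_guidance_changes(previous: dict[str, int], current: dict[str, int]) -> dict[str, list[str]]:
    """Polling path: diff two catalog snapshots."""
    new = sorted(set(current) - set(previous))
    deleted = sorted(set(previous) - set(current))
    updated = sorted(g for g in set(previous) & set(current) if current[g] != previous[g])
    return {"new": new, "updated": updated, "deleted": deleted}


def trigger_assessments(changes: dict[str, list[str]], subscriptions: dict[str, list[str]]) -> list[tuple[str, str]]:
    """Map new and updated guidance to the endpoints subscribed to it.  Deleted
    guidance yields no collection or evaluation, only the change record."""
    triggers = []
    for gid in changes["new"] + changes["updated"]:
        for endpoint in subscriptions.get(gid, []):
            triggers.append((endpoint, gid))
    return triggers


class ChangeSubscriber:
    """Notification path: the data store pushes one event per change and the
    subscriber keeps its snapshot in step, returning the classified change."""

    def __init__(self, snapshot: dict[str, int]):
        self.snapshot = dict(snapshot)

    def on_notification(self, event: dict) -> dict[str, list[str]]:
        before = dict(self.snapshot)
        if event["action"] == "deleted":
            self.snapshot.pop(event["id"], None)
        else:  # "created" or "modified": record the new modification stamp
            self.snapshot[event["id"]] = event["modified"]
        return detect_guidance_changes(before, self.snapshot)
```

Whichever path is used, the consumer should persist the snapshot it acted on: a data store that reports the same change twice (a redelivered notification, an overlapping poll) should not trigger a second collection round.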
This usage scenario employs the following building blocks defined in Section 2.1.1 above:
Data Change Detection: Allows an operator or application to identify guidance changes in a security automation data store that they have been authorized to access.
Data Retrieval: If data locations are provided by the change detection mechanism, then specific guidance entries can be retrieved and possibly cached locally.
4. Security Considerations
This memo documents, for informational purposes, use cases for security automation. Specific security and privacy considerations will be provided in related documents (e.g., requirements, architecture, information model, data model, protocol) as appropriate to the function described in each related document.
One consideration for security automation is that a malicious actor could use the security automation infrastructure and related collected data to gain access to an item of interest. This may include personal data, private keys, software and configuration state that can be used to inform an attack against the network and endpoints, and other sensitive information. It is important that security and privacy considerations in the related documents indicate methods to both identify and prevent such activity.
For consideration are means for protecting the communications as well as the systems that store the information. For communications between the varying SACM components, there should be considerations for protecting the confidentiality, data integrity, and peer entity authentication. For exchanged information, there should be a means to authenticate the origin of the information. This is important where tracking the provenance of data is needed. Also, for any systems that store information that could be used for unauthorized or malicious purposes, methods to identify and protect against unauthorized usage, inappropriate usage, and denial of service need to be considered.
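One way to give exchanged posture information an authenticated origin and traceable provenance, as an added example that is not part of this memo: each message is an envelope carrying producer, timestamp, and sequence number, sealed with an HMAC-SHA256 tag over its canonical JSON form, and the consumer rejects messages from unknown producers, messages whose content no longer matches the tag, and replays of an already-accepted sequence number. The shared key, the peer name, and the envelope fields are assumptions; a deployment would use per-peer keys from a key management system or asymmetric signatures rather than a constant in the source.

```python
"""Origin authentication for exchanged posture data: constructed example.

Each message carries provenance (producer, timestamp, sequence number) and
an HMAC-SHA256 tag computed over the canonical JSON of the envelope with a
key shared between producer and consumer.  The key, the peer name and the
envelope fields are assumptions for this example.
"""
from __future__ import annotations

import hashlib
import hmac
import json

# Constructed shared keys, one per producer.  Assumption for the example;
# never embed real keys in source.
PEER_KEYS = {"collector-01": b"constructed-example-key-do-not-reuse"}


def canonical(obj) -> bytes:
    """Deterministic serialization so producer and consumer hash the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def seal(producer: str, seq: int, timestamp: str, payload: dict) -> dict:
    """Producer side: wrap the payload in a provenance envelope and tag it."""
    msg = {"producer": producer, "seq": seq, "timestamp": timestamp, "payload": payload}
    tag = hmac.new(PEER_KEYS[producer], canonical(msg), hashlib.sha256).hexdigest()
    return {**msg, "tag": tag}


class Verifier:
    """Consumer side: checks origin, integrity, and freshness of each message."""

    def __init__(self):
        self.last_seq: dict[str, int] = {}  # highest accepted sequence per producer

    def verify(self, message: dict) -> tuple[bool, str]:
        producer = message.get("producer")
        key = PEER_KEYS.get(producer)
        if key is None:
            return False, "unknown producer"
        body = {k: v for k, v in message.items() if k != "tag"}
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, message.get("tag", "")):
            return False, "bad tag"  # altered content or wrong key
        if message["seq"] <= self.last_seq.get(producer, -1):
            return False, "replayed or out of order"
        self.last_seq[producer] = message["seq"]
        return True, "ok"
```

The tag binds the provenance fields to the payload, so a consumer that stores the envelope alongside the posture values keeps a verifiable record of who produced each value and when; confidentiality of the channel is a separate concern and is not addressed by this block.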
Acknowledgements
Adam Montville edited early versions of this document.
Kathleen Moriarty and Stephen Hanna contributed text describing the scope of the document.
Gunnar Engelbach, Steve Hanna, Chris Inacio, Kent Landfield, Lisa Lorenzin, Adam Montville, Kathleen Moriarty, Nancy Cam-Winget, and Aron Woland provided text about the use cases for various revisions of this document.
Authors' Addresses
David Waltermire
National Institute of Standards and Technology
100 Bureau Drive
Gaithersburg, Maryland 20877
United States
Email: david.waltermire@nist.gov
David Harrington
Effective Software
16 Bayview Drive
Westerly, Rhode Island 02891
United States
Email: ietfdbh@gmail.com