Comments (17)
Thanks for the post, Adam. You bring up some good points in regards to how we want to scope our OCA efforts and where we draw the line. Your thoughts will bring up some good discussion across the PGB and architecture teams. Russ
from documentation.
Adam, Your approach sounds reasonable to me. The object is two part 1) create something that can be used for communication to the outside world (ergo simplicity) and create something that is a scoping reference to suggest where unsatisfied work lives (not dictate work to be done). I think that your idea is clearly aligned with these objectives.
I have a second question for you. We have had discussions about C2, Open DXL, Stix, etc. These don't strictly show up in the logic that you are advocating. Got any thoughts about how we capture this logic as well? I'm not saying that it has to be a single graphic.
from documentation.
Thanks @swood-tripwire. Yes, I do have additional thoughts. If I look to what SACM and SCAP 2.0 has been drawing up, we have defined specific architectural roles and therefore have identified a variety of interfaces.
For example, the following describes the intent behind SACM:
+-----------------+ +--------------------+
| Orchestrator(s) | | Repositories/CMDBs |
+---------^-------+ +----------^---------+
| | +--------------------+
| | | Downstream Uses |
| | | +----------------+ |
+-----------v------------------------v------+ | | Analytics | |
| Integration Service <------> +----------------+ |
+-----------^--------------------------^----+ | +----------------+ |
| | | | Reporting | |
| | | +----------------+ |
+-----------v-------------------+ | +--------------------+
| Collection Sub-Architecture | |
+-------------------------------+ |
+---------------v---------------+
| Evaluation Sub-Architecture |
+-------------------------------+
Given the above, we see that there is an orchestration role, there is a repository role, there are a variety of downstream uses, and of course collection and evaluation sub-architectures.
Now, imagine we're looking at a configuration management workflow. It shouldn't be a stretch to define configuration-management-specific roles and interfaces that participate in an architecture such as this one.
A more detailed view of the above:
+----------------------------------------------------------+
| Orchestrator(s) |
+-----------+----------------------------------------------+
| +------------------------------+
| | Posture Attribute Repository |
| +--------------^---------------+
Perform |
Collection |
| Collected Data
| ^
| |
+-----------v------------------------------+---------------+
| Integration Service |
+----+------------------^-----------+------------------^---+
| | | |
v | v |
Perform Collected Perform Collected
Collection Data Collection Data
| ^ | ^
| | | |
+----v-----------------------+ +----|------------------|------+
| Posture Collection Service | | | Endpoint | |
+---^------------------------+ | +--v------------------+----+ |
| | | |Posture Collection Service| |
| v | +--------------------------+ |
Events Queries +------------------------------+
^ | (PCS resides on Endpoint)
| |
+---+-------------------v----+
| Endpoint |
+----------------------------+
In the above, we show specific flows with specific information moving through the fabric between the various components that fulfill specific roles (note that one component can play more than one role, and that is by design). This is the level where, as dictated by the convention/semantics conveyed in the interface specification (i.e. an OpenDXL Ontology interface), the various data formats would be known.
Hopefully this makes some sense. Essentially, we could choose to create three levels of diagram. One would be the security program view I conveyed by submitting this issue. The next level down could be the core or foundational roles we expect to support the various workflows demanded by the security program. The next level down could be program-/tool-specific workflow perspectives.
Thoughts?
from documentation.
from documentation.
from documentation.
Hi @JasonKeirstead, I'm sorry I don't. I just copied directly from the SACM draft. If you want to create one in Draw.io, that'd be fine, or I can add it to my list to get done this week. Which of the two diagrams is the most interesting? Or, did you need for both?
from documentation.
The detailed one is what I am thinking. I believe this could have OCA technologies overlayed into it.
Going to work on it now.
from documentation.
@adammontville Please review at your leisure...
from documentation.
Thanks @JasonKeirstead for creating that diagram. I think my initial line of thinking was that the SACM roles defined (Posture Collection Service, Posture Attribute Repository, etc.) could be on the same fabric as everything else, so I'm curious about the split. That said, I'm assuming that both the Security Data Fabric and the Integration Service in the diagram you created could be Open DXL.
I'm also less familiar with all that comes with the label "SOAR"... The Orchestrator in SACM is really a catchall for any orchestration that needs to take place for a supported workflow, and the collection is really all about state assessment and (eventually) behavioral observation.
from documentation.
@adammontville I was trying to maintain the currennt arch. that SACM created and just overlay it. I didn't want to presume to re-do the SACM arch.
from documentation.
@adammontville RE SOAR, this is, I think anyway, a bit of a different beast than the type of orchestration being disucssed in SACM. In SOAR the orchstreation is happening during the incident response life cycle. This is much more in the IACD - esque space. Next step maybe to take IACD arch. and also try to overlay it on this same diagram (which may replace the SOAR box)
from documentation.
@adammontville and @JasonKeirstead , Would you guys be game to do a walk through at our next working group meeting?
from documentation.
@JasonKeirstead - Thanks for the additional explanation. When I see "SOAR" I tend to think of it as SOAR over an entire security program and not just incident response.
@swood-tripwire - I think a walk through would be good.
from documentation.
I apologize because I haven't had time for OCA and so I'm terribly behind. Trying to follow this issue thread is hard, so I may be way off base. But I'm missing what the 'outputs' are. Assume the system works perfectly and all the interfaces work and all the boxes do their jobs, then what about this makes the organization more secure (ie reduces the risk to the business)? I think there has to be some 'output' somewhere where either something is presented to decision makes to act on, or the system automagically updates itself and changes something (eg updates a firewall rule, sends a file to malware detection, quarantines an infected endpoint, ...). In the IACD architecture it would 'acts'. Is that just the SOAR? And isn't SOAR connected to endpoints and security controls. I think we need to show something that shows an output we can tie to value (eg security controls changing)
from documentation.
@sparrell The easiest way to think about this might be to say that almost every single thing in the IACD architecture would replace that one "SOAR" box. That would be step 3 here, to merge this all in.
from documentation.
New attempt...
from documentation.
Might I suggest applying a bit of the C4 model to this latest iteration.
from documentation.
Related Issues (18)
- Need to define what this repo is for HOT 2
- Architecture: Security Automation Workflow Enumeration HOT 2
- Update readme
- How is the security system secured from attackers? HOT 6
- Manager component - unclear what it is HOT 1
- Posture Collection System HOT 2
- Do usecase document in markdown instead of pdf to allow PR's HOT 1
- Fix broken images links in readme HOT 1
- Create System Landscape Diagram (C4) to capture high level OCA architecture
- Create C4 diagrams for Threat Intelligence Sharing System
- Need to evolve the architecture terminology document (iterative approach)
- Align SCAP with OpenDXL Ontology. HOT 2
- Evolve our current use cases to drive our architecture definitions
- Suggestion: Diagrams and Documents should include an Acronym Table HOT 1
- This repo need a license file HOT 4
- broken links on root README
- Architecture: Investigate C4 Model for Diagrams HOT 9
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from documentation.