closes #25.

sacmwg · Jun 30, 2016 · eecd152 · eecd152 · djhaynes · Jun 30, 2016
1 parent 5eca0ca
commit eecd152
Showing 1 changed file with 51 additions and 42 deletions.
diff --git a/draft-ietf-sacm-vuln-scenario.xml b/draft-ietf-sacm-vuln-scenario.xml
@@ -230,11 +230,6 @@
             determining whether a set of endpoints is vulnerable
             according to the information contained in the
             vulnerability description information.</t>
-          <t hangText="Supplemental collection:">The task of collecting
-            specific endpoint information from the target endpoint,
-            that is not available from the endpoint management
-            capability, in order to make a determination about that
-            endpoint (vulnerability status, identification, etc.).</t>
         </list>
       </t>
 
@@ -251,7 +246,8 @@
             enterprise's security software tools can understand and
             use.</t>
           <t>The enterprise has a means of identifying enterprise
-            endpoints although assertions about some details of this
+            endpoints through the execution of Target Endpoint Discovery
+            Tasks although assertions about some details of this
             capability are made.</t>
           <t>The enterprise has a means of extracting relevant
             information about enterprise endpoints in a form that is
@@ -282,21 +278,26 @@
       <section title="Endpoint Management Capability">
         <t>An endpoint management capability is assumed to be in place
           within the enterprise, and is expected to collect a minimum
-          set of attributes from the endpoints under management, and
-          to establish an endpoint's identity within the scope of that
-          domain. Endpoint identity can be established by collecting
-          certain attributes (as part of the minimum set of
-          attributes) that allow for unique and persistent tracking of
-          endpoints on the enterprise network. Examples include, but
-          are not limited to, IP address, MAC address, Fully Qualified
-          Domain Names (FQDNs), pre-provisioned identifiers such as
-          Globally Unique Identifiers (GUIDs) or copies of serial
-          numbers, certificates, hardware identity values, or similar
-          attributes. All of the information collected by the endpoint
+          set of attributes from the endpoints under management via
+          Collection Tasks and to establish an endpoint's identity 
+          within the scope of that domain. Endpoint identity can be 
+          established by collecting certain identifying attributes, 
+          collectively known as the Target Endpoint Identifier, that 
+          allow for unique and persistent tracking of endpoints on 
+          the enterprise network. Examples include, but are not limited 
+          to, IP address, MAC address, Fully Qualified Domain Names 
+          (FQDNs), pre-provisioned identifiers such as Globally Unique 
+          Identifiers (GUIDs) or copies of serial numbers, certificates, 
+          hardware identity values, or similar attributes. To simplify 
+          the identification of an endpoint, a Target Endpoint Label may 
+          be created and assigned to refer to the Target Endpoint 
+          Identifier. All of the information collected by the endpoint
           management capability is stored, with appropriate metadata
-          (i.e. timestamp), in a central location. The endpoint
-          management capability is expected to be performed on an
-          ongoing basis, resulting in routine, or even event-driven,
+          (i.e. timestamp), in a central location and used to build up 
+          a Target Endpoint Characterization Record and Target Endpoint 
+          Profile via a Target Endpoint Characterization Task. The 
+          endpoint management capability is expected to be performed on 
+          an ongoing basis, resulting in routine, or even event-driven,
           collection of basic endpoint information.</t>
 
         <t>See <xref target="data-attribute-table"/> for
@@ -334,10 +335,11 @@
       <t>
         <list style="symbols">
           <t>Endpoint information collected by the endpoint management
-            capability is examined.</t>
+            capability is examined by the vulnerability management
+            capability through Evaluation Tasks.</t>
           <t>If the data possessed by the endpoint management
-            capability is insufficient, then necessary data is
-            collected from the target endpoint.</t>
+            capability is insufficient, a Collection Task is triggered
+            and the necessary data is collected from the target endpoint.</t>
         </list>
       </t>
 
@@ -358,21 +360,29 @@
         collected by the Endpoint Management Capability and available
         in a Repository. However, in other cases, the necessary
         endpoint information will not be readily available in a
-        Repository and a supplemental collection will be necessary. Of
-        course, an implementation of an endpoint management capability
-        may prefer to enable operators to perform supplemental
-        collection under certain circumstances, even when sufficient
-        information can be provided by the endpoint management
-        capability (e.g. there may be freshness requirements for
-        information). </t>
-      <t>Supplemental collection of endpoint information for the
-        purpose of vulnerability assessment does not necessarily need
-        to be a pull by the vulnerability assessment capability. Under
-        certain deployment scenarios, once the necessary detection
-        information is known, the information beyond that which is
-        available in the endpoint management capability can be pushed
-        to the vulnerability assessment capability by the endpoint
-        whenever that information changes.</t>
+        Repository and a Collection Task will be triggered to collect it
+        from the target endpoint. Of course, an implementation of an 
+        endpoint management capability may prefer to enable operators 
+        to perform this collection under certain circumstances, even 
+        when sufficient information can be provided by the endpoint 
+        management capability (e.g. there may be freshness requirements 
+        for information).</t>
+      <t>The collection of additional endpoint information for the 
+        purpose of vulnerability assessment does not necessarily need 
+        to be a pull by the vulnerability assessment capability.  Over 
+        time, some new pieces of information that are needed during 
+        common types of assessments might be identified. An endpoint 
+        management capability can be reconfigured to have this 
+        information delivered automatically. This avoids the need to 
+        trigger additional Collection Tasks to gather this information 
+        during assessments, streamlining the assessment process. Likewise, 
+        it might be observed that certain information delivered by an 
+        endpoint management capability is rarely used. In this case, 
+        it might be useful to re-configure the endpoint management 
+        capability to no longer collect this information to reduce network 
+        and processing overhead. Instead, a new Collection Task can be 
+        triggered to gather this data on the rare occasions when it is 
+        needed.</t>
 
       <t>See <xref target="data-attribute-table"/> for
         information-specific details.</t>
@@ -597,9 +607,8 @@
       </section>
       <section title="Secondary Assessment">
         <t>Within the SACM Architecture, the assessment task would be
-          handled by the Evaluator component. If pre-assessment data
-          is used, this would be stored on and obtained from a Data
-          Store component.</t>
+          handled by the Evaluator component. If previously collected
+          data is used, it would be obtained from a Data Store component.</t>
         <t>Within the SACM Architecture, the Internal and External
           Collector components could be used to allow enterprises to
           collect posture attributes that demonstrate compliance with
@@ -1020,7 +1029,7 @@
           <ttcol align="center"/>
           <ttcol align="center">vulnerability description data</ttcol>
           <ttcol align="center">Endpoint Identification and Initial
-            (Pre-Assessment) Data Collection</ttcol>
+            Data Collection</ttcol>
           <ttcol align="center">Endpoint Applicability and
             Assessment</ttcol>
           <ttcol align="center">Assessment Results</ttcol>