OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

cacao message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [cacao] Preventative Action


I think thatâs reasonable example.

 

However, that specific example might run into problems especially if the update to OpenSSL hasnât been verified for compatibility to all systems currently deployed and their particular configurations matching the new version.

 

So at a minimum the playbook should really be

 

  1. Receive notification of OpenSSL patch
  2. Verify if patch includes critical or major security fixes
  3. Verify patch compatible with corporate systems running OpenSSL
  4. Schedule upgrade to all systems across org at time that is least obtrusive to business operations while ensuring done on a timely basis
  5. Verify all systems have been upgraded and are operational without errors

 

Allan Thomson

CTO (+1-408-331-6646)

LookingGlass Cyber Solutions

 

From: Andrew Storms <storms@newcontext.com>
Date: Tuesday, February 4, 2020 at 9:54 AM
To: Allan Thomson <athomson@lookingglasscyber.com>
Cc: Andrew Storms <storms@newcontext.com>, "cacao@lists.oasis-open.org" <cacao@lists.oasis-open.org>
Subject: Re: [cacao] Preventative Action

 

So for example:

 

Set a policy in which anytime there is a security update to OpenSSL, just always deploy it.

 

On Tue, Feb 4, 2020 at 9:51 AM Allan Thomson <athomson@lookingglasscyber.com> wrote:

In my mind preventative might be something like deploying patches to IT systems whenever a new CVE# is published where this an available patch to prevent that exploit occurring.

 

I know this could be considered mitigation but for me mitigation is more about an active attack exploiting that vulnerability where other actions can take place to not just prevent but also potentially respond to the attacker in ways as part of an overall mitigation of the attacker not just âpreventâ in the 1st place.

 

Remediation occurs when an exploit was successful and systems need to be cleaned up and potentially further changes occur as part of the remediation recommendations that would prevent further exploits.

 

I agree all of these descriptions overlap somewhat. But in general I think they all represent slightly different events in time over the lifecycle of the SecOps team.

 

Allan Thomson

CTO (+1-408-331-6646)

LookingGlass Cyber Solutions

 

From: <cacao@lists.oasis-open.org> on behalf of Andrew Storms <storms@newcontext.com>
Date: Tuesday, February 4, 2020 at 9:47 AM
To: "cacao@lists.oasis-open.org" <cacao@lists.oasis-open.org>
Subject: [cacao] Preventative Action

 

I'd like some help in better understanding the Preventative action type.


What is unique to a Preventative action that is different from Remediative or Mitigative? I recognize that there is some overlap, however it would be great to have 1 example to demonstrate the uniqueness of Preventative that would qualify it as needing its own action type.

 

In order to try and get my head around this, I did a quick matrix of the current examples and mapped them to each action type. What I'm not seeing is a use case where Preventative would not have already been categorized as either mitigative or preventative.

 

Does anyone have a good and unique example for Preventative?

 

Known Threat

Blocking Rules

Affect Policies

Blackhole

Sinkhole

Blacklist

Patch

Investigative

Maybe

N

N

N

N

N

N

Mitigative

Y

Y

Y

Y

Y

Y

Y

Remediative

Y

Y

Y

Y

Preventative

Y

Y

Y

Y

Y

Y

Y

 

 

 

 

Thanks

-A

 

--

Andrew Storms

VP of Security Services

 707-477-4335

Error! Filename not specified.  Error! Filename not specified.

 


 

--

Andrew Storms

VP of Security Services

 707-477-4335

Image removed by sender.  Image removed by sender.

 



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]