openc2-imple message
Subject: Re: CACAO


We spent long conversations on BPMN and BPEL during the national smart grid process. We finally went another way for two reasons:

1) Our primary need was to negotiate schedules for simple elements, i.e., schedule moments similar to those for which one receives a meeting request (ICAL).

2) We felt the elements of schedule and duration were not chosen properly to allow relocation. Clearly all schedules include three elements Begin-duration-end. Given any two, one can compute the third. Most such languages give primacy to one of the end points. Must begin before or at (or by) ttttt. Must end by after tttt. We chose to focus on the duration. This enabled us to schedule a complex sequence by saying step 4 is four hours and starts at 9:00. All other elements in a sequence could be computed by posting the target duration.

3) We wanted the schedule to be semantically compatible with the way humans schedule their lives.

Our strongest target was Power Generation. Consider a service advertisement (WSDL) for a generator:

A. Lead time: call us at least an hour before you want it turned on. (Duration)
B. Start-time: it takes 20 minutes to ignite the system.
C. Ramp Time: it takes 35 minutes to bring the generator up to full power. There will be a predictable effect on the grid during this period.
D. Run-Time: I want the generator to run for some contracted time (Service Entry Point)
E. Ramp-Down: it takes 20 minutes for the generator to be shut down.
F. Minimum Time Between Invocations: 8 hrs

Using the service one can schedule the sequence fully by hitting (D) to run for 16 hours starting at 9:00 AM. That creates begin and end times to easily compute the begin time for all other points. (There are many more aspects, this simply describes the logic behind it.)

Or consider the team working the conference.

One Hour Set up Booth (Team A)
Half Hour set up Registration (Customer Team)
Undefined Hours, Conference
Half an Hour, put away Sales Literature
Two Hours take apart, pack Booth.

Once again, the hour that the conference is open computes to direct posting to the different team schedules.

BPMN clearly has the most mature existing code set. 

BPEL has its advocates and I almost did a very large project in it 4 years ago.

tc
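The duration-centred scheduling described above (begin, duration and end, any two of which fix the third, with one pinned step from which every other step's times are posted) as an added Python example; it is not code from this thread, from OpenC2 or from CACAO. The step names, the 2019-07-17 start date and the two step tables are constructed from the generator and conference sequences in the message above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Sequence, Tuple


@dataclass
class Interval:
    """One scheduled element: any two of begin/duration/end determine the third."""
    name: str
    begin: Optional[datetime] = None
    duration: Optional[timedelta] = None
    end: Optional[datetime] = None

    def complete(self) -> "Interval":
        known = sum(v is not None for v in (self.begin, self.duration, self.end))
        if known < 2:
            raise ValueError(f"{self.name}: need two of begin/duration/end")
        if self.end is None:
            self.end = self.begin + self.duration
        elif self.begin is None:
            self.begin = self.end - self.duration
        elif self.duration is None:
            self.duration = self.end - self.begin
        elif self.begin + self.duration != self.end:
            raise ValueError(f"{self.name}: begin + duration != end")
        if self.duration < timedelta(0):
            raise ValueError(f"{self.name}: negative duration")
        return self


def schedule(steps: Sequence[Tuple[str, Optional[timedelta]]],
             anchor: str,
             begin: Optional[datetime] = None,
             end: Optional[datetime] = None,
             duration: Optional[timedelta] = None) -> Dict[str, Interval]:
    """Pin one step (the anchor) and post begin/end to every other step.

    Steps are ordered, contiguous intervals. Only the anchor may lack a
    duration in `steps` (it is completed from the begin/end/duration given
    here); every other step must carry its duration so it can be computed
    from its neighbour.
    """
    names = [n for n, _ in steps]
    if anchor not in names:
        raise KeyError(anchor)
    idx = names.index(anchor)
    ivs = [Interval(n, duration=d) for n, d in steps]
    a = ivs[idx]
    a.begin, a.end = begin, end
    if duration is not None:
        a.duration = duration
    a.complete()
    # Backward pass: each earlier step ends exactly when its successor begins.
    for i in range(idx - 1, -1, -1):
        ivs[i].end = ivs[i + 1].begin
        ivs[i].complete()
    # Forward pass: each later step begins exactly when its predecessor ends.
    for i in range(idx + 1, len(ivs)):
        ivs[i].begin = ivs[i - 1].end
        ivs[i].complete()
    return {iv.name: iv for iv in ivs}


H, M = timedelta(hours=1), timedelta(minutes=1)

# Constructed from the generator service advertisement (A-F) above.
GENERATOR = [
    ("lead_time", 1 * H),
    ("start", 20 * M),
    ("ramp_up", 35 * M),
    ("run", None),          # service entry point: pinned by the caller
    ("ramp_down", 20 * M),
    ("min_gap", 8 * H),     # minimum time before the next invocation
]

# Constructed from the conference team sequence above.
CONFERENCE = [
    ("setup_booth", 1 * H),
    ("setup_registration", 30 * M),
    ("conference", None),   # undefined hours: pinned by open/close times
    ("put_away_literature", 30 * M),
    ("pack_booth", 2 * H),
]


def generator_schedule(start: datetime = datetime(2019, 7, 17, 9, 0),
                       hours: int = 16) -> Dict[str, Interval]:
    """Hit (D) for `hours` starting at `start`; everything else follows."""
    return schedule(GENERATOR, "run", begin=start, duration=hours * H)


def conference_schedule(opens: datetime, closes: datetime) -> Dict[str, Interval]:
    """The open hours compute directly to each team's posting."""
    return schedule(CONFERENCE, "conference", begin=opens, end=closes)


if __name__ == "__main__":
    for name, iv in generator_schedule().items():
        print(f"{name:22s} {iv.begin:%m-%d %H:%M} -> {iv.end:%m-%d %H:%M}  ({iv.duration})")
```

Running the module prints the generator chain: with the run pinned at 09:00 for 16 hours, lead time must begin at 07:05, ignition at 08:05 and ramp-up at 08:25, and the generator is free for a new invocation at 09:20 the next day. A non-anchor step with no duration raises rather than silently leaving a gap, which is the failure mode that begin-only or end-only schedule languages tend to hide.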
 
From: openc2-imple@lists.oasis-open.org <openc2-imple@lists.oasis-open.org> on behalf of duncan sfractal.com <duncan@sfractal.com>
Sent: Wednesday, July 17, 2019 3:54 PM
To: oasis.oc2.icsc <openc2-imple@lists.oasis-open.org>
Subject: [openc2-imple] CACAO
 

FYI to IC-SC members in case you hadn’t seen the attached on a new OASIS TC on CACAO and may be interested in joining that TC as well. CACAO is “Collaborative Automated Course of Action Operations”, basically a standard for sharing “playbooks”.

 

It was (maybe still will be?) an IETF group started by a common crew of OpenC2 and STIX (Bret, Allan, Jyoti are the co-authors of the IETF document: https://datatracker.ietf.org/doc/draft-jordan-cacao-charter/?include_text=1) and it specifically mentions OpenC2 as one of the potential choices for the atomic actions in the playbook.

 

I think CACAO is already on the IC-SC list of things that “transport” (or in this case “use”) OpenC2. If it isn’t, it should be (sFractal opinion, not TC chair pronouncement). I’m not advocating IC-SC doing anything. I assume if OpenC2 is lacking in anything CACAO needs, then they’ll tell us what needs changing/adding and we’ll handle it (as opposed to them creating a parallel language because we don’t have something they need). This email is just FYI so members with an interest can participate.

 

Duncan Sparrell

sFractal Consulting LLC

iPhone, iTypo, iApologize

I welcome VSRE emails. Learn more at http://vsre.info/

 

 

From: Chet Ensign <chet.ensign@oasis-open.org>
Date: Tuesday, July 16, 2019 at 10:29 AM
To: "tc-announce@lists.oasis-open.org" <tc-announce@lists.oasis-open.org>, "members@lists.oasis-open.org" <members@lists.oasis-open.org>, OASIS Charter Discuss List <oasis-charter-discuss@lists.oasis-open.org>, OASIS TAB <tab@lists.oasis-open.org>
Subject: [members] Call for Comment: proposed Charter for Collaborative Automated Course of Action Operations (CACAO) TC

 

OASIS Members:

A draft TC charter has been submitted to establish the Collaborative Automated Course of Action Operations (CACAO) Technical Committee. In accordance with the OASIS TC Process Policy section 2.2: (https://www.oasis-open.org/policies-guidelines/tc-process#formation) the proposed charter is hereby submitted for comment. The comment period shall remain open until 29 July 2019 23:59 UTC.

OASIS maintains a mailing list for the purpose of submitting comments on proposed charters. Any OASIS member may post to this list by sending email to: oasis-charter-discuss@lists.oasis-open.org. All messages will be publicly archived at: http://lists.oasis-open.org/archives/oasis-charter-discuss/. Members who wish to receive emails must join the group by selecting "join group" on the group home page: http://www.oasis-open.org/apps/org/workgroup/oasis-charter-discuss/. Employees of organizational members do not require primary representative approval to subscribe to the oasis-charter-discuss e-mail.

A telephone conference will be held among the Convener, the OASIS TC Administrator, and those proposers who wish to attend within four days of the close of the comment period. The announcement and call-in information will be noted on the OASIS Charter Discuss Group Calendar.

We encourage member comment and ask that you note the name of the proposed TC (CACAO) in the subject line of your email message.

---

Section 1: TC Charter

(1)(a) TC Name

Collaborative Automated Course of Action Operations (CACAO) for Cyber Security

(1)(b) Statement of Purpose

This TC will create a standard that implements the course of action playbook model for cybersecurity operations. Each type of collaborative course of action playbook, such as prevention, mitigation and remediation, will consist of a sequence of cyber defense actions that can be executed by the various technological solutions that can act on those actions. These course of action playbooks should be referenceable by other cyber threat intelligence that provides support for related data such as threat actors, campaigns, intrusion sets, malware, attack patterns, and other adversarial techniques, tactics, and procedures.

This TC may submit the specifications produced by this TC to other standards bodies (e.g., ITU-T, ETSI) for additional ratification.

Business Benefits

To defend against threat actors and their tactics, techniques, and procedures, organizations need to manually identify, create, and document prevention, mitigation, and remediation steps. These steps when grouped together form a course of action playbook that can be used to protect systems, networks, data, and users. The problem is, once these course of action playbooks have been created there is no standardized and structured way to document them or easily share them across organizational boundaries and technological solutions.

(1)(c) Scope

This solution will specifically enable:

1. the creation and documentation of course of action playbooks in a structured machine-readable format
2. organizations to digitally sign course of action playbooks
3. the secure sharing and distribution of course of action playbooks across organizational boundaries and technological solutions
4. the creation and documentation of processing instructions for course of action playbooks in a machine readable format

It is out of scope of the WG to define or recommend actual investigation, detection, prevention, mitigation, and remediation steps for a given specific threat (e.g., defining how to remediate Fuzzy Panda on Windows 10). The TC will not consider how shared actions are operationalized on specific systems, except where it is necessary for those actions to interact with the playbook including the response expected for a specific action or step.

(1)(d) Deliverables

This TC has the following major goals and deliverables

 - CACAO Use Cases and Requirements
   - The TC will identify and document the core requirements needed to support the common use cases that are done today.

 - CACAO Functional Architecture: Roles and Interfaces
   - The TC will specify the system functions and roles that are needed to enable collaborative courses of action playbooks.

 - CACAO Protocol Specification
   - The TC will identify and standardize the configuration for at least one protocol that can be used to distribute course of action playbooks over the interfaces identified in the CACAO functional architecture.

 - CACAO Data Model
   - This TC will define a normative data model for CACAO using property tables similar to how the OASIS STIXv2 data model was defined. This data model will be designed to explicitly work with I-JSON and all examples will be done in JSON. The TC will also define JSON as the mandatory to implement serialization for this version of CACAO. The TC may decide to also document the data model in other non-normative forms that would be located in an appendix.

 - CACAO Interoperability Test Documents
   - This TC will define and create a series of tests and documents to assist with interoperability of the various systems involved. These documents can be used by technological solutions adopting the CACAO course of action playbooks to help ensure that they do so in an interoperable manner. The TC will decide how best to publish these documents.

(1)(e) IPR Mode

This TC will operate under the Non-Assertion IPR mode as defined in the OASIS Intellectual Property Rights (IPR) Policy.

(1)(f) Audience

Security Vendors, Incident Responders, Security Operation Centers (SOCs), Cyber Defence Centers, Threat Intelligence Analysts, Large Enterprise, Governments

(1)(g) Language

The CACAO TC will conduct its business in English.

(Optional References for Section 1)

https://www.lookingglasscyber.com/blog/cacao-a-future-for-collaborative-cybersecurity-course-of-action/


Section 2: Additional Information

(2)(a) Identification of Similar Work

We do not know of any existing open source or open standard solutions that address security playbooks. There are several proprietary solutions that exist, but those are not shareable in an open standards way. Some solutions like BPMN exist that deal with process management for a business in XML format. However, this group does not believe that BPMN is the best solution for trying to solve the cyber security playbook problem.  Some additional frameworks such as:

https://nifi.apache.org/
https://camunda.com/

may be utilized or referenced in the design of CACAO playbooks.

(2)(b) First TC Meeting

Tuesday September 24th 20th 2019 at 11:00 AM US-ET and will be done via Zoom.

(2)(c) Ongoing Meeting Schedule

The TC will plan on having bi-weekly meetings on Tuesdays at 11:00 AM US-ET.

(2)(d) TC Proposers

Bret Jordan - Bret_Jordan@symantec.com
Allan Thomson - athomson@lookingglasscyber.com
Jason Keirstead - Jason.Keirstead@ca.ibm.com
Allen Hadden - ahadden@us.ibm.com
Arnaud Taddei - arnaud_taddei@symantec.com

(2)(e) Primary Representatives' Support

“CACAO Technical Committee represents a significant opportunity to define a standard mechanism for security playbook for security operations and incident response. LookingGlass Cyber Solutions firmly supports the creation of this TC and will provide active support in creating the specifications” - Allan Thomson, CTO, LookingGlass Cyber Solutions.

“The need for automated and shareable cyber security playbooks is critical to improving operational cyber security. CACAO will enable organizations, both big and small, to prevent, mitigate, or remediate cyber threats more quickly and with greater confidence. Symantec Corporation fully supports the creation of this TC and the participation of our proposer(s) listed above.” - Bret Jordan, Director Office of the CTO, Symantec Corporation.

"The ability to efficiently collaborate across vendors on incident response actions and playbooks, will fill a critical gap in the cybersecurity operations ecosystem, and enable better outcomes for our clients. IBM Security is proud to support the formation of this TC and the participation of our proposers listed above." - Jason Keirstead - Chief Architect of Threat Management,  IBM Security

(2)(f) TC Convener

Bret Jordan - bret_jordan@symantec.com

(2)(g) OASIS Member Section

N/A

(2)(h) Anticipated Contributions

Introduction https://datatracker.ietf.org/doc/draft-jordan-cacao-introduction/

(2)(i) FAQ Document

N/A

(2)(j) Work Product Titles and Acronyms

CACAO 

 

--


/chet 
----------------

Chet Ensign

Chief Technical Community Steward
OASIS: Advancing open standards for the information society
http://www.oasis-open.org


Mobile: +1 201-341-1393 
