OASIS Collaborative Automated Course of Action Operations (CACAO) for Cyber Security

Re: [cacao] Preventative Action

    Posted 02-04-2020 18:01

    I think that's a reasonable example.

    However, that specific example might run into problems, especially if the update to OpenSSL hasn't been verified for compatibility with all systems currently deployed and their particular configurations matching the new version.

    So at a minimum the playbook should really be:

    1. Receive notification of OpenSSL patch
    2. Verify if patch includes critical or major security fixes
    3. Verify patch compatible with corporate systems running OpenSSL
    4. Schedule upgrade to all systems across org at time that is least obtrusive to business operations while ensuring done on a timely basis
    5. Verify all systems have been upgraded and are operational without errors
     

    Allan Thomson
    CTO ( +1-408-331-6646)

    LookingGlass Cyber Solutions
     

    From: Andrew Storms <storms@newcontext.com>
    Date: Tuesday, February 4, 2020 at 9:54 AM
    To: Allan Thomson <athomson@lookingglasscyber.com>
    Cc: Andrew Storms <storms@newcontext.com>, "cacao@lists.oasis-open.org" <cacao@lists.oasis-open.org>
    Subject: Re: [cacao] Preventative Action


     


    So for example:

     


    Set a policy in which anytime there is a security update to OpenSSL, just always deploy it.


     


    On Tue, Feb 4, 2020 at 9:51 AM Allan Thomson <athomson@lookingglasscyber.com> wrote:

    In my mind preventative might be something like deploying patches to IT systems whenever a new CVE# is published where there is an available patch to prevent that exploit occurring.

    I know this could be considered mitigation, but for me mitigation is more about an active attack exploiting that vulnerability where other actions can take place to not just prevent but also potentially respond to the attacker in ways as part of an overall mitigation of the attacker, not just prevent in the 1st place.

    Remediation occurs when an exploit was successful and systems need to be cleaned up, and potentially further changes occur as part of the remediation recommendations that would prevent further exploits.

    I agree all of these descriptions overlap somewhat. But in general I think they all represent slightly different events in time over the lifecycle of the SecOps team.
     

    Allan Thomson
    CTO ( +1-408-331-6646)

    LookingGlass Cyber Solutions
     

    From: <cacao@lists.oasis-open.org> on behalf of Andrew Storms <storms@newcontext.com>
    Date: Tuesday, February 4, 2020 at 9:47 AM
    To: "cacao@lists.oasis-open.org" <cacao@lists.oasis-open.org>
    Subject: [cacao] Preventative Action


     


    I'd like some help in better understanding the Preventative action type.

    What is unique to a Preventative action that is different from Remediative or Mitigative? I recognize that there is some overlap, however it would be great to have 1 example to demonstrate the uniqueness of Preventative that would qualify it as needing its own action type.

    In order to try and get my head around this, I did a quick matrix of the current examples and mapped them to each action type. What I'm not seeing is a use case where Preventative would not have already been categorized as either mitigative or preventative.

    Does anyone have a good and unique example for Preventative?

                   Known Threat  Blocking Rules  Affect Policies  Blackhole  Sinkhole  Blacklist  Patch
    Investigative  Maybe         N               N                N          N         N          N
    Mitigative     Y             Y               Y                Y          Y         Y          Y
    Remediative    Y             Y               Y                -          -         -          Y
    Preventative   Y             Y               Y                Y          Y         Y          Y

    ( - = cell left empty in the original matrix)





     


     


     

     

    Thanks

    -A

    --
    Andrew Storms
    VP of Security Services
    P 707-477-4335
















     














     

    --
    Andrew Storms
    VP of Security Services
    P 707-477-4335
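The five-step playbook proposed at the top of the thread (receive the OpenSSL patch notification, gate on critical/major security content, check compatibility, schedule the upgrade, verify every host) can be modelled as a small workflow in which each step is a gate that either advances or stops the run. The following is an added example written for this page, not code from the CACAO TC, from the participants, or from the CACAO specification's JSON schema. The advisory, the host inventory, the post-upgrade report, the severity scale and the 3-day/14-day deadline policy are all constructed assumptions; the fix identifier is a placeholder. It shows the difference from the "always deploy" policy: a low-severity advisory or an uncertified build stops the run with a recorded reason instead of being pushed to production.

```python
# Toy model of the five-step preventative patch playbook from the thread.
# Constructed sample data; hostnames, versions and fix identifiers are placeholders.

ADVISORY = {
    "package": "openssl",
    "new_version": "1.1.1g",
    "security_fixes": ["EXAMPLE-FIX-1"],  # placeholder, not a real identifier
    "severity": "critical",               # assumed scale: low, moderate, major, critical
}

# Each host records the OpenSSL builds it has been certified against and its
# least-disruptive maintenance window (constructed inventory).
INVENTORY = [
    {"host": "web-01", "version": "1.1.1f", "certified": ["1.1.1f", "1.1.1g"], "window": "Sat 02:00"},
    {"host": "api-01", "version": "1.1.1f", "certified": ["1.1.1f", "1.1.1g"], "window": "Sun 03:00"},
    {"host": "legacy-db", "version": "1.1.1d", "certified": ["1.1.1d"], "window": "Sat 02:00"},
]

# Constructed post-upgrade report: api-01 never picked up the new build.
REPORT = {
    "web-01": {"version": "1.1.1g", "healthy": True},
    "api-01": {"version": "1.1.1f", "healthy": True},
}


def receive_notification(advisory):
    """Step 1: accept a patch notification only if it is well-formed and for OpenSSL."""
    required = {"package", "new_version", "security_fixes", "severity"}
    if not required <= set(advisory) or advisory["package"] != "openssl":
        return None
    return advisory


def has_major_security_fix(advisory):
    """Step 2: gate on critical or major security content, not on every update."""
    return bool(advisory["security_fixes"]) and advisory["severity"] in ("critical", "major")


def check_compatibility(advisory, inventory):
    """Step 3: split hosts into those certified for the new build and those not."""
    target = advisory["new_version"]
    ok = [h for h in inventory if target in h["certified"]]
    blocked = [h for h in inventory if target not in h["certified"]]
    return ok, blocked


def schedule_upgrade(advisory, hosts):
    """Step 4: group hosts by maintenance window; tighter deadline for critical fixes."""
    deadline_days = 3 if advisory["severity"] == "critical" else 14  # assumed policy
    windows = {}
    for h in hosts:
        windows.setdefault(h["window"], []).append(h["host"])
    return {"deadline_days": deadline_days, "windows": windows}


def verify_upgrade(advisory, hosts, report):
    """Step 5: a host passes only if it reports the target version and is healthy.
    A host missing from the report counts as failed rather than silently passing."""
    target = advisory["new_version"]
    failed = []
    for h in hosts:
        state = report.get(h["host"])
        if state is None or state["version"] != target or not state["healthy"]:
            failed.append(h["host"])
    return failed


def run_playbook(advisory, inventory, report):
    """Walk the steps in order; each gate records where and why the run stopped."""
    adv = receive_notification(advisory)
    if adv is None:
        return {"stopped_at": "receive_notification", "reason": "malformed advisory"}
    if not has_major_security_fix(adv):
        return {"stopped_at": "verify_security_fix", "reason": "no critical/major fix"}
    ok, blocked = check_compatibility(adv, inventory)
    if not ok:
        return {"stopped_at": "verify_compatibility", "reason": "no certified hosts",
                "blocked": [h["host"] for h in blocked]}
    plan = schedule_upgrade(adv, ok)
    return {
        "stopped_at": None,
        "scheduled": plan,
        "needs_exception": [h["host"] for h in blocked],  # compatibility gap to resolve
        "failed_verification": verify_upgrade(adv, ok, report),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_playbook(ADVISORY, INVENTORY, REPORT), indent=2))
```

With the constructed data, the run schedules web-01 and api-01 in their own windows under a 3-day deadline, reports legacy-db as needing a compatibility exception because it is not certified for the new build, and flags api-01 as failing verification because it still reports the old version. Changing the severity to "low" stops the run at the security-fix gate, which is exactly the case the "always deploy" policy would have pushed through.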