OASIS Collaborative Automated Course of Action Operations (CACAO) for Cyber Secu

Duncan â thanks for the comments.
 
On #1 -> I agree with the change. It is the intention is not in the words of what you suggested that we allow such extensions not just vendor ones. We can update the rquirements in Rev #2 after the ballot closes.
 
On #2 -> In general, I feel that this requirement is just a * should * not a must anyway. The requirements document probably overstates it as required based on the majority case. The simplest solution to making progress is that we
just change the requirement from must to a should in the next rev. If others want to add additional language on the cases you raised, please suggest the exact proposed text. Otherwise we will do the minimum edit possible to address your (valid) concerns.
 
Regards
 
Allan
 

From: <cacao@lists.oasis-open.org> on behalf of "duncan sfractal.com" <duncan@sfractal.com>
Date: Wednesday, March 18, 2020 at 4:44 AM
To: "cacao@lists.oasis-open.org" <cacao@lists.oasis-open.org>
Subject: [cacao] Comments on Playbook Requirements


 





THIS EMAIL ORIGINATES FROM OUTSIDE OF LOOKINGGLASS





I apologize that I have let my voting rights lapse. If I could have voted, I would have voted yes with comments. My comments are :
In section 2.2, Interop 2, Extensions: I propose changing â Support vendor-specific extensions â to â Support
industry-specific, enterprise-specific, and vendor-specific extensions â. My logic is the previous bullet says â Support deployment and use within an enterprise
consisting of different vendors. Allow sharing of playbooks between enterprises with different environments, solutions, and vendors â. I agree vendors will want to specify how to meet generic needs with their specific technology
(the original wording) but I think that users might also need similar customizations (enterprise-specific) and that the ISACs/ISAOs might similarly also need customizations (industry-specific).
In section 2.10, Sec.2, Transport: â All requests and responses must be conveyed over a secure (encrypted and authenticated) transport protocol such as
HTTPS (but not limited). â â I think there are more cases than specified and not all cases in all situations have same the requirements.



Case 1: the playbook executor and device doing the action â I agree mutual authentication is required. I think non-repudiation is also required. I donât agree that confidentiality (ie encrypted channel) is required in all cases. I
believe  there are cases in IoT where confidentiality is not required on the content (eg mass update to new software version) as long as integrity in maintained, and the cost of full encryption (in either processing or delay) would be higher than justified.
Iâm thinking in particular of cases where SPA (single packet authentication) is used.
Case 2: playbook creator to playbook executor â I agree authentication of creator is required but not necessarily mutual authentication. I believe there would be cases where playbooks could be âpublicâ for anyone to view. I think non-repudiation
of creator would always be required. And confidentiality (eg full encryption) would be unnecessary in some cases (eg âpublicâ), and required in others.

Duncan Sparrell
sFractal Consulting LLC
iPhone, iTypo, iApologize
I welcome VSRE emails. Learn more at  http://vsre.info /

 
 

From: <cacao@lists.oasis-open.org> on behalf of Allan Thomson <athomson@lookingglasscyber.com>
Date: Tuesday, March 17, 2020 at 7:35 PM
To: "cacao@lists.oasis-open.org" <cacao@lists.oasis-open.org>
Subject: Re: [cacao] Groups - Ballots opened: 2


 

As mentioned on the working call today, the Requirements and Terminology documents have been posted for ballot approval.
 
Both documents are committee notes and are stakes in the ground on what our specifications will deliver on.
 
The minutes from the call including the slides will be posted shortly if not already done.
 
For anyone not on the call today we would highly encourage you review the slides as we will be delivering a draft specification at the next working call.
 
Allan
 

From: <workgroup_mailer@lists.oasis-open.org> on behalf of "tc_admin@oasis-open.org" <tc_admin@oasis-open.org>
Date: Tuesday, March 17, 2020 at 3:09 PM
To: Allan Thomson <athomson@lookingglasscyber.com>
Subject: [cacao] Groups - Ballots opened: 2


 





THIS EMAIL ORIGINATES FROM OUTSIDE OF LOOKINGGLAS S





"Approval of Playbook Requirements Version 1.0
WD 02 as Committee Note Draft 01" has opened.




Ballot Title :

Approval of Playbook Requirements Version 1.0 WD 02 as Committee Note Draft 01








Question
Do you approve the Playbook Requirements Version 1.0 WD 02 as Committee Note Draft 01?


Closing Date : Wednesday, 1 April 2020 @ 10:00 pm EDT

Description
Do you approve Playbook Requirements Version 1.0 WD 02 and all associated artifacts packaged together in the release listed below as a Committee Note Draft and designate the MS Word version of the document as authoritative?



WD02 Release: https://www.oasis-open.org/committees/document.php?document_id=66717&wg_abbrev=cacao



This document defines the core requirements for how cyber security playbooks can be created, documented, and shared in a structured and standardized way across organizational boundaries and technological solutions.


Vote


Yes
No
Abstain







Group : OASIS Collaborative Automated Course of Action Operations (CACAO) for Cyber Security TC
Date Opened : Tuesday, 17 March 2020 @ 6:00 pm EDT





"Approval for Playbook Terminology Version 1.0 WD 01 as a Committee Note Draft 01" has opened.




Ballot Title :

Approval for Playbook Terminology Version 1.0 WD 01 as a Committee Note Draft 01








Question
Do you approve Playbook Terminology Version 1.0 WD 01 and all associated artifacts as a Committee Note Draft 01?


Closing Date : Wednesday, 1 April 2020 @ 10:00 pm EDT

Description
Do you approve Playbook Terminology Version 1.0 WD 01 and all associated artifacts packaged together in the release listed below as a Committee Note Draft and designate the MS Word version of the document as authoritative?



WD01 Release: https://www.oasis-open.org/committees/document.php?document_id=66718&wg_abbrev=cacao



This document defines the terminology for cyber security playbooks.

Vote


Yes
No
Abstain







Group : OASIS Collaborative Automated Course of Action Operations (CACAO) for Cyber Security TC
Date Opened : Tuesday, 17 March 2020 @ 6:00 pm EDT




 

Works for me. Thanks.
 

Duncan Sparrell
sFractal Consulting LLC
iPhone, iTypo, iApologize
I welcome VSRE emails. Learn more at  http://vsre.info /

 
 

From: <cacao@lists.oasis-open.org> on behalf of Allan Thomson <athomson@lookingglasscyber.com>
Date: Wednesday, March 18, 2020 at 10:52 AM
To: "duncan@sfractal.com" <duncan@sfractal.com>, "cacao@lists.oasis-open.org" <cacao@lists.oasis-open.org>
Subject: Re: [cacao] Comments on Playbook Requirements


 

Duncan â thanks for the comments.
 
On #1 -> I agree with the change. It is the intention is not in the words of what you suggested that we allow such extensions not just vendor ones. We can update the rquirements in Rev #2 after the ballot closes.
 
On #2 -> In general, I feel that this requirement is just a * should * not a must anyway. The requirements document probably overstates it as required based on the majority case. The simplest solution to making progress is that we
just change the requirement from must to a should in the next rev. If others want to add additional language on the cases you raised, please suggest the exact proposed text. Otherwise we will do the minimum edit possible to address your (valid) concerns.
 
Regards
 
Allan
 

From: <cacao@lists.oasis-open.org> on behalf of "duncan sfractal.com" <duncan@sfractal.com>
Date: Wednesday, March 18, 2020 at 4:44 AM
To: "cacao@lists.oasis-open.org" <cacao@lists.oasis-open.org>
Subject: [cacao] Comments on Playbook Requirements


 





THIS EMAIL ORIGINATES FROM OUTSIDE OF LOOKINGGLAS S





I apologize that I have let my voting rights lapse. If I could have voted, I would have voted yes with comments. My comments are :
In section 2.2, Interop 2, Extensions: I propose changing â Support vendor-specific extensions â
to â Support industry-specific, enterprise-specific, and vendor-specific extensions â. My logic is the previous bullet says â Support
deployment and use within an enterprise consisting of different vendors. Allow sharing of playbooks between enterprises with different environments, solutions, and vendors â. I agree vendors will want to specify how to meet
generic needs with their specific technology (the original wording) but I think that users might also need similar customizations (enterprise-specific) and that the ISACs/ISAOs might similarly also need customizations (industry-specific).
In section 2.10, Sec.2, Transport: â All requests and responses must be conveyed over a secure (encrypted and authenticated) transport protocol
such as HTTPS (but not limited). â â I think there are more cases than specified and not all cases in all situations have same the requirements.



Case 1: the playbook executor and device doing the action â I agree mutual authentication is required. I think non-repudiation is also required. I donât agree that confidentiality (ie encrypted channel) is required in all cases. I
believe  there are cases in IoT where confidentiality is not required on the content (eg mass update to new software version) as long as integrity in maintained, and the cost of full encryption (in either processing or delay) would be higher than justified.
Iâm thinking in particular of cases where SPA (single packet authentication) is used.
Case 2: playbook creator to playbook executor â I agree authentication of creator is required but not necessarily mutual authentication. I believe there would be cases where playbooks could be âpublicâ for anyone to view. I think non-repudiation
of creator would always be required. And confidentiality (eg full encryption) would be unnecessary in some cases (eg âpublicâ), and required in others.

Duncan Sparrell
sFractal Consulting LLC
iPhone, iTypo, iApologize
I welcome VSRE emails. Learn more at  http://vsre.info /

 
 

From: <cacao@lists.oasis-open.org> on behalf of Allan Thomson <athomson@lookingglasscyber.com>
Date: Tuesday, March 17, 2020 at 7:35 PM
To: "cacao@lists.oasis-open.org" <cacao@lists.oasis-open.org>
Subject: Re: [cacao] Groups - Ballots opened: 2


 

As mentioned on the working call today, the Requirements and Terminology documents have been posted for ballot approval.
 
Both documents are committee notes and are stakes in the ground on what our specifications will deliver on.
 
The minutes from the call including the slides will be posted shortly if not already done.
 
For anyone not on the call today we would highly encourage you review the slides as we will be delivering a draft specification at the next working call.
 
Allan
 

From: <workgroup_mailer@lists.oasis-open.org> on behalf of "tc_admin@oasis-open.org" <tc_admin@oasis-open.org>
Date: Tuesday, March 17, 2020 at 3:09 PM
To: Allan Thomson <athomson@lookingglasscyber.com>
Subject: [cacao] Groups - Ballots opened: 2


 





THIS EMAIL ORIGINATES FROM OUTSIDE OF LOOKINGGLAS S





"Approval of Playbook Requirements Version 1.0
WD 02 as Committee Note Draft 01" has opened.




Ballot Title :

Approval of Playbook Requirements Version 1.0 WD 02 as Committee Note Draft 01








Question
Do you approve the Playbook Requirements Version 1.0 WD 02 as Committee Note Draft 01?


Closing Date : Wednesday, 1 April 2020 @ 10:00 pm EDT

Description
Do you approve Playbook Requirements Version 1.0 WD 02 and all associated artifacts packaged together in the release listed below as a Committee Note Draft and designate the MS Word version of the document as authoritative?



WD02 Release: https://www.oasis-open.org/committees/document.php?document_id=66717&wg_abbrev=cacao



This document defines the core requirements for how cyber security playbooks can be created, documented, and shared in a structured and standardized way across organizational boundaries and technological solutions.


Vote


Yes
No
Abstain







Group : OASIS Collaborative Automated Course of Action Operations (CACAO) for Cyber Security TC
Date Opened : Tuesday, 17 March 2020 @ 6:00 pm EDT





"Approval for Playbook Terminology Version 1.0 WD 01 as a Committee Note Draft 01" has opened.




Ballot Title :

Approval for Playbook Terminology Version 1.0 WD 01 as a Committee Note Draft 01








Question
Do you approve Playbook Terminology Version 1.0 WD 01 and all associated artifacts as a Committee Note Draft 01?


Closing Date : Wednesday, 1 April 2020 @ 10:00 pm EDT

Description
Do you approve Playbook Terminology Version 1.0 WD 01 and all associated artifacts packaged together in the release listed below as a Committee Note Draft and designate the MS Word version of the document as authoritative?



WD01 Release: https://www.oasis-open.org/committees/document.php?document_id=66718&wg_abbrev=cacao



This document defines the terminology for cyber security playbooks.

Vote


Yes
No
Abstain







Group : OASIS Collaborative Automated Course of Action Operations (CACAO) for Cyber Security TC
Date Opened : Tuesday, 17 March 2020 @ 6:00 pm EDT




 

These changes have been made to the master documents and will be part of the next working drafts.  Thanks, Bret PGP Fingerprint:  63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg. On Mar 18, 2020, at 9:45 AM, duncan sfractal.com < duncan@sfractal.com > wrote: Works for me. Thanks.   Duncan Sparrell sFractal Consulting LLC iPhone, iTypo, iApologize I welcome VSRE emails. Learn more at  http://vsre.info /     From:   < cacao@lists.oasis-open.org > on behalf of Allan Thomson < athomson@lookingglasscyber.com > Date:   Wednesday, March 18, 2020 at 10:52 AM To:   duncan@sfractal.com < duncan@sfractal.com >, cacao@lists.oasis-open.org < cacao@lists.oasis-open.org > Subject:   Re: [cacao] Comments on Playbook Requirements   Duncan â thanks for the comments.   On #1 -> I agree with the change. It is the intention is not in the words of what you suggested that we allow such extensions not just vendor ones. We can update the rquirements in Rev #2 after the ballot closes.   On #2 -> In general, I feel that this requirement is just a * should * not a must anyway. The requirements document probably overstates it as required based on the majority case. The simplest solution to making progress is that we just change the requirement from must to a should in the next rev. If others want to add additional language on the cases you raised, please suggest the exact proposed text. Otherwise we will do the minimum edit possible to address your (valid) concerns.   Regards   Allan   From:   < cacao@lists.oasis-open.org > on behalf of duncan   sfractal.com < duncan@sfractal.com > Date:   Wednesday, March 18, 2020 at 4:44 AM To:   cacao@lists.oasis-open.org < cacao@lists.oasis-open.org > Subject:   [cacao] Comments on Playbook Requirements   THIS EMAIL ORIGINATES FROM OUTSIDE OF LOOKINGGLAS S I apologize that I have let my voting rights lapse. If I could have voted, I would have voted yes with comments. My comments are : In section 2.2, Interop 2, Extensions: I propose changing â Support vendor-specific extensions â to â Support industry-specific, enterprise-specific, and vendor-specific extensions â. My logic is the previous bullet says â Support deployment and use within an enterprise consisting of different vendors. Allow sharing of playbooks between enterprises with different environments, solutions, and vendors â. I agree vendors will want to specify how to meet generic needs with their specific technology (the original wording) but I think that users might also need similar customizations (enterprise-specific) and that the ISACs/ISAOs might similarly also need customizations (industry-specific). In section 2.10, Sec.2, Transport: â All requests and responses must be conveyed over a secure (encrypted and authenticated) transport protocol such as HTTPS (but not limited). â â I think there are more cases than specified and not all cases in all situations have same the requirements. Case 1: the playbook executor and device doing the action â I agree mutual authentication is required. I think non-repudiation is also required. I donât agree that confidentiality (ie encrypted channel) is required in all cases. I believe  there are cases in IoT where confidentiality is not required on the content (eg mass update to new software version) as long as integrity in maintained, and the cost of full encryption (in either processing or delay) would be higher than justified. Iâm thinking in particular of cases where SPA (single packet authentication) is used. Case 2: playbook creator to playbook executor â I agree authentication of creator is required but not necessarily mutual authentication. I believe there would be cases where playbooks could be âpublicâ for anyone to view. I think non-repudiation of creator would always be required. And confidentiality (eg full encryption) would be unnecessary in some cases (eg âpublicâ), and required in others. Duncan Sparrell sFractal Consulting LLC iPhone, iTypo, iApologize I welcome VSRE emails. Learn more at  http://vsre.info /     From:   < cacao@lists.oasis-open.org > on behalf of Allan Thomson < athomson@lookingglasscyber.com > Date:   Tuesday, March 17, 2020 at 7:35 PM To:   cacao@lists.oasis-open.org < cacao@lists.oasis-open.org > Subject:   Re: [cacao] Groups - Ballots opened: 2   As mentioned on the working call today, the Requirements and Terminology documents have been posted for ballot approval.   Both documents are committee notes and are stakes in the ground on what our specifications will deliver on.   The minutes from the call including the slides will be posted shortly if not already done.   For anyone not on the call today we would highly encourage you review the slides as we will be delivering a draft specification at the next working call.   Allan   From:   < workgroup_mailer@lists.oasis-open.org > on behalf of tc_admin@oasis-open.org < tc_admin@oasis-open.org > Date:   Tuesday, March 17, 2020 at 3:09 PM To:   Allan Thomson < athomson@lookingglasscyber.com > Subject:   [cacao] Groups - Ballots opened: 2   THIS EMAIL ORIGINATES FROM OUTSIDE OF LOOKINGGLAS S Approval of Playbook Requirements Version 1.0   WD 02 as Committee Note Draft 01 has opened. Ballot Title :   Approval of Playbook Requirements Version 1.0 WD 02 as Committee Note Draft 01 Question Do you approve the Playbook Requirements Version 1.0 WD 02 as Committee Note Draft 01?   Closing Date : Wednesday, 1 April 2020 @ 10:00 pm EDT Description Do you approve Playbook Requirements Version 1.0 WD 02 and all associated artifacts packaged together in the release listed below as a Committee Note Draft and designate the MS Word version of the document as authoritative? WD02 Release:   https://www.oasis-open.org/committees/document.php?document_id=66717&wg_abbrev=cacao This document defines the core requirements for how cyber security playbooks can be created, documented, and shared in a structured and standardized way across organizational boundaries and technological solutions.   Vote Yes No Abstain Group : OASIS Collaborative Automated Course of Action Operations (CACAO) for Cyber Security TC Date Opened : Tuesday, 17 March 2020 @ 6:00 pm EDT Approval for Playbook Terminology Version 1.0 WD 01 as a Committee Note Draft 01 has opened. Ballot Title :   Approval for Playbook Terminology Version 1.0 WD 01 as a Committee Note Draft 01 Question Do you approve Playbook Terminology Version 1.0 WD 01 and all associated artifacts as a Committee Note Draft 01?   Closing Date : Wednesday, 1 April 2020 @ 10:00 pm EDT Description Do you approve Playbook Terminology Version 1.0 WD 01 and all associated artifacts packaged together in the release listed below as a Committee Note Draft and designate the MS Word version of the document as authoritative? WD01 Release:   https://www.oasis-open.org/committees/document.php?document_id=66718&wg_abbrev=cacao This document defines the terminology for cyber security playbooks.   Vote Yes No Abstain Group : OASIS Collaborative Automated Course of Action Operations (CACAO) for Cyber Security TC Date Opened : Tuesday, 17 March 2020 @ 6:00 pm EDT Attachment: smime.p7s Description: S/MIME Cryptographic Signature