Posture Attribute Collection and Evaluation (PACE) is an Open Cybersecurity Alliance (OCA) project. Posture assessment generally consists of understanding, for a given computing resource (or set of computing resources), software load, composition of that software load, patch levels, vulnerability (implied to be software vulnerability), and configuration state. Together, these attributes of a computing resource represent its cybersecurity posture. PACE will leverage and/or contribute to Open Cybersecurity Alliance (OCA) Ontology and OpenC2 for command and control. PACE will be an instantiation of the IETF Security Automation and Continuous Monitoring (SACM) group’s architecture.
Initially, the project intends to focus on building the pipes and connectors between components, leveraging existing payload formats such as SCAP/OVAL, SBOM, etc. Later phases of the project may consider updating payload formats to include other types (e.g., NETCONF/RESTCONF, InSpec, Puppet, Ansible, etc.).
As of October 2021, the PACE prototyping effort is focused on implementing a version of the Security Automation and Continuous Monitoring (SACM) architecture documented in this Internet Draft (expires January 2022). The draft focuses on capabilities for collection and evaluation of "security posture attributes", and uses RFC 7632, Endpoint Security Posture Assessment: Enterprise Use Cases, as a reference. Current PACE efforts are prototyping posture attribute collection using open source tools such as osquery and nmap, using OpenC2 to control collection activities. An OpenC2 Actuator Profile (AP) for Security Posture Attribute Collection is an anticipated product of this work.
A Security Posture website has been created to capture PACE use cases and operating scenarios. Contributors are encouraged to review the Security Posture By Example pages and both enhance existing descriptions and add new use cases for consideration by the PACE project.
PACE holds monthly meetings via Zoom on the second Monday of each month from 1:00-1:45 pm Eastern Time. Meeting information can be found on the PACE calendar.
(Updated 3 October 2022)
Documentation related to PACE prototyping is maintained in the OCA PACE GitHub repository. The following documents help to illustrate SACM concepts, their connection to OpenC2, and the initial direction of the PACE prototyping effort, along with possible future use cases that could be implemented.
- SACM and OpenC2 Concept starts from the high-level SACM architecture contained in the Internet Draft and illustrates a concept for applying OpenC2 to its implementation. This concept document also illustrates a potential use for the presently-undefined OpenC2 notification message concept.
- The 18 October 2021 Status Update illustrates message flows and gives an overview of the prototyping network environment.
- The repository includes use cases to illustrate prioritizing intrusion alerts and threat hunting triggered by an indicator received as a STIX Cyber Observable object.
Information contained in the OCA documentation repository may also be helpful.
The PACE prototyping work will likely also include the retrieval of Software Bill of Materials (SBOM) objects that play a role in various cybersecurity scenarios, such as this vision for a Comply to Connect implementation captured for a previous OpenC2 plugfest.
The PACE prototyping effort is a conceptual successor to prototyping previously done related to the Security Content Automation Protocol, v2.
- SCAP v2 Data Collection Architecture - Document, 18 August 2020
- Data Collection Architecture - Fall Workshop briefing, 29 September 2020
- SCAPv2 and OpenC2 - Fall Workshop briefing, 29 September 2020
See Frequently Asked Questions for more information about PACE.