This is a working document.
Matrix representation of the three categories of log management (generation, monitoring, alerting) and the two categories of run-time logs (logs of ONAP events, logs of events from services orchestrated by ONAP).
| ONAP | ONAP | Service | Service | |
| Application | Infrastructure | Application | Infrastructure | |
|---|---|---|---|---|
| generation | ||||
| collection | ||||
| monitoring | ||||
| alerting | ||||
| response |
Phase 1 will focus on logs of ONAP events.
Phase 2 will focus on logs of events from services orchestrated by ONAP
Notes
At a high level there are 4 broad categories in regards to Security Event Management (Or is this a Security Event Lifecycle?)
**There probably a body of work we can reference that spells this out. ACTION: Literature review for that
- Generation
- Within ONAP both containers and infrastructure generate raw data that have security concerns.
- Containers (xNFs)
- Infrastructure (Docker and K8S)
- There are a set of logs that both Docker and K8S generate that relate to security monitoring.
- That is documented here: https://wiki.onap.org/download/attachments/103419713/Logging%20-%20ATTACK%20to%20SECCOM_v3.pptx?version=1&modificationDate=1622560207000&api=v2
- Within ONAP both containers and infrastructure generate raw data that have security concerns.
- Collection
- There currently is a SECCOM proposal that specifies what type of data should be logged where it should be logged to.
- How these logs would be collected and aggregated is specified by the ONAP NextGen Presentation by Byung.
- ONAP Next Generation Security & Logging Architecture#ONAPLogging
- old presentation slide deck (see the above link for the latest on) https://wiki.onap.org/download/attachments/103416997/ONAP-Next-Generation-Security-Logging-2021-5-25-v1.pptx?version=1&modificationDate=1621953519000&api=v2
- Monitoring
- Includes Enrichment, Analysis, and Reporting.
- It is expected that this function out of scope for ONAP. A CSP / MNO will make used of a SIEM. ONAP's role is to provide a means to export security event data. This is where analytics are stored and applied to the data the is ingested from ONAP.
- Presentation by Fabian pertaining to Analysis: ONAP Logs Security Managment1.pptx
- Alerting
- Possibly to include mitigation and actions.
- If we expect ONAP to respond to security events in a closed loop manner, then there needs to be a way for events generated by the SIEM to be ingested back into ONAP.
- Response
Comments from Chakar, paraphrased, (7/20/2021 SECCOM Meeting)
- We need to disambiguate "Logging" vs "Data Collection".
- Logging from ONAP and Logging from xNF are not the same.
Terms
This is place where we can standardize our language.
- Security Data: This is raw data that by itself may not be enough to indicate a security event.
- Security Event:
- Analytic
QUESTIONS (Or Advanced Use Cases)
- In terms of security logging, should we handle ONAP components differently than Service Components hosted in ONAP?
- How do we handle the use case where ONAP is being used to deploy and manage a security infrastructure?
- What about security events in regards to the closed loop model? Adversarial AI will be an issue that will need security monitoring in the near future. Does this mean that orchestration / life cycle data from the DCAE needs to ingested by a SIEM?
References
- https://www.enisa.europa.eu/publications/security-in-5g-specifications
- https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks