[CCE-WORKING-GROUP-LIST] Capturing CCE Info

The "parameters of interest" will change over time and that is why the
social processes must always be in place because the technology will not
know how to recalibrate.

My statement below about communities stabilizing (or sometimes
fragmenting) is just to point out what we have today. I'm in no way
trying to trivialize the social complexity, I'm trying to do the
opposite and highlight how these social problems are really the first
step and not the last.  I've watched over the years as PCI changed the
understanding of a community (retail and leisure) , I've seen the same
happen with many other regulations whereby there is a common bad thing
(cost) that will happen (get fired, get fined, get shamed, etc).

Indirectly, if we ask the question, if I don't do/apply/contribute-to
CCE:
- what (cost) bad thing will happen to me or my peers?
- what opportunity will be lost?
How we individually answer this question highlights how we all
understand CCE's progress over the years.

--tk

-----Original Message-----
From: Adam Montville [mailto:[hidden email]]

Sent: Monday, August 22, 2011 11:03 AM
To: Tim Keanini; Mann, Dave; [hidden email]
Subject: Re: [CCE-WORKING-GROUP-LIST] Capturing CCE Info



On 8/22/11 7:50 AM, "Tim Keanini" <[hidden email]> wrote:

>At the core of this discussion is simply the question: How does a CCE
>come in to being?
>This is ontogenesis.  http://en.wikipedia.org/wiki/Ontogeny
>It is the only way to get complex systems to stabilize.

Insightful as usual.

>
>Picture a control panel with two knobs: one labeled social, the other
>labeled technical :-) As we turn up the technical knob and are success,

>we may wash out some of the inconsistency and slowness with the social
>but never will the social ever reach zero unless we are dealing with a
>world model that is too complex for human understanding all together.

Agree.

>With CCE, we are dealing with a parameters space far more vast than we
>care or even should care about understanding so it then becomes a game
>of being able to make socially stable those "parameters of interest" so

>that we can automate our ability to witness them.

The "parameters of interest" will change over time.

>This is what the
>checklist programs have done so far.  Mind you, sometimes this social
>understanding cannot be made stable and if this is true, the benefits
>of the technical will be limited to fragmented communities as they have

>been for years now.

Is this statement suggesting that reaching a stable vocabulary between
our domains is not possible?  It seems that stabilization is a necessary
condition for effective automation.

>
>
>Yes, I have had too much coffee this morning.

Never.

>
>--tk
>
>-----Original Message-----
>From: [hidden email]
>[mailto:[hidden email]] On Behalf Of Adam

>Montville
>Sent: Monday, August 22, 2011 8:31 AM
>To: Mann, Dave; [hidden email]
>Subject: Re: [CCE-WORKING-GROUP-LIST] Capturing CCE Info
>
>On 8/19/11 1:07 PM, "Mann, Dave" <[hidden email]> wrote:
>
>>>From: Adam Montville [mailto:[hidden email]] At the time,
>>>helping human analysts correlate was the requirement.  I believe now
>>>this has changed somewhat.  I would like to see the industry move in
>>>a
>
>>>direction that permits very complicated correlations in an automated
>>>manner.  As we mature beyond the C&A-motivated capabilities of asset,

>>>configuration, and vulnerability management into supporting specific
>>>security processes (I.e. Event correlation), we are going to be
>>>serving much different needs.
>>
>>I can totally understand this desire and aspiration.
>>
>>My sense is that we (the configuration audit/management) community are

>>facing a very thorny problem though - one whose economic and human
>>process problems are just as hard as the technical ones and the
>>technical ones are way hard.
>>
>>The core issue as I see it is how do you instrument a platform and
>>then
>
>>generate, expose and share executable content against that
>>instrumentation in a way that is a) economically feasible and b)
>>meaningful to the configuration audit community?
>
>I would really like to see us expand from this limitation to the
>configuration audit community. Incident handlers, for example, may also

>find CCE useful.
>
>>
>>Languages (e.g. like OVAL) are certainly needed but they aren't
>>sufficient.  Check logic needs to be written, or generated.   Some
>>suggest that OS/application vendors should generate this content but
>>others have noted the lack of economic incentives.
>>
>>To further complicate this, our use case analysis (both for CCE and
>>other related efforts) has repeatedly and consistently shown that
>>software vendors think of "configuration issues" in very different
>>terms than the configuration audit/management community does.  So,
>>there's the strong possibility for the "be careful what you wish for"
>>problem.  Machine consumable content that is auto-generated by a
>>process that is centered more on feature & code-base management may
>>not
>
>>be useful for configuration audit.
>
>Yes, we should be careful what we wish for, but right now I feel that
>we're at a point of flushing out some important semantic differences.
>Consider a world in which CCE, the specification, is used outside just
>the security context.  Would we still call it CCE?
>
>Also, my argument here is that, especially for incident response
>capabilities, understanding configuration issues from the software
>vendors' point of view is, perhaps, as important as viewing
>configuration issues in the security context (in fact, when
>investigating an incident, aren't all "configuration issues"
>security-related?).
>
>>
>>Another consideration... I don't see large scale automated
>>configuration audit content provisioning happening until the content
>>itself is largely auto-generated from other data stores.
>
>This is an important point to make and to be heard.
>
>>
>>As many of you know, I'm a nut about vintage bicycles.  I ride a 1979
>>Trek.  It was handmade in a barn in Madison, WI and many of the early
>>Trek workers went on to notable careers as custom hand-made bike
>>builders.  In fact, they had to find other work because by 1989, Trek
>>bikes were pretty much all produced by precision robotics.  As much of

>>a fan of hand-made bikes as I am, Trek's move to automation allowed
>>them to become an industry giant.
>>
>>I think configuration content at the level you're talking about will
>>need to be auto-created, at least to some degree.
>
>I agree.  We're at the point where we ought to be considering how this
>can happen.
>
>>
>>
>>Dave Mann wrote:
>>>>3) Since the issue of CCE's future has been raised, my sense is that

>>>>the important success goals for CCE's near to mid-term progress
>include:
>>>>+ Broader coverage of security guides and audit tool issues by CCE.
>>
>>Adam wrote:
>>>I'm wondering if this isn't too narrow a focus.  This relegates CCE
>>>to
>
>>>security-specific settings, and it's clear that this industry is
>>>coming to the realization that security-specific processes really
>>>support IT processes, and that IT processes encompass more than
>>>security-specific settings.
>>
>>In terms of vision, it is too narrow and that has been CCE's position
>>since the beginning.
>>
>>But, in terms of current realities it remains something of a stretch
>>goal for us.  We aren't close to hitting that goal yet.
>>
>>Even if we drop the hopes for machine readable content related to CCEs

>>and just stick with CCE's as currently defined, broadening the scope
>>beyond what is captured in security guides and config audit tools will

>>require that we auto-generate CCE data.  This turns out to be pretty
>hard.
>>
>>As many of you know, Microsoft has been working with the CCE team to
>>auto-generate CCE candidates.  We've had some wonderful initial
>>successes along with the expected hiccups.  IMO, they're to be
>>commended for working on this as hard as they have. They are certainly

>>well out in front of anybody else in this regard.
>
>I didn't realize this is ongoing work.  Happy to hear it.
>
>>
>>One of the issues that we've encountered (and I must emphasize this,
>>we've seen this with every single OS/App vendor we've worked with) is
>>that their internal data is fundamentally different from what is
>>codified in CCE. There are significant tensions around level of
>>abstraction issues for instance.  Software manufacturing is different
>>from configuration management and this is to be expected and I in no
>>way fault Microsoft or any other software vendor for it.
>
>So, perhaps this is another point of evidence to substantiate an
>assertion that we're at a place where we need to consider the two as
>separate, but related definitions.  I'm not sure of the "right" answer
>- there are likely many ways to figure this out.
>
>>
>>So, let me toss out a challenge to my friends in the configuration
>>audit/management space?
>>
>>Would your company be willing to work with us to attempt to
>>auto-generate CCE candidates from your internal configuration
>>audit/management repositories?
>
>I hope the answer is yes from many.
>
>>
>>
>>-Dave
>>==================================================================
>>David Mann | Principal Infosec Scientist | The MITRE Corporation
>>------------------------------------------------------------------
>>[hidden email] | cell:<a href="tel:781.424.6003" value="+17814246003">781.424.6003
>>==================================================================
>>
>>
>>
>>>
>>>>CCE was founded on 5 documented use cases as discussed in section 4
>>>>of the CCE overview paper [1].  In all 5 of the scenarios, the
>>>>correlation is done by humans, even the 4th use case in which
>>>>results
>
>>>>from multiple audit tools are integrated.
>>>
>>>This is an excellent point.  I can see a future, however, where more
>>>use cases are added, based on the inclusion of other processes.
>>>Consider a SIEM tool that detects five failed logon attempts over an
>>>hour's time followed by a good logon.  Traditionally, we would rely
>>>on
>
>>>a human to go figure out whether that incident is benign.  With
>>>configuration data, however, we could bolster that correlation to
>>>trigger only when particular configuration items are set in a
>>>particular way, if a configuration item subsequently changed, and so
>>>on.
>>>
>>>This is a problem not just limited to CCE, I think.  I'd also like to

>>>see things like: Tell me whether that user recently changed their
>>>password, because if they did, then the probability that this
>>>incident
>
>>>is benign just went up.
>>>
>>>>
>>>>2) If there is a clear and compelling need for machine processable
>>>>information regarding configuration controls that is not being met
>>>>by
>
>>>>other current efforts [2], the following questions should be worked
>>>>through:
>>>>+ What use cases should it support?
>>>
>>>This is probably the first question to answer, but I assert that to
>>>answer this question properly we need to identify the processes we
>>>would intend to support.  This is something that seems to be "common
>>>knowledge" in the community, but that is rarely called out
explicitly.
>>>
>>>>+ Who will create the content?
>>>>+ Who will be the guarantor of the quality of that content?
>>>>+ Should this be a government funded effort, "open source" or a
>>>>commercial venture?
>>>>
>>>>We're happy to have that discussion unfold here on this list, even
>>>>if
>
>>>>the end result isn't (and shouldn't be) a part of CCE.
>>>>
>>>
>>>>+ A content management and provisioning system capable of scaling to
>>>>this
>>>>scope
>>>>+ A formalized adoption program (similar to CVE's) that defines
>>>>+ industry
>>>>best practices for the inclusion of CCE ids into configuration
>>>>management tools and services.
>>>>+ More ubiquitous usage of CCE ids in configuration management tools

>>>>+ and
>>>>services.
>>>>
>>>>
>>>>Just to reiterate point 2)... Please feel free to continue the
>>>>discussion here.  It's an important issue and needs to be discussed.
>>>
>>>This is good.  I don't know if CCE is the right place for what we
>>>think we need at this point, but it's certainly related.
>>>
>>>>
>>>>
>>>>[1] -
>>>>http://cce.mitre.org/documents/Introduction_to_CCE_White_Paper_July_
>>>>2
>>>008.p
>>>>df
>>>>
>>>>[2] - If OVAL is sufficient to meet the use cases (unknowable till
>>>>the use cases are defined), we note that both NIST SCAP/FDCC and
>>>>MITRE's
>>>OVAL
>>>>Repository provide sets of machine processable checks.  The first is

>>>>funded by the US Government and the latter is more of an open source

>>>>effort (and traditionally, more focused on vulnerabilities than
>>>>configuration controls).
>>>>
>>>>-Dave
>>>>==================================================================
>>>>David Mann | Principal Infosec Scientist | The MITRE Corporation
>>>>------------------------------------------------------------------
>>>>[hidden email] | cell:<a href="tel:781.424.6003" value="+17814246003">781.424.6003
>>>>==================================================================
>>>>
>>>>
>>>>>-----Original Message-----
>>>>>From: [hidden email]
>>>>>[mailto:[hidden email] [hidden email]] On Behalf Of

>>>>>[hidden email]
>>>>>Sent: Thursday, August 11, 2011 11:28 AM
>>>>>To: cce-working-group-list
>>>>>Subject: Capturing CCE Info
>>>>>
>>>>>This is a discussion occurring on the asset-dev working group that
>>>>>really needs to be addressed here.
>>>>>
>>>>>This effort has been one of maturing and evolving.  We struggled
>>>>>with the right level to assign CCEs and got past that hurdle.  We
>>>>>moved from v4 to v5
>>>>>to add the Luhn check digit.  Now we need to make it   usable for
>other
>>>>>efforts to really use it appropriately.
>>>>>
>>>>>Thoughts on making this useful from a programmatic perspective for
>>>>>other efforts to benefit from?
>>>>>
>>>>>Kent Landfield
>>>>>Director Content Strategy, Architecture and Standards
>>>>>
>>>>>McAfee, Inc.
>>>>>5000 Headquarters Dr.
>>>>>Plano, Texas 75024
>>>>>
>>>>>Direct: <a href="tel:%2B1.972.963.7096" value="+19729637096">+1.972.963.7096
>>>>>Mobile: <a href="tel:%2B1.817.637.8026" value="+18176378026">+1.817.637.8026
>>>>>Web: www.mcafee.com<http://www.mcafee.com/>
>>>>>
>>>>>From: Kent Landfield
>>>>><[hidden email]<mailto:[hidden email]>>
>>>>>Date: Thu, 11 Aug 2011 10:15:53 -0500
>>>>>To: "[hidden email]<mailto:[hidden email]>" <asset-
>>>>>[hidden email]<mailto:[hidden email]>>
>>>>>Subject: Re: Follow-up from Last Call about Capturing CCE Info
>>>>>(UNCLASSIFIED)
>>>>>
>>>>>This is something that has to be address in CCE.  I do not agree
>>>>>that it was intended to be a human-readable format for the long
>>>>>term. That is where is stands today because of inadequacies in how
>>>>>we deal with a CCE entry that need to be further specified, but for

>>>>>the sake of it's usability and viability, it needs to be machine
>>>>>readable.
>>>>>
>>>>>Kent Landfield
>>>>>Director Content Strategy, Architecture and Standards
>>>>>
>>>>>McAfee, Inc.
>>>>>5000 Headquarters Dr.
>>>>>Plano, Texas 75024
>>>>>
>>>>>Direct: <a href="tel:%2B1.972.963.7096" value="+19729637096">+1.972.963.7096
>>>>>Mobile: <a href="tel:%2B1.817.637.8026" value="+18176378026">+1.817.637.8026
>>>>>Web: www.mcafee.com<http://www.mcafee.com/>
>>>>>
>>>>>From: "Davidson II, Mark S"
>>>>><[hidden email]<mailto:[hidden email]>>
>>>>>Reply-To: "[hidden email]<mailto:[hidden email]>" <asset-
>>>>>[hidden email]<mailto:[hidden email]>>
>>>>>Date: Thu, 11 Aug 2011 09:52:00 -0500
>>>>>To: Multiple recipients of list <[hidden email]<mailto:[hidden email]
>>>>>[hidden email]>>
>>>>>Subject: RE: Follow-up from Last Call about Capturing CCE Info
>>>>>(UNCLASSIFIED)
>>>>>
>>>>>CCE is intended to be a human-readable format, not a machine
>>>>>readable format. For that reason, I think it will be difficult if
>>>>>not infeasible to discern CCE metadata in a programmatic way.
>>>>>
>>>>>Relevant snippet for context:
>>>>><asr:metadata>
>>>>><asrm:cce_metadata>
>>>>><asrm:param_state>disabled</asrm:param_state>
>>>>><asrm:param_setting param="roles">
>>>>><asrm:setting>admin</asrm:setting>
>>>>><asrm:setting>user</asrm:setting>
>>>>></asrm:param_setting>
>>>>></asrm:cce_metadata>
>>>>></asr:metadata>
>>>>>I think it will be difficult to fill the CCE
>>>>>param_state/param_setting for the following reasons:
>>>>>1) There is not a machine-readable mapping from CCE to CCE
>>>>>parameters
>>>>>2) There is not a machine-readable mapping from CCE parameters to
>>>>>actual values (IE, enabled=0, disabled=1, etc)
>>>>>3) There is not a machine-readable mapping from CCE to method for
>>>>>collecting the value (technical mechanism)
>>>>>
>>>>>I think if you had the data to communicate, this structure would
>>>>>accommodate that data effectively. I'm not sure how we will
>>>>>actually
>
>>>>>get the data to populate this structure.
>>>>>
>>>>>-Mark
>>>>>
>>>>>-----Original Message-----
>>>>>From: [hidden email]<mailto:[hidden email]> [mailto:[hidden email]
>>>>>[hidden email]] On Behalf Of WOLFKIEL, JOSEPH L CIV DISA PEO-MA
>>>>>Sent: Thursday, August 11, 2011 10:21 AM
>>>>>To: Multiple recipients of list
>>>>>Subject: RE: Follow-up from Last Call about Capturing CCE Info
>>>>>(UNCLASSIFIED)
>>>>>
>>>>>Classification:  UNCLASSIFIED
>>>>>Caveats: NONE
>>>>>
>>>>>Classification:  UNCLASSIFIED
>>>>>Caveats: NONE
>>>>>
>>>>>I can't think of a better alternative.  Not sure how well we will
>>>>>be
>
>>>>>able to use this, but it appears to meet the need.  I'm worried
>>>>>about the lack of structure.  Can we specify schemas for the known
>>>>>types of metadata (the CCE, specifically)?  I'm also concerned that

>>>>>the CCE structure doesn't really help a tool automate the
>>>>>translation of checks into structured results.
>>>>>
>>>>>Looking at the schemas & documents themselves, I can't figure out
>>>>>why you've structured the documents the way you have.  If all
>>>>>idents
>
>>>>>in a report are in the same system, you should only have to specify

>>>>>the system once at the beginning, it doesn't make sense to
>>>>>re-specify the system for each result value set.  For results
>>>>>against a common ident, the results should be subordinate elements
>>>>>with relevant group-by attributes.
>>>>>
>>>>>Joseph L. Wolfkiel
>>>>>Engineering Group Lead
>>>>>DISA PEO MA/IA52
>>>>><a href="tel:%28301%29%20225-8820" value="+13012258820">(301) 225-8820
>>>>>[hidden email]<mailto:[hidden email]>
>>>>>
>>>>>
>>>>>-----Original Message-----
>>>>>From: [hidden email]<mailto:[hidden email]> [mailto:[hidden email]
>>>>>[hidden email]] On Behalf Of Halbardier, Adam
>>>>>Sent: Monday, August 08, 2011 1:46 PM
>>>>>To: Multiple recipients of list
>>>>>Subject: Follow-up from Last Call about Capturing CCE Info
>>>>>
>>>>>All,
>>>>>
>>>>>
>>>>>On the last call we discussed the difficulty with reporting against

>>>>>CCEs separate from the XCCDF benchmark and profile that checked the

>>>>>CCE.  I took an action to look at CCE and try to come up with a
>>>>>mechanism that could possibly support such a case.  Attached is a
>>>>>possible solution.
>>>>>Basically,
>>>>>I added a "metadata" construct to the result element that can
>>>>>capture arbitrary metadata about the setting of an ident.  For
>>>>>simpler idents, we just capture the relevant information as
>>>>>parameters on the result (see the CPE example).  For the CCE
>>>>>example, we can use the metadata element to capture the CCE
>>>>>settings.  I attached an extension schema for the CCE metadata.
>>>>>Basically, a CCE has one or more parameters.  Scanning through the
>>>>>CCE spreadsheets, I think there are two categories of parameters.
>>>>>One
>>>>>category is what I'm calling "state" parameters.  Those are
>>>>>parameters that just have a value, without a name associated with
>>>>>the parameter (e.g., "enabled/disabled").  For the first !
>>>>>category, the name of the parameter is the setting.  The second
>>>>>category of parameters is a named parameter that has a value, or
>>>>>list of values, associated with it (e.g., user roles).  In this
>>>>>case, the parameter needs to be identified, along with the value or

>>>>>list of values for the instance of the CCE.  The second category I
>>>>>called "setting param".
>>>>>
>>>>>
>>>>>A CCE metadata construct can have one or more of each of the two
>>>>>types of parameters.  The parameters MUST be provided in the same
>>>>>order as documented in the CCE.  The one potential disconnect here
>>>>>is that the values for "setting params" isn't enumerated (and I
>>>>>don't think it can be), so that could lead to data disconnects, but

>>>>>it might be a limitation we just have to live with in the
near-term.
>
>>>>>Please provide thought/feedback on this approach, and if you think
>>>>>it will solve the current needs.
>>>>>
>>>>>
>>>>>-Adam
>>>>>
>>>>>Classification:  UNCLASSIFIED
>>>>>Caveats: NONE
>>>>>
>>>>>Classification:  UNCLASSIFIED
>>>>>Caveats: NONE
>>>>
>>>
>>
>