CDET Status and Any Vendors create a profile yet?

STOECKP

What is the progress on the dictionary and the categorization taxonomy for CEE?  Has it been flushed out at all or is it still at the same stage as indicated in the profile specification?  Also, has any vendor created a profile yet?

Thanks,

Paul

Paul W. Stoecker, Ph.D.

Principal Software Engineer

RSA, The Security Division of EMC


Re: CDET Status and Any Vendors create a profile yet?

heinbockel
Paul,

We are still working through flushing out the details of the taxonomy and
dictionary for CEE. Right now, things are fairly stable and we are working with
several vendors to determine the best approach to align their different
needs and approaches in some areas.

For example, should "source ipv4 address" be a field, or should it be
"source ip address", or just "source address" and then set the type to ipv4,
ipv6, hostname, etc. Each approach has its benefits and drawbacks.

We will be publishing an updated CEE Base Profile with the revised
taxonomy/dictionary terms in the next couple of weeks.

I am also working with several vendors and user communities to develop their
own profiles and am capturing the lessons learned.
Unfortunately, I am unable to share the specifics of these details as I do
not have the permission of the parties.

William Heinbockel
The MITRE Corporation

>-----Original Message-----
>From: [hidden email] [mailto:[hidden email]]
>Sent: Thursday, 08 December, 2011 17:16
>To: cee-discussion-list CEE-Related Discussion
>Subject: CDET Status and Any Vendors create a profile yet?
>
>What is the progress on the dictionary and the categorization taxonomy for
>CEE?  Has it been flushed out at all or is it still at the same stage as
>indicated in the profile specification?  Also, has any vendor created a
>profile yet?
>
>Thanks,
>
>Paul
>
>Paul W. Stoecker, Ph.D.
>Principal Software Engineer
>Analytics - Security Management Content & Solutions
>RSA, The Security Division of EMC
>o: 508.599.2743 | c: 302.379.3375 | e:
>[hidden email]<mailto:[hidden email]>
>


Re: CDET Status and Any Vendors create a profile yet?

Burnes, James - NRCS, Fort Collins, CO
That's a very good example. I was wondering the same thing while I was writing the Python CEE test script. I think it would be more important from a well-known name standpoint that it be simply known as "source ip address" and set a type on it. That way everyone is looking for the information in the same place. Parsing the field could then be done adaptively, e.g.: (source_ipv4) | (source_ipv6). I can't think of a situation where you would need separate addresses at the same time. If so, perhaps you could treat it as a multi-valued field.

Good luck,

Jim Burnes
Application Security Engineer
USDA/NRCS/ITC/Fort Collins



-----Original Message-----
From: Heinbockel, Bill [mailto:[hidden email]]
Sent: Monday, December 12, 2011 8:21 AM
To: [hidden email]
Subject: Re: [CEE-DISCUSSION-LIST] CDET Status and Any Vendors create a profile yet?

Paul,

We are still working through flushing out the details of the taxonomy and
dictionary for CEE. Right now, things are fairly stable and we are working with
several vendors to determine the best approach to align their different
needs and approaches in some areas.

For example, should "source ipv4 address" be a field, or should it be
"source ip address", or just "source address" and then set the type to ipv4,
ipv6, hostname, etc. Each approach has its benefits and drawbacks.

We will be publishing an updated CEE Base Profile with the revised
taxonomy/dictionary terms in the next couple of weeks.

I am also working with several vendors and user communities to develop their
own profiles and am capturing the lessons learned.
Unfortunately, I am unable to share the specifics of these details as I do
not have the permission of the parties.

William Heinbockel
The MITRE Corporation

>-----Original Message-----
>From: [hidden email] [mailto:[hidden email]]
>Sent: Thursday, 08 December, 2011 17:16
>To: cee-discussion-list CEE-Related Discussion
>Subject: CDET Status and Any Vendors create a profile yet?
>
>What is the progress on the dictionary and the categorization taxonomy for
>CEE?  Has it been flushed out at all or is it still at the same stage as
>indicated in the profile specification?  Also, has any vendor created a
>profile yet?
>
>Thanks,
>
>Paul
>
>Paul W. Stoecker, Ph.D.
>Principal Software Engineer
>Analytics - Security Management Content & Solutions
>RSA, The Security Division of EMC
>o: 508.599.2743 | c: 302.379.3375 | e:
>[hidden email]<mailto:[hidden email]>
>
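
The single typed field discussed in this thread, as an added example that is not part of the original messages or of any CEE specification: one field carries the address, the type (ipv4, ipv6, hostname) is derived when parsing, and a list covers the multi-valued case. The field name `source_address` and the output layout are assumptions made for illustration.

```python
import ipaddress
import re

# Hostname label per RFC 1123: letters, digits, hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def classify_address(value):
    """Return (type, canonical_value) for one address string.

    type is one of "ipv4", "ipv6", "hostname"; raises ValueError otherwise.
    """
    text = value.strip()
    # Accept the bracketed form some log sources use for IPv6 literals.
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        ip = None
    if ip is not None:
        return ("ipv4" if ip.version == 4 else "ipv6", str(ip))
    host = text.rstrip(".").lower()
    labels = host.split(".")
    # An all-numeric last label means a malformed IP, not a hostname.
    if host and len(host) <= 253 and all(_LABEL.match(l) for l in labels) \
            and not labels[-1].isdigit():
        return ("hostname", host)
    raise ValueError(f"not an address: {value!r}")

def normalize_source(event, field="source_address"):
    """Replace event[field] (one string or a list) with a list of typed values."""
    raw = event.get(field, [])
    values = [raw] if isinstance(raw, str) else list(raw)
    typed = [dict(zip(("type", "value"), classify_address(v))) for v in values]
    return {**event, field: typed}

# Constructed sample events, not taken from any CEE profile.
SAMPLES = [
    {"action": "login", "source_address": "192.0.2.10"},
    {"action": "login", "source_address": "[2001:DB8::1]"},
    {"action": "login", "source_address": ["198.51.100.7", "gw.example.net."]},
]

if __name__ == "__main__":
    for ev in SAMPLES:
        print(normalize_source(ev))
```

Rejecting values such as `999.1.1.1` instead of accepting them as hostnames keeps a malformed address from being stored under the wrong type, which matters when the field is later used for correlation.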