CEE Defcon Meetup Notes - 08 Aug 2008

CEE Defcon Meetup Notes - 08 Aug 2008

heinbockel
Below are my notes from the CEE meeting at Defcon
a couple of weeks ago.

All in all, things turned out fairly well. Though
I apologize to anyone who wanted to participate
but could not locate us.


***************************

CEE Meeting
Defcon - 08 Aug 2008
Riviera, Las Vegas, NV


        Attendees
        =========

- Eric Fitzgerald
- Tina Bird
- Raffy Marty
- Sanford Whitehouse
- Steve Christey
- William Heinbockel


        Minutes
        =======

Group met at the Defcon Registration desk at the Riviera at Noon PST.
Discussion lasted for approximately 2 hours.


                Definitions
                ===========

Definitions discussion is good, though we are now debating semantic
nuances. MITRE needs to issue a final version and we can extend that
with additional notes and descriptions.

- event definition discussion
  - Machine-generated data
  - State change may not be good enough: due to problems with
    abstraction levels, the end state might be the same as the start
    state. Use "activity occurred" instead.
- We should include a definition for event stream. Generically, the
  log flow process seems to be:

    event -> event record -> event stream -> event log

- A log is a general sequential or timestamped repository of
  records.
- Logs also hold reports or "informational messages"
- Fidelity: Logged events may not have actually occurred, such as
  with an IDS signature match.
- Look at Orin Kerr's paper on Machine Logs vs. Hearsay
- Applications, Operations, and Admins partake in various log
  activities
- Syntax
  - The syntax fields should be self-describing
  - Support: Binary vs. XML vs. string formats
  - Need to support proper ordering of records
    - The log order does not always match the event order
  - Needs to support granular timestamps
    - Synchronizing timestamps
  - Needs to support sequence numbers to properly order events
    - Pair-wise vs. Universal IDs


                Questions / Issues
                ==================

- Can a record consist of 1 or more records?
- How does CEE handle multi-line data?
- Should logs be machine-readable or human-readable?
  - This choice depends on the environment and admins
  - machine-readable is more condensed and better for wire formats
  - machine-readable can be translated for humans
- Who timestamps the records? The application? The event recorder?


                Outcomes
                ========

- CEE and LogAnalysis.org will partner up
  - MITRE will host the CEE drafts and specifications
  - LogAnalysis can host a wiki, log repositories, and everything else
  - More to come on this later...
- MITRE will finish the CEE WG Charter
  - High level use cases for CFO, CIO/Operations, Developers
- MITRE will produce a CEE Project outline
  - Deliverables
  - Schedule
- We need to get more large players involved: Cisco, Oracle, Apple,
  IBM
- We need more diversity in the WG: admins and enterprise users
- Create a Vendor Questionnaire
  - Technical issues with logs?
  - Customer issues with current logging?
  - How do you view SIM vendors continually asking for logs?
  - If logs were standardized, what potential damage or loss would you
    suffer?



William Heinbockel
Infosec Engineer, Sr.
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
[hidden email]
781-271-2615
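
The syntax requirements listed under Definitions (self-describing fields, granular timestamps, per-source sequence numbers, log order differing from event order) and the multi-line and "who timestamps" questions, worked through as an added Python example. This is not code from the meeting, from MITRE or from any CEE draft: the field names (src, seq, time, recv_time, action, msg), the one-JSON-object-per-line record format and the sample records are this example's own assumptions, and the sample stream is constructed so that arrival order differs from event order and one record is missing.

```python
import json
from datetime import datetime, timezone

# Fields every record must carry. The names are this example's assumption,
# not CEE field names (the notes predate any CEE syntax specification).
REQUIRED = ("src", "seq", "time", "recv_time", "action")
TIME_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"  # UTC, millisecond granularity


def parse_time(text):
    """Parse the UTC, millisecond-granular timestamp convention used here."""
    return datetime.strptime(text, TIME_FMT).replace(tzinfo=timezone.utc)


def make_record(src, seq, time, recv_time, **fields):
    """Serialize one event record as a single self-describing JSON line.

    'time' is stamped by the producing application, 'recv_time' by the
    event recorder, so both answers to "who timestamps?" are kept. Multi-line
    values (a stack trace in 'msg', say) are escaped by JSON, so the record
    stays one line on the wire and needs no continuation-line rules.
    """
    record = {"src": src, "seq": seq, "time": time, "recv_time": recv_time}
    record.update(fields)
    line = json.dumps(record, separators=(",", ":"))
    if "\n" in line:  # cannot happen with json.dumps, kept as a guard
        raise ValueError("record must be a single line")
    return line


def parse_stream(lines):
    """Parse an event stream (one record per line) in arrival order."""
    records = []
    for n, line in enumerate(lines, 1):
        rec = json.loads(line)
        missing = [f for f in REQUIRED if f not in rec]
        if missing:
            raise ValueError(f"record {n} lacks fields {missing}")
        rec["_arrival"] = n  # position in the log, kept for comparison
        records.append(rec)
    return records


def event_order(records):
    """Order records by the producer's timestamp, not by log position.

    Ties and clock skew between sources are broken deterministically by
    (src, seq); within one source, seq alone is authoritative. The tuple
    plays the role of a universal ordering key built from pair-wise ids.
    """
    return sorted(records,
                  key=lambda r: (parse_time(r["time"]), r["src"], r["seq"]))


def find_gaps(records):
    """Return {src: [missing seq numbers]} for sources with holes in seq."""
    seen = {}
    for r in records:
        seen.setdefault(r["src"], set()).add(r["seq"])
    gaps = {}
    for src, seqs in seen.items():
        missing = sorted(set(range(1, max(seqs) + 1)) - seqs)
        if missing:
            gaps[src] = missing
    return gaps


def ids(records):
    """(src, seq) pairs in the given order, for comparing orderings."""
    return [(r["src"], r["seq"]) for r in records]


# Constructed sample stream, as a collector might receive it. Arrival order
# deliberately differs from event order, and web01's seq 2 never arrives.
RAW_STREAM = [
    make_record("web01", 1, "2008-08-08T19:00:01.250Z", "2008-08-08T19:00:02.000Z",
                action="login", outcome="success", user="alice"),
    make_record("db01", 1, "2008-08-08T19:00:00.900Z", "2008-08-08T19:00:02.010Z",
                action="connect", outcome="success", user="app"),
    make_record("web01", 3, "2008-08-08T19:00:03.100Z", "2008-08-08T19:00:03.150Z",
                action="request", outcome="failure",
                msg="Unhandled exception\n  at handler.py:42\n  at server.py:7"),
    make_record("db01", 2, "2008-08-08T19:00:02.500Z", "2008-08-08T19:00:03.200Z",
                action="query", outcome="success", user="app"),
]


if __name__ == "__main__":
    recs = parse_stream(RAW_STREAM)
    print("log order:  ", ids(recs))
    print("event order:", ids(event_order(recs)))
    print("gaps:       ", find_gaps(recs))
```

Running the block prints the log (arrival) order, the event order recovered from producer timestamps, and the gap in web01's sequence numbers; a missing sequence number is the cheapest signal a collector has that a record was lost or has not yet arrived, which a timestamp alone cannot tell you.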




Re: CEE Defcon Meetup Notes - 08 Aug 2008

Tina Bird
Boy oh boy am I cleaning out my Inbox.

Quoting "Heinbockel, Bill" <[hidden email]>:

> - Look at Orin Kerr's paper on Machine Logs vs. Hearsay

For interested parties, here's a list of relevant URLs on the use of
computer generated data in legal proceedings (U.S. based), starting
with Professor Orin Kerr's original paper for the Department of
Justice:

Computer Records and the Federal Rules of Evidence (March 2001)
http://www.usdoj.gov/criminal/cybercrime/usamarch2001_4.htm

A summary of case law and related issues written by Erin Kenneally,
lawyer and forensic analyst at the San Diego Supercomputer Center
(December 2002):
http://lists.jammed.com/loganalysis/2002/12/0115.html

MySpace on the Record: the Admissibility of Social Website Content
under the Federal Rules of Evidence (December 2006):
http://firstmonday.org/article/view/1419/1337

These are the result of an extremely quick swing through Google; there
are probably more recent results as well, but at least this is a
reasonable set of places to start.

cheers -- tbird