CEE Terminology and Whitepaper

CEE Terminology and Whitepaper

heinbockel
Sorry for the lapse in response from MITRE, we've been getting
some FY07 things closed out and securing some funding for CEE.


Now, I've spent some time catching up on the flurry of discussion
on this list and it is apparent that there is some confusion as
to the terminology. I believe that this is a huge issue, not only
for CEE, but for logs and standards as well. We have done a really
good job at overloading our log terminology.

The first major issue we would like to tackle is to bring everyone
on this list into agreement as far as log-related vocabulary. The
major thing we are trying to accomplish with CEE is to decouple all
of these various log "pieces" in order to provide flexibility while
allowing us to work on each portion individually.

On that note, over the past months we have been working with
Raffy Marty and Anton Chuvakin to create a whitepaper to introduce
the concepts and terminology in CEE. As a starting point, I offer
the current draft version to this discussion group for your review.


To wrap up the loose ends:
* Yes, we will have a website. We had one put together a couple of
  months ago, however due to some administrative snafu, it was
  lost and we are still awaiting approval for public releasability.

* Archives of the CEE mailing lists will be made available on the
  website in the near future.


William Heinbockel
Infosec Engineer, Sr.
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
[hidden email]
781-271-2615

Attachment: cee_whitepaper.doc (733K)


Re: CEE Terminology and Whitepaper

David Corlette
Hello Bill,

Glad to hear progress is being made, and I applaud your efforts. One thing stood out in my brief review of this whitepaper, however: no mention was made of XDAS, put forth by the Open Group. I find this extremely strange, given that:

a) XDAS was developed specifically to handle several elements that CEE is hoping to cover, specifically "log syntax" and "event taxonomy", and even by inference recommendations about what sorts of events should be logged. This effort was originally supported by many in the industry and is undergoing an update as we speak.

b) Those of us working on the XDAS standard have made several proactive efforts to reach out to MITRE and the CEE group, in hopes that we can coordinate efforts.

c) The whitepaper you present has a special section listing prior efforts in this space, so presumably would purport to be a researched, comprehensive document.

The upshot being, to ignore XDAS risks the credibility of this effort and condemns you to repeating much work that has already been done. XDAS itself, of course, drew upon prior work from many projects.

Now, it may be that there are irreconcilable differences between the aims of XDAS and CEE, but personally I fail to see why these efforts cannot be coordinated. As you may know, Raffy Marty has on at least one occasion been highly critical of XDAS, although if you have additionally read the response from the XDAS team you may also know that his original reading of the standard seems to have been superficial at best. Our current work seeks to update the standard in light of new industry trends - and of course we will extract what was useful from Raffy's commentary - but fundamentally we believe we have a reasonable approach in spite of some of his unfounded comments.

It is my hope here that cooler heads will prevail and that we will be able to move forward, adopting the best of the work that has come before. My initial recommendation would be for the CEE group to read through the XDAS standard, pose any questions about the whys and wherefores that need to be answered, and suggest any reason, positive or negative, why this existing standard could not become the taxonomy and format portion of CEE. If the changes are relatively minor, then perhaps we can modify XDAS to suit the needs of CEE as part of our ongoing review. If there are major philosophical differences, then perhaps the two groups will diverge. But to ignore the previous work that has been done seems to be counter-productive at best; ideally the group can move on to more weighty issues like what developers should be doing when they are writing event-generation code.

A good place to start with XDAS is at the OpenXDAS site; this is an open implementation of XDAS developed by Novell, but it also links back to the Open Group's original XDAS documentation. Additionally we have already come up with a set of proposed changes to extend and enhance the standard, but for now perhaps discussion should center around the existing standard. Note however that we are already aware that the document needs some clarification, so we do expect some back-and-forth about the intent of certain features.

I look forward to working with the group, and welcome feedback about XDAS and other standards as well.  Thank you.

>>> On Mon, Oct 8, 2007 at 10:40 AM, in message
<[hidden email]>, "Heinbockel,
Bill" <[hidden email]> wrote:

> Sorry for the lapse in response from MITRE, we've been getting
> some FY07 things closed out and securing some funding for CEE.
>
>
> Now, I've spent some time catching up on the flurry of discussion
> on this list and it is apparent that there is some confusion as
> to the terminology. I believe that this is a huge issue, not only
> for CEE, but for logs and standards as well. We have done a really
> good job at overloading our log terminology.
>
> The first major issue we would like to tackle is to bring everyone
> on this list into agreement as far as log-related vocabulary. The
> major thing we are trying to accomplish with CEE is to decouple all
> of these various log "pieces" in order to provide flexibility while
> allowing us to work on each portion individually.
>
> On that note, over the past months we have been working with
> Raffy Marty and Anton Chuvakin to create a whitepaper to introduce
> the concepts and terminology in CEE. As a starting point, I offer
> the current draft version to this discussion group for your review.
>
>
> To wrap up the loose ends:
> * Yes, we will have a website. We had one put together a couple of
>   months ago, however due to some administrative snafu, it was
>   lost and we are still awaiting approval for public releasability.
>
> * Archives of the CEE mailing lists will be made available on the
>   website in the near future.
>
>
> William Heinbockel
> Infosec Engineer, Sr.
> The MITRE Corporation
> 202 Burlington Rd. MS S145
> Bedford, MA 01730
> [hidden email]
> 781-271-2615


Re: CEE Terminology and Whitepaper

heinbockel
Thanks for the pointer.

This paper had been in the works for a while, before I was
familiar with the XDAS work. This was an oversight on my part
and it will be added to a future version of the draft.

However there may be a problem in differentiating the previous
XDAS spec from the current, Novell-infused XDAS work -- as last
I heard there was talk of revamping the (entire?) XDAS spec.


William Heinbockel
Infosec Engineer, Sr.
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
[hidden email]
781-271-2615

>-----Original Message-----
>From: David Corlette [mailto:[hidden email]]
>Sent: Monday, 08 October, 2007 11:39
>To: cee-discussion-list CEE-Related Discussion; Heinbockel, Bill
>Cc: John Calcote; Ian Dobson
>Subject: Re: [CEE-DISCUSSION-LIST] CEE Terminology and Whitepaper
>
>Hello Bill,
>
>Glad to hear progress is being made, and I applaud your
>efforts. One thing stood out in my brief review of this
>whitepaper, however; no mention was made of XDAS, put forth by
>the Open Group.  I find this extremely strange, given that:
>
>a) XDAS was developed specifically to handle several elements
>that CEE is hoping to cover, specifically "log syntax" and
>"event taxonomy", and even by inference recommendations about
>what sorts of events should be logged. This effort was
>originally supported by many in the industry and is undergoing
>an update as we speak.
>
>b) Those of us working on the XDAS standard have made several
>proactive efforts to reach out to MITRE and the CEE group, in
>hopes that we can coordinate efforts.
>
>c) The whitepaper you present has a special section listing
>prior efforts in this space, so presumably would purport to be
>a researched, comprehensive document.
>
>The upshot being, to ignore XDAS risks the credibility of this
>effort and condemns you to repeating much work that has
>already been done. XDAS itself, of course, drew upon prior
>work from many projects.
>
>Now, it may be that there are irreconcilable differences
>between the aims of XDAS and CEE, but personally I fail to see
>why these efforts cannot be coordinated. As you may know,
>Raffy Marty has on at least one occasion been highly critical
>of XDAS, although if you have additionally read the response
>from the XDAS team you may also know that his original reading
>of the standard seems to have been superficial at best. Our
>current work seeks to update the standard in light of new
>industry trends - and of course we will extract what was
>useful from Raffy's commentary - but fundamentally we believe
>we have a reasonable approach in spite of some of his
>unfounded comments.
>
>It is my hope here that cooler heads will prevail and that we
>will be able to move forward, adopting the best of the work
>that has come before. My initial recommendation would be for
>the CEE group to read through the XDAS standard, pose any
>questions about the whys and wherefores that need to be
>answered, and suggest any reason, positive or negative, why
>this existing standard could not become the taxonomy and
>format portion of CEE. If the changes are relatively minor,
>then perhaps we can modify XDAS to suit the needs of CEE as
>part of our ongoing review. If there are major philosophical
>differences, then perhaps the two groups will diverge. But to
>ignore the previous work that has been done seems to be
>counter-productive at best; ideally the group can move on to
>more weighty issues like what developers should be doing when
>they are writing event-generation code.
>
>A good place to start with XDAS is at the OpenXDAS site; this
>is an open implementation of XDAS developed by Novell, but it
>also links back to the Open Group's original XDAS
>documentation. Additionally we have already come up with a set
>of proposed changes to extend and enhance the standard, but
>for now perhaps discussion should center around the existing
>standard. Note however that we are already aware that the
>document needs some clarification, so we do expect some
>back-and-forth about the intent of certain features.
>
>I look forward to working with the group, and welcome feedback
>about XDAS and other standards as well.  Thank you.
>
>>>> On Mon, Oct 8, 2007 at 10:40 AM, in message
><[hidden email]>,
>"Heinbockel,
>Bill" <[hidden email]> wrote:
>> Sorry for the lapse in response from MITRE, we've been getting
>> some FY07 things closed out and securing some funding for CEE.
>>
>>
>> Now, I've spent some time catching up on the flurry of discussion
>> on this list and it is apparent that there is some confusion as
>> to the terminology. I believe that this is a huge issue, not only
>> for CEE, but for logs and standards as well. We have done a really
>> good job at overloading our log terminology.
>>
>> The first major issue we would like to tackle is to bring everyone
>> on this list into agreement as far as log-related vocabulary. The
>> major thing we are trying to accomplish with CEE is to decouple all
>> of these various log "pieces" in order to provide flexibility while
>> allowing us to work on each portion individually.
>>
>> On that note, over the past months we have been working with
>> Raffy Marty and Anton Chuvakin to create a whitepaper to introduce
>> the concepts and terminology in CEE. As a starting point, I offer
>> the current draft version to this discussion group for your review.
>>
>>
>> To wrap up the loose ends:
>> * Yes, we will have a website. We had one put together a couple of
>>   months ago, however due to some administrative snafu, it was
>>   lost and we are still awaiting approval for public releasability.
>>
>> * Archives of the CEE mailing lists will be made available on the
>>   website in the near future.
>>
>>
>> William Heinbockel
>> Infosec Engineer, Sr.
>> The MITRE Corporation
>> 202 Burlington Rd. MS S145
>> Bedford, MA 01730
>> [hidden email]
>> 781-271-2615
>
>


Re: CEE Terminology and Whitepaper

Eric Fitzgerald
NB The XDAS spec on the Open Group web site is still marked as "preliminary".  Where is the most up-to-date copy?

Eric

-----Original Message-----
From: Heinbockel, Bill [mailto:[hidden email]]
Sent: Monday, October 08, 2007 9:41 AM
To: [hidden email]
Subject: Re: [CEE-DISCUSSION-LIST] CEE Terminology and Whitepaper

Thanks for the pointer.

This paper had been in the works for a while, before I was
familiar with the XDAS work. This was an oversight on my part
and it will be added to a future version of the draft.

However there may be a problem in differentiating the previous
XDAS spec from the current, Novell-infused XDAS work -- as last
I heard there was talk of revamping the (entire?) XDAS spec.


William Heinbockel
Infosec Engineer, Sr.
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
[hidden email]
781-271-2615

>-----Original Message-----
>From: David Corlette [mailto:[hidden email]]
>Sent: Monday, 08 October, 2007 11:39
>To: cee-discussion-list CEE-Related Discussion; Heinbockel, Bill
>Cc: John Calcote; Ian Dobson
>Subject: Re: [CEE-DISCUSSION-LIST] CEE Terminology and Whitepaper
>
>Hello Bill,
>
>Glad to hear progress is being made, and I applaud your
>efforts. One thing stood out in my brief review of this
>whitepaper, however; no mention was made of XDAS, put forth by
>the Open Group.  I find this extremely strange, given that:
>
snip


Re: CEE Terminology and Whitepaper

John Calcote
The XDAS spec is still in preliminary status - it always has been ever since 1998 when it was first written. The main reason for this is that XDAS never met the minimum requirements for Open Group standardization - e.g., multiple implementations for interop testing.

Thus, version .9 is in fact the latest version.

John

>>> On Mon, Oct 8, 2007 at 12:46 PM, in message
<[hidden email]>, Eric Fitzgerald <[hidden email]> wrote:

> NB The XDAS spec on the Open Group web site is still marked as "preliminary".
>  Where is the most up-to-date copy?
>
> Eric
>
> -----Original Message-----
> From: Heinbockel, Bill [mailto:[hidden email]]
> Sent: Monday, October 08, 2007 9:41 AM
> To: [hidden email]
> Subject: Re: [CEE-DISCUSSION-LIST] CEE Terminology and Whitepaper
>
> Thanks for the pointer.
>
> This paper had been in the works for a while, before I was
> familiar with the XDAS work. This was an oversight on my part
> and it will be added to a future version of the draft.
>
> However there may be a problem in differentiating the previous
> XDAS spec from the current, Novell-infused XDAS work -- as last
> I heard there was talk of revamping the (entire?) XDAS spec.
>
>
> William Heinbockel
> Infosec Engineer, Sr.
> The MITRE Corporation
> 202 Burlington Rd. MS S145
> Bedford, MA 01730
> [hidden email]
> 781-271-2615
>
>>-----Original Message-----
>>From: David Corlette [mailto:[hidden email]]
>>Sent: Monday, 08 October, 2007 11:39
>>To: cee-discussion-list CEE-Related Discussion; Heinbockel, Bill
>>Cc: John Calcote; Ian Dobson
>>Subject: Re: [CEE-DISCUSSION-LIST] CEE Terminology and Whitepaper
>>
>>Hello Bill,
>>
>>Glad to hear progress is being made, and I applaud your
>>efforts. One thing stood out in my brief review of this
>>whitepaper, however; no mention was made of XDAS, put forth by
>>the Open Group.  I find this extremely strange, given that:
>>
> snip


Re: CEE Terminology and Whitepaper

Ian Dobson-2
I wish to endorse John's explanation of The Open Group's use of
"Preliminary Specification" and "Technical Standard" - our Technical
Standards identify our specifications which are proved by multiple
implementations to be interoperable. I would like to add that since
1998 there probably are multiple implementations - we may count
OpenXDAS among these - but our members have focused on other
priorities since then so have not done the work to move XDAS to
Technical Standard status.

Now in 2007, we recognize that IT Audit is back as a hot topic, and
XDAS needs extending and updating to cover today's business needs.
Putting this into context, Novell's John Calcote and David Corlette
are leading contributors to this update and are joined in doing it by
14 other representatives from 9 other Open Group Security Forum
member organizations.

XDAS 1998 is freely available for download from
http://www.opengroup.org/bookstore/catalog/p441.htm

Regards,
Ian.

At 22:09 08/10/2007, John Calcote wrote:
>The XDAS spec is still in preliminary status - it always has been
>ever since 1998 when it was first written. The main reason for this
>is that XDAS never met the minimum requirements for Open Group
>standardization - eg., multiple implementations for interop testing.

>
> >>> On Mon, Oct 8, 2007 at 12:46 PM, in message
> <[hidden email]>, Eric Fitzgerald <[hidden email]> wrote:
> > NB The XDAS spec on the Open Group web site is still marked as
> > "preliminary".
> > Where is the most up-to-date copy?
> >
> > -----Original Message-----

> > From: Heinbockel, Bill [mailto:[hidden email]]
> > Sent: Monday, October 08, 2007 9:41 AM
> > To: [hidden email]
> > Subject: Re: [CEE-DISCUSSION-LIST] CEE Terminology and Whitepaper
> >
> > Thanks for the pointer.
> >
> > This paper had been in the works for a while, before I was
> > familiar with the XDAS work. This was an oversight on my part
> > and it will be added to a future version of the draft.
> >
> > However there may be a problem in differentiating the previous
> > XDAS spec from the current, Novell-infused XDAS work -- as last
> > I heard there was talk of revamping the (entire?) XDAS spec.
> >
> > William Heinbockel
> > Infosec Engineer, Sr.
> > The MITRE Corporation
> > 202 Burlington Rd. MS S145
> > Bedford, MA 01730
> > [hidden email]
> > 781-271-2615
> >
> >>-----Original Message-----
> >>From: David Corlette [mailto:[hidden email]]
> >>Sent: Monday, 08 October, 2007 11:39
> >>To: cee-discussion-list CEE-Related Discussion; Heinbockel, Bill
> >>Cc: John Calcote; Ian Dobson
> >>Subject: Re: [CEE-DISCUSSION-LIST] CEE Terminology and Whitepaper
> >>
> >>Hello Bill,
> >>
> >>Glad to hear progress is being made, and I applaud your
> >>efforts. One thing stood out in my brief review of this
> >>whitepaper, however; no mention was made of XDAS, put forth by
> >>the Open Group.  I find this extremely strange, given that:
> >>
> > snip

***********************************************************
16th Enterprise Architecture Practitioners Conference
Secure Architectures, October 22-26, 2007
Corinthia Grand Hotel Royal, Budapest, Hungary.
http://www.opengroup.org/budapest2007/
***********************************************************
The Open Group
Ian D Dobson
Director - Jericho Forum
         - Security Forum
         - Identity Management Forum
Thames Tower, Station Road, Reading RG1 1LX, UK
Mailto:[hidden email]
Phone: +44 (0)118 902 3041 (office)
       +44 (0)191 236 4102 (home)
       +44 (0)7764 905748 (cell)
Skype: id.dobson
WWW:   http://www.opengroup.org
TOGAF is a trademark of The Open Group
***********************************************************