Meeting Minutes from April 4 Telecon (Finally!)


Sorry for the delay in getting these out. I've had them written for a while but haven't had the time until today to actually type them up.

Without further ado...

CEE Telecon Minutes
4 April 2008, 2:00PM ET

Bruce, NSA
Chris Riley, VOLPE
Karen Scarfone, NIST
Dave Corlette, Novell
Dan Sanders, Novell
Anton Chuvakin, LogLogic
Raffy Marty, Splunk
Gabriel Coelho-Kostonly, ArcSight
Salo Fajer, NitroSec
Dan Blume, BurtonGroup
Erik Mintz, BigFix
Eric Fitzgerald, Microsoft



1. Introductions
2. Why CEE? - the history and MITRE involvement

CEE was started based on encouragement from the industry. Various vendors and organizations MITRE asking if we were investigating producing a standard. Also during this time, a MITRE-research for the Air Force required us to start parsing and interpreting log data. After exploring the past standards (e.g., IDMEF, CIDF, SDEE) and discussions with the CVE and OVAL people here at MITRE, we decided that it was worth a shot to start investigating. The initial talks started back in 2006, and CEE first came to light in early 2007 with the help of Anton Chuvakin and Raffy


3. "Get, Parse, and Understand" the CEE components

Early on, it was realized that any log "standard" would have to encompass several sub-standards. The big challenge would be the log taxonomy - what are these "log and how should they be recorded. The next challenge is ensuring that the event details are consistently and that all of the critical details are included. The syntax components are necessarily tied to the representation medium; Syslog, XML, binary, and utilize different data representations. There needs to be agreement as to how these event will be exchanged in the transport. Finally, it would be beneficial for the entire community if the existing log standards and policies were correlated, and future recommendations should be made to enhance the usefulness of logs, for vendors and organizations.

Based on these realizations, we propose that CEE consist of 4 parts: taxonomy, syntax, transport, and log recommendations. (Further information is on the


4. The CEE website and current CEE work

It has been some months since the CEE website was updated. We are currently in the process of updating it and waiting for release approval. An updated site mailing list registration, archives, and details should be available shortly. The whitepaper will be released in the next week or two.

Unfortunately, MITRE is required to go through the government release process for all CEE documents. This process is slow and we have no control over the Some documents are granted release in a week, some more than a month.


5. Developing CEE - forming the CEE working group

Right now there is a lot of interest and surrounding CEE. Organizations representing governments and private interests are expressing interest in a log standard. MITRE believes that this is the time to open up CEE to a wider working group and those people with interests in this space to help the CEE standard.


6. Guidance - where do we go from here?

The first step is to get the interested parties on the same page: standardize the terminology, agree to supporting use cases and scoping. From there, we can begin to delve into the technical details.

Additionally, we are exploring merging the XDAS work being done by OpenGroup, and CEE. As we both have similar goals, we feel it is better to have one standard to support all use cases rather than 2 competing standards.


7. CEE BOF at the RSA Conference

There was a face-to-face meeting on 9 April at 3:00pm PT at the RSA Conference in San Francisco. The minutes from this meeting will follow.


8. Open Forum for questions, comments, and

What is the relation between CEE and XDAS? Should we have 2 standards or one? - Agreement that we should merge the efforts. The first steps need to be to correlate the XDAS v2 specification with the CEE whitepaper. We need to come to an overall agreement on pieces, terminology, scope, etc.

Participation in the CEE Working Group is voluntary, though you need to be willing to put time in to doing work. Eventually, the working group may be transformed into an editorial board that provides

Suggestion: Start with a list of supported CEE events and then drill down into the required details/syntax for each.

Suggestion: Taxonomy Framework: Support a CEE "Base Event" and have everything extend from there.

William Heinbockel
Infosec Engineer, Sr.
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
[hidden email]
