Here are my notes from the April 9th face to face meeting at RSA. Most of the discussion centered on the XDAS-CEE relationship/overlap, but some other good discussions were had.
CEE Meeting Minutes
RSA Conference 2008, San Francisco
9 April 2008, 3:00PM PT
Gabriel Coelho-Kostonly, ArcSight
Anton Chuvakin, LogLogic
Raffy Marty, Splunk
Ian Dobson, OpenGroup
Bob Blakely, Burton Group
Eric Fitzgerald, Microsoft
John McReynolds, RSA
Jon Baker/Drew Buttner, MITRE
1. Coordinating CEE and XDAS
   XDAS is coordinated by OpenGroup, with the support of Novell.
   Similar goals; need to come to agreement on how best to merge.
2. Burton Group - analyst, industry rep.
   MITRE is independent: govt. and industry.
   Both have standards experience.
3. CEE: Is it 1 standard or 4?
4. Taxonomy is the most important, highest impact.
   So is logging recommendations.
5. Need lead/editor for each section (maybe per
   Need documentation -- it is hard to organize without much written guidance. Should concentrate on fleshing out use cases, scope, and higher level topics first. We can leave the technical stuff for later.
6. Field list is easier, but still not without
   source vs. src_ip vs. ipv4/ipv6; not every network is IP...
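To make the field-list problem in item 6 concrete, here is an added example (not code from the minutes, CEE or XDAS) of a small normalizer that maps several vendor-specific "source" field names onto one common structure and records the address family explicitly, so that non-IP sources (MAC addresses, host names) are not forced into an ipv4/ipv6 field. The alias list and the sample events are constructed for this example and are not a CEE-defined list.

```python
import ipaddress
import re
from typing import Any, Dict, List

# Hypothetical vendor field names that all mean "originating address".
# Constructed for this example; CEE defines no such list here.
SOURCE_ALIASES = ("source", "src_ip", "src", "srcaddr", "source_address")

# Colon-separated 48-bit MAC address, e.g. 00:11:22:33:44:55.
_MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def classify_address(value: str) -> str:
    """Return an address family label: 'ipv4', 'ipv6', 'mac' or 'name'.

    Using a family label instead of separate ipv4/ipv6 fields lets events
    from non-IP networks carry a source address without a schema change.
    """
    text = value.strip()
    try:
        addr = ipaddress.ip_address(text)
        return "ipv4" if addr.version == 4 else "ipv6"
    except ValueError:
        pass
    if _MAC_RE.match(text):
        return "mac"
    return "name"


def normalize_event(raw: Dict[str, Any]) -> Dict[str, Any]:
    """Map vendor-specific source fields onto one common 'src' field.

    All other fields are passed through unchanged. If an event carries
    two different source aliases with different values, the conflict is
    flagged rather than silently picking one.
    """
    out = {k: v for k, v in raw.items() if k not in SOURCE_ALIASES}
    found = [str(raw[k]) for k in SOURCE_ALIASES if k in raw]
    if not found:
        return out
    if len(set(found)) > 1:
        out["src_conflict"] = True
    out["src"] = {"address": found[0], "family": classify_address(found[0])}
    return out


def family_counts(events: List[Dict[str, Any]]) -> Dict[str, int]:
    """Count normalized events per source address family."""
    counts: Dict[str, int] = {}
    for ev in events:
        norm = normalize_event(ev)
        if "src" in norm:
            fam = norm["src"]["family"]
            counts[fam] = counts.get(fam, 0) + 1
    return counts


# Constructed sample events, each using a different vendor's field name.
SAMPLE_EVENTS = [
    {"src_ip": "10.0.0.5", "msg": "login ok"},
    {"source": "fe80::1", "msg": "login ok"},
    {"srcaddr": "00:11:22:33:44:55", "msg": "dhcp discover"},
    {"src": "printer01", "msg": "lpd job"},
    {"msg": "heartbeat"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(normalize_event(ev))
    print(family_counts(SAMPLE_EVENTS))
```

The point the example makes is the one raised in the meeting: agreeing on a field name (source vs. src_ip) is the easy part; the schema also has to say what value types the field admits, and "IP address" is too narrow for a common taxonomy.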
7. Common Event Standard SIG happening at the Catalyst conference on 24 June in San Diego. XDAS and CEE will be highlighted. Need to determine agenda
1. Send out Whitepaper [draft] to RSA group
2. Start documenting CEE Use Cases and scope
Infosec Engineer, Sr.
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
[hidden email] 781-271-2615