CEE will be the most valuable to the community if we take a
top-down approach. This means that we start with a couple of
high-level use case drivers, such as regulatory compliance
requirements as well as other log guidance, and determine
what log types and data are necessary to meet those needs.
CEE should aim to be a lightweight standard. However, it
needs to be flexible/extensible enough to support larger,
more complex uses.
At minimum, CEE should require a timestamp and some sort of
The standard log data should be self describing, possibly in
the form of name-value pairs. The next version of Syslog
(currently in draft version in IETF) can probably support
this within structured data blocks.
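As an added illustration (not code from the post, MITRE or the CEE project) of what "self-describing name-value pairs inside syslog structured-data blocks" looks like in practice, the Python below parses a message in the syntax of the IETF draft mentioned above, which was later published as RFC 5424: a header whose timestamp is mandatory, followed by zero or more `[SD-ID name="value" ...]` elements. The sample message, the SD-IDs `auth@32473` and `origin`, and the parameter names are constructed for the example; the escaping rules (`\"`, `\\`, `\]` inside a value) are the RFC's.

```python
import re
from datetime import datetime

# Constructed sample message (not from the post): PRI, version, timestamp,
# host, app, procid, msgid, two structured-data elements, then free text.
SAMPLE = ('<34>1 2008-10-15T12:34:56.003Z host1 sshd 1234 ID47 '
          '[auth@32473 user="alice" result="fail" reason="bad \\"pw\\""]'
          '[origin ip="10.0.0.5"] Failed password for alice')

# RFC 5424 header: PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID,
# always followed by a space and STRUCTURED-DATA; fields may be "-".
HEADER = re.compile(r'<(\d{1,3})>(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+) ')
# One SD-ELEMENT: "[" SD-ID *(SP PARAM-NAME "=" DQUOTE PARAM-VALUE DQUOTE) "]"
SD_ELEMENT = re.compile(r'\[([^\s\]=]+)((?: [^\s=\]]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM = re.compile(r'([^\s=\]]+)="((?:[^"\\]|\\.)*)"')


def _unescape(value):
    # Inside PARAM-VALUE the characters '"', '\' and ']' are backslash-escaped.
    return re.sub(r'\\([\\"\]])', r'\1', value)


def parse_syslog(line):
    """Return header fields plus {sd_id: {name: value}} for each SD element.

    Raises ValueError when the timestamp (which the notes say should be
    mandatory) is absent or the structured-data section is malformed."""
    m = HEADER.match(line)
    if not m:
        raise ValueError('not an RFC 5424 header')
    pri, version, ts, host, app, procid, msgid = m.groups()
    if ts == '-':
        raise ValueError('timestamp is required')
    timestamp = datetime.fromisoformat(ts.replace('Z', '+00:00'))

    pos = m.end()
    structured = {}
    if line.startswith('-', pos):          # NILVALUE: no structured data
        pos += 1
    else:
        while True:                        # consume consecutive SD elements
            e = SD_ELEMENT.match(line, pos)
            if not e:
                break
            sd_id, params = e.groups()
            structured[sd_id] = {k: _unescape(v)
                                 for k, v in SD_PARAM.findall(params)}
            pos = e.end()
        if not structured:
            raise ValueError('malformed structured data')
    # Optional MSG follows a single space after the structured data.
    msg = line[pos + 1:] if line.startswith(' ', pos) else ''

    pri = int(pri)
    return {
        'facility': pri >> 3, 'severity': pri & 7, 'version': int(version),
        'timestamp': timestamp, 'host': host, 'app': app, 'procid': procid,
        'msgid': msgid, 'structured': structured, 'msg': msg,
    }


if __name__ == '__main__':
    event = parse_syslog(SAMPLE)
    print(event['timestamp'].isoformat())
    for sd_id, params in event['structured'].items():
        print(sd_id, params)
```

The point of the example is that every field a consumer might act on (user, result, source IP) arrives named, so a CEE-style profile can require specific SD-IDs and parameter names without forcing consumers to regex the free-text MSG, while the timestamp check enforces the minimum the notes call for.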
MITRE has briefed CEE to both NATO and the US Dept. of
Defense. Both organizations are interested in standardizing
their computer security infrastructures and have expressed
much interest in CEE.
Additionally, CEE will be briefed at the MILCOM 2008
Conference in San Diego in November.
MITRE has been approached by several vendors interested in
supporting/implementing CEE in their products.
1. MITRE will look at some of the high level PCI, SOX, FISMA
and other log drivers, and will drive the Use Case WG
2. MITRE will also suggest a couple of diverse use cases to
start driving CEE implementations. These use cases will
probably be to (1) support regulatory needs and (2) support
one of our sponsors' needs for IA/CND log standards.
3. Raffy will post an updated version of his working Data
Also, we discussed possible occasions for face-to-face
meet-ups. The following events were suggested:
- ShmooCon, D.C., 6-8 Feb
- SourceBoston, Boston, 9-13 March
- RSA, San Francisco, 20-24 April
Sheldon A. Durrant
The MITRE Corporation
202 Burlington Road
Bedford, MA 01730