I reached out to the NIST team for a quick status update from them on EMAP.
I have included Paul Cichonski's response below. The discussion that Paul
has forwarded is from the NIST run emap-wg list.
Jonathan O. Baker
G022 - IA Industry Collaboration
The MITRE Corporation
Email: [hidden email]
From: [hidden email] [mailto:[hidden email]] On Behalf Of Cichonski, Paul
Sent: Tuesday, May 01, 2012 8:32 AM
To: cee-board-list CEE Board Member Discussion
Subject: FW: EMAP alive?
I've seen a few questions relating to the status of the NIST EMAP work so I
wanted to forward this recent thread from the EMAP WG list that gives a good
summary of where the NIST team is focusing (I think there is quite a bit of
overlap on these lists, so I apologize for the duplicates).
George will be sending out the draft taxonomy/field-level guidance
spreadsheet (outlined below) this week and we appreciate any feedback that
you can provide.
From: [hidden email] [[hidden email]] On Behalf Of Cichonski, Paul
Sent: Thursday, April 26, 2012 10:50 PM
Subject: RE: EMAP alive?
Kent summed it up pretty well.
The general consensus was to focus our energies on the adoption of CEE, and
then once that bottom layer of the stack is in place we could re-evaluate
the other efforts such as OEEL and CERE to see if they are still useful to
the community. Also, without that bottom layer in the stack provided by
common event expression it seems to be fairly hard to build things higher up
like standardized rules, which rely on some standardized event expression.
The NIST team (George Saylor is doing the bulk of this work) is focusing on
helping with the CEE adoption push and providing some log-centric guidance
that has been requested by those in the community. Right now we are focusing
on updating the NIST SP 800-92 Guide to Computer Security Log Management to
incorporate field-level guidance on what to log for specific types of audit
and OS events, as well as a high-level taxonomy organizing the types of
OS/audit events. We have that mostly complete and are going to begin
socializing it with those in the community next week (probably CEE list).
The plan is to then take that guidance and supplement it with the
CEE-specified way of expressing the guidance (hopefully using something like
CELR, but even just referencing the terms from the base profile would be a
step forward) and add it as an appendix to 800-92. We are hoping this will
kick off some adoption of CEE, as well as provide the community with
something they have asked for (i.e., "what do I need to log?"). This
taxonomy and field-level guidance may also help to push the formalization of
the CEE base profile, which in my mind is a critical piece of the puzzle.
You should see something either tomorrow or next week containing the draft
taxonomy/field-level guidance. We appreciate all of the input the community
can provide in this area.
To put it mildly, I think it died during and after the EMAP Developer
Workshop. There were too many things being proposed that were not needed to
accomplish what the 'languages' were asking for. There was duplication of
efforts with the Open Group Distributed Audit Services (XDAS) and other
individual components did not appear well thought out.
It may have been that the effort was just too early and a few things needed
to mature first. That may have been the case. Regardless, I don't think we
will see a lot of activity here for a while. Maybe after CEE 1.0 is
official we can revisit this but it did seem like the effort, as presented,
was more a solution looking for a problem.
Just my 2 cents.
Director Content Strategy, Architecture and Standards
McAfee | An Intel Company
5000 Headquarters Dr.
Plano, Texas 75024