Below are my notes from the CEE meeting at Defcon
a couple of weeks ago.
All in all, things turned out fairly well, though
I apologize to anyone who wanted to participate
but could not locate us.
***************************
CEE Meeting
Defcon - 08 Aug 2008
Riviera, Las Vegas, NV
Attendees
=========
- Eric Fitzgerald
- Tina Bird
- Raffy Marty
- Sanford Whitehouse
- Steve Christey
- William Heinbockel
Minutes
=======
Group met at the Defcon Registration desk at the Riviera at Noon PST.
Discussion lasted for approximately 2 hours.
Definitions
===========
The definitions discussion is going well, though we are now debating semantic
nuances. MITRE needs to issue a final version, and we can extend that
with additional notes and descriptions.
- Event definition discussion
  - Machine-generated data
  - "State change" may not be good enough: because of problems with
    abstraction levels, the end state might be the same as the start
    state. Use "activity occurred" instead.
  - We should include a definition for "event stream". Generically, the
    log flow process seems to be:
      event -> event record -> event stream -> event log
  - A log is a general sequential or timestamped repository of
    records.
  - Logs also hold reports or "informational messages".
  - Fidelity: logged events may not have actually occurred, such as
    with an IDS signature match.
    - Look at Orin Kerr's paper on machine logs vs. hearsay.
  - Applications, Operations, and Admins partake in various log
    activities.
- Syntax
  - The syntax fields should be self-describing.
  - Support: binary vs. XML vs. string formats.
  - Need to support proper ordering of records.
    - The log order does not always match the event order.
  - Need to support granular timestamps.
    - Synchronizing timestamps.
  - Need to support sequence numbers to properly order events.
    - Pair-wise vs. universal IDs.
Questions / Issues
==================
- Can a record consist of 1 or more records?
- How does CEE handle multi-line data?
- Should logs be machine-readable or human-readable?
  - This choice depends on the environment and admins.
  - Machine-readable is more condensed and better for wire formats.
  - Machine-readable can be translated for humans.
- Who timestamps the records? The application? The event recorder?
Outcomes
========
- CEE and LogAnalysis.org will partner up.
  - MITRE will host the CEE drafts and specifications.
  - LogAnalysis can host a wiki, log repositories, and everything else.
  - More to come on this later...
- MITRE will finish the CEE WG Charter.
  - High-level use cases for CFO, CIO/Operations, Developers.
- MITRE will produce a CEE Project outline.
  - Deliverables
  - Schedule
- We need to get more large players involved: Cisco, Oracle, Apple,
  IBM.
- We need more diversity in the WG: admins and enterprise users.
- Create a Vendor Questionnaire.
  - Technical issues with logs?
  - Customer issues with current logging?
  - How do you view SIM vendors continually asking for logs?
  - If logs were standardized, what potential damage or loss would you
    suffer?
William Heinbockel
Infosec Engineer, Sr.
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
781-271-2615