heinbockel
Sorry for the delay in getting these out.
I've had them written for a while but haven't had the time until today to actually type them up. Without further ado...

CEE Telecon Minutes
4 April 2008, 2:00PM ET

Attendees:
Bruce, NSA
Chris Riley, VOLPE
Karen Scarfone, NIST
Dave Corlette, Novell
Dan Sanders, Novell
Anton Chuvakin, LogLogic
Raffy Marty, Splunk
Gabriel Coelho-Kostonly, ArcSight
Salo Fajer, NitroSec
Dan Blume, BurtonGroup
Erik Mintz, BigFix
Eric Fitzgerald, Microsoft

***********************************************************

Topics:

1. Introductions

2. Why CEE? - the history and MITRE involvement

CEE was started based on encouragement from the security industry. Various vendors and organizations approached MITRE asking if we were investigating producing a log standard. Also during this time, a MITRE research project for the Air Force required us to start parsing and interpreting log data. After exploring the past log standards (e.g., IDMEF, CIDF, SDEE) and discussions with the CVE and OVAL people here at MITRE, we decided that it was worth a shot to start investigating. The initial talks started back in 2006, and CEE first came to light in early 2007 with the help of Anton Chuvakin and Raffy Marty.

------------------------------------------------------------

3. "Get, Parse, and Understand" - the CEE components

Early on, it was realized that any log "standard" would have to encompass several sub-standards. The big hurdle would be the log taxonomy - what are these "log events" and how should they be recorded. The next challenge is ensuring that the event details are consistently recorded and that all of the critical details are included. These syntax components are necessarily tied to the representation medium; Syslog, xml, binary, and others utilize different data representations. Additionally, there needs to be agreement as to how these event logs will be exchanged in the transport.

Finally, it would be beneficial for the entire community if the existing log standards and policies were correlated, and future recommendations should be made to enhance the overall usefulness of logs, for vendors and organizations. Based on these realizations, we propose that CEE consist of 4 parts: taxonomy, syntax, transport, and log recommendations. (Further information is on the CEE website.)

------------------------------------------------------------

4. The CEE website and current CEE work

It has been some months since the CEE website was last updated. We are currently in the process of updating it and waiting for release approval. An updated site with mailing list registration, archives, and whitepaper details should be available shortly. The whitepaper will be released in the next week or two. Unfortunately, MITRE is required to go through the government release process for all CEE documents. This process is slow and we have no control over the timeline. Some documents are granted release in a week, some take more than a month.

------------------------------------------------------------

5. Developing CEE - forming the CEE working group

Right now there is a lot of interest and expectations surrounding CEE. Organizations representing various governments and private interests are expressing interest in a log standard. MITRE believes that this is the right time to open up CEE to a wider working group and encourage those people with interests in this space to help create the CEE standard.

------------------------------------------------------------

6. Guidance - where do we go from here?

The first step is to get the interested parties on the same page: standardize the terminology, agree to the supporting use cases and scoping. From there, we can begin to delve into the technical details. Additionally, we are exploring merging the XDAS work being done by OpenGroup, and CEE.

As we both have similar goals, we feel it is better to have one standard to support all use cases rather than 2 competing standards.

------------------------------------------------------------

7. CEE BOF at the RSA Conference

There was a face-to-face meeting on 9 April at 3:00pm PT at the RSA Conference in San Francisco. The minutes from this meeting will follow.

------------------------------------------------------------

8. Open Forum for questions, comments, and suggestions

What is the relation between CEE and XDAS? Should we have 2 standards or one?
- Agreement that we should merge the efforts. The first steps need to be to correlate the XDAS v2 specification with the CEE whitepaper. We need to come to an overall agreement on pieces, terminology, scope, etc.

Participation in the CEE Working Group is completely voluntary, though you need to be willing to put time into doing work. Eventually, the working group may be transformed into an editorial board that provides guidance.

Suggestion: Start with a list of supported CEE events and then drill down into the required details/syntax for each.

Suggestion: Taxonomy Framework: Support a CEE "Base Event" and have everything extend from there.

William Heinbockel
Infosec Engineer, Sr.
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel@...
781-271-2615