Security and Risk Management Strategies Blog

Blogger: Dan Blum

As I wrote in an earlier post about our Catalyst SIG, Burton Group is working with vendors and end user organizations in the industry to promote common event and log standards. Last week, progress continued as a Common Event Expression (CEE) conference call convened by Mitre brought what may be important clarification on the scope of the effort. Also, participants from Open Group’s XDAS group (including our own Bob Blakley) were added to the CEE editorial board, and an important IETF effort to enhance Syslog came to light.

After the conference call, Mitre summarized the scope discussion as follows:

“CEE will be the most valuable to the community if we take a top-down approach. This means that we start with a couple high-level use case drivers, such as regulatory compliance requirements as well as other log guidance, and determine what log types and data are necessary to meet those needs.

CEE should aim to be a lightweight standard. However, it needs to be flexible/extensible enough to support larger, more complex uses.

At minimum, CEE should require a timestamp and some sort of event classification.

The standard log data should be self describing, possibly in the form of name-value pairs. The next version of Syslog (currently in draft version in IETF) can probably support this within structured data blocks.”

It’s important to caution that the migration towards log and event standards will be a gradual, evolutionary process that won’t replace log and event chaos with a wholly uniform approach. One vendor noted on the call that there are many different eventing/logging use cases and sources, therefore “It would be disastrous to decree a single representational format like XML” and “I don’t see [my company] dropping all investment on rich logging infrastructure and adopting Syslog.”

Even if we don’t get to uniformity, Burton Group strongly agrees that something along the lines of the proposed standard would bring great value to the industry, and we are encouraged by the progress so far. As the ideas become more fully baked, we plan to encourage customers and clients not to wait, but to begin mandating these same log/event coherence concepts (such as event classification, timestamps, and data self-description mechanisms) for the systems and software they buy and develop.

CEE members are also working on defining use cases for event management, and a work-in-progress data dictionary. Now is a good time for security information event management vendors, log management vendors, and enterprise security practitioners to get involved; to participate in or monitor the CEE effort directly, see http://cee.mitre.org/.

Blogger: Dan Blum

There are two groups actively working to create a common event standard that allows event logs and audit records to be shared and understood across many products, and the good news is that they’re talking to each other:

• Common Event Expression (CEE) language, by Mitre 
• X/Open Distributed Audit Standard (XDAS), by Open Group 

The business benefits of creating a common event standard would be considerable:

• Reduced log management and security information event management (SIEM) system integration costs 
  • Reduced volume of event data and simplification of SIEM architecture 
  • Reduced need for (and increased effectiveness of) normalization 
• Reduced cost of integrating new solutions with security management infrastructures and frameworks 
• Lower cost of integrating event management and audit into cross-enterprise applications (such as federated identity management)
• Faster and simpler data exchange between organizations, vendors and incident response services supporting real time response to threats and attacks 
• Better forensics for a common defense 

Late last year, our Burton Group Security and Risk Management Strategies (SRMS) group decided to push the question of event standards with vendors, trade press, and standards groups. But we felt that we needed evidence of end user enterprise interest and involvement to start doing so. Happily, as we began researching the space, we found that Mitre’s CEE was being driven by the EU, NATO and DoD as well as log management and platform vendors. Burton Group held a conference call discussing common event standards and SIEM with members of the International Information Integrity Institute (I-4), and key stakeholders showed up. The Open Group reports that enterprises as well as vendors are getting involved with XDAS. Clearly, enterprises seem ready to focus on this topic.

Of course, there are challenges ahead. Not only is there no complete common event standard out in the field today, there are many partial standards or solutions, including Syslog; the IETF’s Intrusion Detection Message Exchange Format (IDMEF) and Incident Object Description and Exchange Format (IODEF); the Java Specification Request (JSR) 47 Logging API, WS-Management subscribe/publish APIs and so on. Any comprehensive standard released in the future should work with existing technologies like these as much as possible. Also, there are a number of complexities, including mapping event semantics between different systems, synchronizing time while managing clock drift, and maintaining dynamic event handling policies.

Fortunately, the Mitre and Open Group efforts are gaining traction. Mitre has put up a CEE web site and one can ask to subscribe to the CEE mailing list. Mitre has described its scope as covering standard event taxonomy/terminology, log syntax, log transport and recommendations on what types of events and data elements systems should log. Mitre’s specifications are in the draft stage, and publication for comment is “expected 2008” according to the website. That’s pretty indefinite. But we are told that while not complete, these draft documents will reflect a considerable amount for work that has already been done and can be built upon. It is positive that a CEE community representative says Mitre plans to begin by seeking comments on the underlying goals and requirements for event standards. But to establish a broadly accepted industry standard anytime soon, Mitre and the government/defense community it servers will have to accelerate overly lengthy document review cycles and possibly streamline handling procedures designed for classified information rather than open standards deliberation.

As my colleague Bob Blakley wrote in “An Auditing Standard: Has this rough beast's hour come round at last?” last July, Open Group revived prior work on a specification called “X/Open Distributed Audit Standard” (XDAS).  XDAS addresses the concerns necessary to build a robust distributed security auditing system in a mature and complete way, but its 1990s era C and UNIX interfaces need to be updated. Novell, whose Bandit Project incorporates XDAS, has contributed source code to a new open-source project called OpenXDAS (http://openxdas.sourceforge.net/) which makes an XDAS implementation widely available.

As these two standards efforts proceed, we hear mixed signals. There have been some indications of contention; for example, CEE representatives purport to have a strong emphasis on “simplicity,” while some observers have expressed concern that XDAS may be “too complex.” Of course, the other side of the argument could be that CEE will over-simplify issues, but it’s hard to have that discussion when specifications for CEE aren’t publicly available yet.

Fortunately, olive branches have been extended as well. During the Open Group meetings in January, 2008 Burton Group observed the XDAS and CEE leadership discuss ways they could coordinate and avoid overlaps. For example, CEE and XDAS could make sure that XDAS APIs become a CEE-compatible logging transport and, if both organizations produce data dictionaries for events, they could be perhaps formulated to use a common taxonomy and to avoid schema conflicts and overlaps. We’re also hoping that vendors such as Arcsight, Oracle and CA – who have been proactive about proposing specifications or encouraging the industry to create a common event standard – will be become part of the convergence on a common solution.

In the coming weeks and months, Burton Group will keep watching the event standards space and post more information on how matters develop. Please let us know by commenting on this blog if there are other standards efforts we should be watching, compatibility concerns to address, or other issues and questions you’re concerned about. We hope to continue being a voice for convergence and standardization that helps put the industry on the road to a common event standard by 2009.

Photo (C) Ian Glazer All Rights Reserved

Blogger: Bob Blakley

During the Q&A following an SRMS panel I moderated at our recent Catalyst conference, an attendee asked me “What new standard would you most like to see?”.  My answer was “A standard defining mechanisms for generation, collection, and disposition of audit events.”

I’ve wanted this for years, but I’ve not held out a lot of hope.  Auditing has always been the red-headed stepchild of security; everyone grudgingly agrees that it’s important but no one really wants to work on it, because it’s not cool like cryptography (you’ll never see a black syslog t-shirt declaring itself to be a munition).

Imagine my surprise, then, when my proposal drew a warm and enthusiastic response from the audience. The new emphasis on compliance seems to have made the value of good event auditing much clearer than it was fifteen years ago when I first worked on auditing technology.

Clearer to the users, that is… after listening to the audience express its desire for the sort of standard I’d described, the vendors on the panel all donned serious expressions and talked about how hard it would be to get “the vendors” (as if they were talking about someone else!) to agree on such a standard.  One vendor suggested the burden of developing the standard should be handed to NIST, on the grounds that government purchasing could be an adoption driver.

I think that’s a cop-out.  I don’t see any reason – commercial or technical – why an excellent distributed auditing standard couldn’t be developed quickly and adopted widely without resorting to government purchasing schedules and mandates.  I can see lots of reasons why such a standard should be developed, the most important of which is that the standard would supply one of the key missing pieces of the compliance reporting puzzle.

There is some movement in the direction of such a standard.  ArcSight has developed a proposed event record format called “Common Event Format” (CEF for short) and appears to want to standardize it.  It’s a decent start, but it will need more work before it becomes the standard we need.  Most notably, CEF defines only a record format; it doesn’t define service interfaces to allow event producers to notify event consumers that an event has been created and is ready to be processed.  There are also technical deficiencies in the record format itself; it does not contain any mechanism for dealing with clock synchronization issues in distributed environments in which multiple systems are producing events.  This omission makes CEF unsuitable for creating audit records which support forensic determination of the ordering of events which occur on different systems.  Finally, CEF leaves the definition of event types (which are called “Signature IDs” in the specification, in a nod toward the intrusion-detection world) up to the individual event producers, thus inviting both ID conflict issues and proliferation of different names for events of the same type in different systems.  You can get CEF from ArcSight here: http://www.arcsight.com/solutions_cef.htm.

MITRE is apparently starting an effort address some of the issues CEF leaves open through a standardization effort called “Common Event Expression” (CEE).  This effort was announced on several blogs (including here: http://raffy.ch/blog/2007/04/19/standard-logging-format-common-event-exchange-cee/) in April.  But no detailed information about CEE seems to have been published by MITRE yet.

In the meantime, an old standard I worked on all those years ago has been resurrected in not one but two places.  At about the time X/Open and OSF merged to create The Open Group, a standard called “X/Open Distributed Audit Standard” (XDAS) was advanced to “preliminary” status.  XDAS was a great piece of work; it addressed all the concerns necessary to build a robust distributed security auditing system in a mature and complete way.  But it was a child of its time; it was an interface standard for C programs running on UNIX machines.

The Open Group moved on from X/Open’s mission of standardizing UNIX interfaces and OSF’s mission of building distributed system code which could be shared by many vendors, and XDAS got left behind.

But sometimes ideas are too good to die, and it seems that like King Arthur, XDAS was not dead but only sleeping.  The Open Group Security Forum has recognized the need for an audit standard for the modern world, and is revising the specification to remove all the C and UNIX anachronisms and bring the functionality up to date.  The landing page for this effort is here: http://www.opengroup.org/security/.  And Novell, whose Bandit Project incorporates XDAS, has contributed source code to a new open-source project called OpenXDAS (http://openxdas.sourceforge.net/) which makes the XDAS implementation widely available.

Can XDAS be modernized? Can CEF be extended?  What will CEE look like? Which of these efforts should you support?  Or should you press NIST for a standard instead? 

Frankly, I think you should support all of these options.  We’ve been wandering in the audit desert for too long.  Three standards would be infinitely better than none.  One broadly agreed standard would be best of all – especially if that one standard exploited Web 2.0 information distribution channels like RSS.  If we all start going to the meetings, my bet is that the existing efforts will converge pretty quickly on something well-integrated into the Web 2.0 architecture which is lighter than XDAS, more functional than CEF, and more broadly supported than either; this should be the goal.

I’m putting my money (or at least my time) where my mouth is here.  I’ll be at the Open Group Security Forum meeting in Austin next week, working on XDAS again for the first time in a decade.  I’ll let you know how it goes.