Over the past few years, I've been involved with a number of ESG Research projects all pointing to a few common problems. Even in the most sophisticated shops, security teams struggle to collect the avalanche of security data generated from different log files and tools, analyze this data in a proactive manner, or find the proverbial needle in the haystack indicating anomalous behavior.
The data also indicates that this situation is getting worse. Why? IT continues to scale - bigger data centers, multi-core processors, and faster networks mean more activity to sort through. Couple this with burgeoning technologies like cloud platforms, server virtualization, and mobile devices and you've got scale and new protocols, traffic patterns, and behavior to follow. Let's face it, IT is in a constant state of change and change is the enemy of security. If I don't know what's on the network or what state it's in, how can I protect it effectively?
Addressing this situation won't be easy and I, like many of my security colleagues, believe that we will need to collect, process, and analyze a heck of a lot more data to make this happen. This was a big topic at the RSA Conference - Big data analytics meet security requirements. The problem here however is that we don't have a lot of time to piece together a major custom project a la NSA. Furthermore, we need to simplify the security data taxonomy so we can make security data actionable as soon as possible.
Enter the Common Event Expression (CEE) standard, a group effort being championed by Mitre Corporation. Other participants include Cisco, HP/ArcSight, McAfee, NIST, and Microsoft. CEE seeks to solve a basic problem that doesn't get enough attention. Every IT device and application generates log files, but there really are no standards for how these logs present their data. As a result, you either have to learn what each log file is telling you or develop technologies to normalize these logs into some common and usable format. It's easy to see how this has become such a big problem - more IT stuff, more logs of different flavors that need to be collected, normalized, processed, etc.
CEE is designed to address this problem from cradle to grave by defining common event definitions, enumeration, classification, languages, transport protocols, etc. In other words, everything from event/log production to event/log consumption is covered.
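To make the normalization problem concrete, here is an added example (not code from the post, from Mitre, or from any CEE implementation) that takes two constructed log dialects, a syslog-style sshd line and a key=value firewall line, and maps both onto one common record. The field names (`time`, `host`, `source`, `event`, `outcome`, `user`, `src_ip`) are a hypothetical schema chosen for illustration, not CEE's real vocabulary, and the sample lines, hosts and addresses are made up. The payoff is in the last function: once every source speaks one schema, a question that spans tools ("which addresses produced failures anywhere?") becomes trivial to ask.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines for two different log "dialects"; these are not
# captures from any real system, and the addresses are documentation ranges.
SAMPLE_LOGS = [
    "Mar  3 08:15:42 web01 sshd[2107]: Failed password for invalid user admin "
    "from 203.0.113.7 port 52211 ssh2",
    "Mar  3 08:16:01 web01 sshd[2109]: Accepted publickey for deploy "
    "from 198.51.100.12 port 40022 ssh2",
    "2012-03-03T08:17:30Z host=fw01 product=acme-fw action=deny "
    "src=203.0.113.7 dst=192.0.2.10 dport=22 proto=tcp",
    "2012-03-03T08:17:31Z host=fw01 product=acme-fw action=allow "
    "src=198.51.100.12 dst=192.0.2.10 dport=443 proto=tcp",
]

# Hypothetical common field names for this example; NOT CEE's real vocabulary.
COMMON_FIELDS = ("time", "host", "source", "event", "outcome", "user", "src_ip")

SYSLOG_SSHD = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hms>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse_sshd(line, assumed_year=2012):
    """Syslog-style sshd line -> common record, or None if it does not match.
    Classic syslog timestamps carry no year, so one is assumed here."""
    m = SYSLOG_SSHD.match(line)
    if not m:
        return None
    stamp = datetime.strptime(
        f"{assumed_year} {m['mon']} {m['day']} {m['hms']}", "%Y %b %d %H:%M:%S"
    ).replace(tzinfo=timezone.utc)
    return {
        "time": stamp.isoformat(),
        "host": m["host"],
        "source": "sshd",
        "event": "auth.login",
        "outcome": "success" if m["result"] == "Accepted" else "failure",
        "user": m["user"],
        "src_ip": m["src"],
    }


def parse_kv(line):
    """'<ISO time> key=value ...' firewall line -> common record, or None."""
    parts = line.split()
    if len(parts) < 2 or not parts[0].endswith("Z"):
        return None
    kv = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if "action" not in kv or "src" not in kv:
        return None
    stamp = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "time": stamp.isoformat(),
        "host": kv.get("host"),
        "source": kv.get("product", "firewall"),
        "event": "net.connection",
        "outcome": "success" if kv["action"] == "allow" else "failure",
        "user": None,
        "src_ip": kv["src"],
    }


PARSERS = (parse_sshd, parse_kv)


def normalize(line):
    """Try each dialect parser in turn. An unrecognised format is an error,
    not a silently dropped event: gaps in coverage should be visible."""
    for parser in PARSERS:
        rec = parser(line)
        if rec is not None:
            assert tuple(rec) == COMMON_FIELDS  # every parser must emit the full schema
            return rec
    raise ValueError(f"no parser for line: {line!r}")


def normalize_all(lines):
    return [normalize(line) for line in lines]


def failures_by_source_ip(records):
    """With one schema, a cross-tool question is one loop: which addresses
    produced a failure outcome in *any* log, regardless of the producing tool?"""
    counts = {}
    for r in records:
        if r["outcome"] == "failure":
            counts[r["src_ip"]] = counts.get(r["src_ip"], 0) + 1
    return counts


if __name__ == "__main__":
    recs = normalize_all(SAMPLE_LOGS)
    for r in recs:
        print(r)
    print(failures_by_source_ip(recs))
```

Every new log source costs one more parser, but the analysis on the right-hand side of `normalize` never changes; that separation is what a common event format buys, and why the post argues it is worth standardizing rather than re-solving in every shop.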
Mitre is no stranger to security standards - think CVE (Common Vulnerability Enumeration). That said, CEE is not the only game in town. The Linux community has something called "Project Lumberjack," Verizon touts a standard called Verizon Enterprise Risk and Incident Sharing (VERIS), and the IETF is playing in this space as well. CEE doesn't necessarily compete with these other efforts, however, since it is extensible and could work in concert with other standards.
I noticed that Sensage and Tripwire have announced support for CEE and would encourage others to do the same. CEE is not a panacea by any means, but enterprise organizations need better security intelligence and analytics ASAP, and no one should expect them to invest years of time and tens of millions of dollars to piece together custom solutions. Security standards like CEE can go a long way toward expediting common security data standards, wider data exchange, and deeper analysis. For that reason alone, the security technology industry should be much more engaged.
You can read Jon's other blog entries at Insecure About Security.