by Anton Chuvakin | December 11, 2012 | Comments Off on Our Log Standards Paper Publishes
Recently I updated a paper originally written by Dan Blum called “Event and Log Information: A Strong Case for Standards” and it just got posted to the site: “A deficit of globally accepted event and log standards is exacerbating compliance, operations and information protection challenges. This document provides an update on current standardization efforts and offers recommendations on what organizations should do about such data standardization.”
A key quote follows:
“The IT industry suffers from a lack of standards for event, log and threat information exchange. Regulatory requirements to retain, protect and destroy log data continue to increase. Organizations need better situational awareness and cost control across complex IT security event horizons. The good news is that standards efforts are under way within forums such as Mitre’s Common Event Expression (CEE) group. The bad news is that adopting standards will be challenging for software vendors because it affects literally every piece of software. Organizations can benefit now from internal event, log and threat information standardization, but they also need to push security vendors much harder toward supporting the emerging industry standards.”
The paper also contains a brief discussion of a rapidly changing field of threat and incident data exchange standards:
“The following is a brief summary of some of the ongoing efforts in the domain:
- The Structured Threat Information eXpression (STIX) effort is driven by Mitre. STIX "is primarily intended as a concrete straw man for ongoing collaborative development of a structured threat information expression language among a community of relevant experts" (STIX FAQ v 0.3). In other words, its goal is to enable people and organizations to share threat information in order to detect these threats and then build defenses collaboratively (see the CybOX site and STIX white paper for details).
- The Trusted Automated eXchange of Indicator Information (TAXII) effort seeks to create "a set of protocols and representations that enable the representation and automation-supported sharing of behavioral cyber threat indicators." It is a companion effort for STIX (see the official TAXII site for details).
- OpenIOC is a vendor-developed standard for sharing the data useful for discovering threats already present on a network, known as "indicators of compromise." It "is an extensible XML schema for the description of technical characteristics that identify a known threat, an attacker’s methodology, or other evidence of compromise" (see OpenIOC for details).
- An older security-data-sharing standards effort called Incident Object Description Exchange Format (IODEF) has been revived and extended "to support structured cybersecurity information" by the Managed Incident Lightweight Exchange (MILE) WG. The group seeks to "develop standards and extensions for the purpose of improving incident information sharing and handling capabilities." The results of its work were published in May 2012. As with other related efforts, it also aims "to facilitate enriched cybersecurity information exchange among cybersecurity entities."
- The Incident Data eXchange WG (IDXWG) at US-CERT is working on ways to share security incident data models, threat indicators and other relevant security data using existing and emerging standards (see this presentation for details).”
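To make the OpenIOC bullet above concrete, here is an added example (mine, not code from the paper or from the OpenIOC project) that parses an indicator definition and evaluates its nested AND/OR logic against a set of host observations. It assumes the OpenIOC 1.0 layout as I understand it: an `<ioc>` element whose `<definition>` nests `<Indicator operator="AND|OR">` elements around `<IndicatorItem condition="is|contains">` elements, each carrying a `<Context search="..."/>` and a `<Content>` value. The indicator file, the search paths and the three host snapshots are constructed for illustration; the point is that a consumer has to honour the boolean structure (a lookalike file name alone must not fire the AND branch) and should fail closed on operators or conditions it does not understand, rather than silently treating them as non-matches.

```python
# Added example for this post (not code from the paper or the OpenIOC project).
# Assumes the OpenIOC 1.0 layout: an <ioc> whose <definition> nests
# <Indicator operator="AND|OR"> elements around <IndicatorItem condition="is|contains">
# elements that each carry a <Context search="..."/> and a <Content> value.
# The indicator file and the host observations below are constructed for illustration.
import xml.etree.ElementTree as ET

SAMPLE_IOC = r"""<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="00000000-0000-0000-0000-000000000001"
     last-modified="2012-12-11T00:00:00">
  <short_description>Constructed example indicator</short_description>
  <definition>
    <Indicator operator="OR" id="top">
      <IndicatorItem id="dropper-hash" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">d41d8cd98f00b204e9800998ecf8427e</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="persistence">
        <IndicatorItem id="lookalike-name" condition="contains">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">svch0st</Content>
        </IndicatorItem>
        <IndicatorItem id="run-key" condition="is">
          <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/>
          <Content type="string">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""

# Constructed host observations: OpenIOC "search" path -> values collected from that host.
CLEAN_HOST = {
    'FileItem/Md5sum': ['9e107d9d372bb6826bd81d3542a419d6'],
    'FileItem/FileName': ['svchost.exe', 'explorer.exe'],
    'RegistryItem/Path': [r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive'],
}
PARTIAL_HOST = {  # lookalike binary present but no Run key: the AND branch must not fire
    'FileItem/Md5sum': ['9e107d9d372bb6826bd81d3542a419d6'],
    'FileItem/FileName': ['svchost.exe', 'svch0st.exe'],
    'RegistryItem/Path': [r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive'],
}
INFECTED_HOST = {
    'FileItem/Md5sum': ['9e107d9d372bb6826bd81d3542a419d6'],
    'FileItem/FileName': ['svchost.exe', 'svch0st.exe'],
    'RegistryItem/Path': [r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater'],
}


def _local(tag):
    """Drop the namespace prefix ElementTree attaches to tags ('{uri}Indicator' -> 'Indicator')."""
    return tag.rsplit('}', 1)[-1]


def _item_matches(item, observations):
    """Evaluate one IndicatorItem against the observed values for its search path."""
    context = content = None
    for child in item:
        if _local(child.tag) == 'Context':
            context = child
        elif _local(child.tag) == 'Content':
            content = child
    if context is None or content is None or not context.get('search'):
        raise ValueError('IndicatorItem %r lacks Context/search or Content' % item.get('id'))
    needle = (content.text or '').strip().casefold()
    condition = item.get('condition', '').lower()
    # Windows paths, file names and hex digests are compared case-insensitively here.
    observed = [v.casefold() for v in observations.get(context.get('search'), [])]
    if condition == 'is':
        return needle in observed
    if condition == 'contains':
        return any(needle in v for v in observed)
    # Fail closed on conditions this evaluator does not understand instead of skipping them.
    raise ValueError('unsupported condition %r on item %r' % (condition, item.get('id')))


def evaluate(node, observations):
    """Recursively evaluate an <Indicator> (AND/OR over its children) or a single <IndicatorItem>."""
    kind = _local(node.tag)
    if kind == 'IndicatorItem':
        return _item_matches(node, observations)
    if kind != 'Indicator':
        raise ValueError('unexpected element %r' % kind)
    results = [evaluate(child, observations) for child in node
               if _local(child.tag) in ('Indicator', 'IndicatorItem')]
    operator = node.get('operator', '').upper()
    if operator == 'AND':
        return bool(results) and all(results)  # an empty AND matches nothing
    if operator == 'OR':
        return any(results)
    raise ValueError('unsupported operator %r on indicator %r' % (operator, node.get('id')))


def ioc_matches(ioc_xml, observations):
    """Return True if any top-level indicator in the IOC definition matches the host."""
    root = ET.fromstring(ioc_xml)
    definition = next(c for c in root if _local(c.tag) == 'definition')
    return any(evaluate(ind, observations) for ind in definition
               if _local(ind.tag) == 'Indicator')


if __name__ == '__main__':
    for name, host in (('clean', CLEAN_HOST), ('partial', PARTIAL_HOST), ('infected', INFECTED_HOST)):
        print(name, ioc_matches(SAMPLE_IOC, host))
```

Only the clean and partial hosts come back negative; the partial host shows why the consumer must evaluate the AND/OR tree rather than flattening every `IndicatorItem` into a bag of strings to grep for. The case-insensitive comparison is a deliberate choice for Windows artifacts and hex digests, not something the schema mandates, so adjust it if the indicators you consume cover case-sensitive paths.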