Over the past 8 years or so, the good people at the MITRE Corporation have contributed a set of identifiers that have proven to be very useful to the information security industry. With more on the way, I'd like to share with you my thoughts. Before I begin, I hope these comments are not taken in a negative manner. I have the deepest respect for these people and support them 100%. All of their energy and talent goes into making our industry more efficient and accurate, so next time you're at a trade show and see the MITRE booth, say hi and say thanks.
Everyone is familiar with CVE but you may not have heard of some of the others. I don't know if this is the complete list:
CVE - Common Vulnerabilities and Exposures
CCE - Common Configuration Enumeration
CPE - Common Platform Enumeration
CWE - Common Weakness Enumeration
CME - Common Malware Enumeration
(I'll refer to all of these as CxE's, representing a set containing these members.)
The value proposition is that if we all honor these namespaces, we can be assured of common identifiers and can therefore interoperate with greater precision; when any one of these enumerated objects is referenced, either socially or technically, a unique identity is referenced. Other industries have faced this problem and have come up with very useful identifiers that help them address this problem of identity. Could you imagine what the book industry would be like without an ISBN number? Or how about the retail industry and its complex supply chains not having a UPC (Universal Product Code)? There is a pattern, and that is what I am here to talk about.
The pattern is a category or set containing members that are uniquely indexed. What is interesting is how common this pattern is in every system. What is enumeration and why is this pattern so useful? The dictionary says:
enumerate
v 1: specify individually;
2: determine the number or amount of;
I like to look at the pattern and appreciate its form. We create categories because we like to group like objects. Given any number of objects, we spend cognitive cycles trying to fit them into a set based on some attribute[s]. At the logical level of category there is a loss of individual identity; categorization is really just a cognitive difference-filter. At any point in time, we can jump from the flat category back down to the individual member by its ordered or unordered index. The beauty is in how simple and useful this pattern can be, that is as long as your definition of the problem is simple. What happens when it is not so simple?
Are you still with me? Let's skip ahead 3 years and suppose there are not five common enumeration namespaces but twenty or thirty. Are we better off? When does it end? At which point do these common enumerations need their own common enumeration: CCEE - Common Common Enumeration Enumeration?
What I am going to say right now is not meant to diminish the value of CxE's; it is to ensure that we can continue their success.
The next step is to formally build the RELATIONSHIPS between these objects. There is still value in these CxE namespaces ensuring a unique identifier, but there is greater value to be gained by formally declaring how they are all related. Which platform (CPE) is related to a CCE (configuration) or CVE (vulnerability/exposure)? What you would end up with is an ontological representation of the information technology domain. I've spent the past 6 years thinking about this problem and have a few ideas to share on how to pull it off. To be ultimately useful and sustainable, it would have to be:
-- cared for by an entity that had international appeal
-- cared for by an entity that has no commercial interest
-- the ontology delivered in machine readable feed
-- distributed authoring of relational properties
-- based on a social networking technology that binds the community together
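As an added illustration (not part of the original post, and not MITRE's code), here is a toy relationship graph over the CxE namespaces: it resolves which CVEs, CWEs and CCEs relate to a platform by following the declared links transitively, and flags any reference that a namespace does not actually define, which is the basic integrity check a machine-readable feed of relational properties would need. All identifiers in it are constructed placeholders, not real entries.

```python
# Added example (not MITRE's code): a toy CxE relationship graph with two checks.
# Every identifier here is a constructed placeholder, not a real CVE/CCE/CPE/CWE entry.
from collections import defaultdict

APP = "cpe:/a:examplevendor:exampleapp:1.0"   # placeholder CPE names
OS = "cpe:/o:examplevendor:exampleos:2"

# Namespace membership: the set of identifiers each CxE is supposed to guarantee.
NAMESPACES = {
    "CPE": {APP, OS},
    "CVE": {"CVE-0000-0001", "CVE-0000-0002"},
    "CWE": {"CWE-00001"},
    "CCE": {"CCE-00001-0"},
}

# Typed relationships (subject, predicate, object): the layer the post says is missing.
EDGES = [
    (APP, "affected_by", "CVE-0000-0001"),
    (APP, "affected_by", "CVE-0000-0002"),
    (APP, "runs_on", OS),
    (OS, "configured_by", "CCE-00001-0"),
    ("CVE-0000-0001", "instance_of", "CWE-00001"),
    ("CVE-0000-0002", "instance_of", "CWE-99999"),  # deliberately unresolvable reference
]

PREFIXES = (("cpe:/", "CPE"), ("CVE-", "CVE"), ("CWE-", "CWE"), ("CCE-", "CCE"))

def namespace_of(ident):
    """Which CxE namespace an identifier claims to belong to (None if unknown)."""
    return next((ns for p, ns in PREFIXES if ident.startswith(p)), None)

def dangling_references(edges=EDGES, namespaces=NAMESPACES):
    """Identifiers used in a relationship that the owning namespace never defined."""
    idents = {x for s, _, o in edges for x in (s, o)}
    return sorted(i for i in idents
                  if namespace_of(i) is None or i not in namespaces[namespace_of(i)])

def related(start, edges=EDGES):
    """Everything reachable from start, grouped by namespace (transitive closure)."""
    graph = defaultdict(list)
    for s, _, o in edges:
        graph[s].append(o)
    seen, stack, found = {start}, [start], defaultdict(set)
    while stack:
        for nxt in graph[stack.pop()]:
            if nxt not in seen:
                seen.add(nxt); stack.append(nxt)
                found[namespace_of(nxt) or "UNKNOWN"].add(nxt)
    return {ns: sorted(v) for ns, v in found.items()}
```

Asking `related(APP)` answers the post's question for one platform (its CVEs, the CWEs behind them, and the CCE inherited through the OS it runs on), while `dangling_references()` reports the one link that points outside the declared namespaces.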
Our industry requires this to move to the next level of evolution. The value is not in the object; it is in the stable relationships that object has with other objects. Who's with me? Let's get started!
--tk
Comments (1)
TK,
I join my colleague Dave as a TK fanboy.
We do have at least one more C*E in the works at this time, the follow-up to CIEL for those who watch us closely.
In conjunction with some of our more forward-thinking partners in government, MITRE's been developing a more systematic approach to enterprise security as seen through the C*E lens, which we've currently labeled with a "Making Security Measurable" motto. Our web site (http://makingsecuritymeasurable.mitre.org/) is beginning to identify the relationships between the MITRE-led efforts as well as related efforts in industry. We're still evolving the message and goals of this "big picture." We would welcome any thoughts on the topic.
Sorry for the late comments, but this is usually my way in the blogosphere ;-)
Posted by Steve Christey | March 23, 2007 11:46 PM