OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

cti message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [cti] Re: RFI CRE Common Remediation Enumeration


I can see where you headed.  I looked at NIST Asset Reporting Format (ARF) [NISTIR-7694 and NISTIR-7693] at one point as a representation for assets so that I could complete the linkage you mentioned below.

From: <cti@lists.oasis-open.org> on behalf of Jerome Athias <athiasjerome@gmail.com>
Date: Thursday, November 5, 2015 at 10:07 AM
To: Paul Patrick <ppatrick@isightpartners.com>
Cc: Patrick Maroney <Pmaroney@specere.org>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: [cti] Re: RFI CRE Common Remediation Enumeration

Right, I see CRE potentially useful as a middleware for a link to NIST SP 800-53 kind of things, for example in the COAs context

I see CCE leverageable via use of an OVAL like language for IT-Assets
And the CAPEC-CWE-CVE-CPE link

PS: sorry if out of scope

On Thursday, 5 November 2015, Paul Patrick <ppatrick@isightpartners.com> wrote:
I looked through the XML schema and its appears to be focused more on human-readable remediation descriptions than machine-based.

With regards to ‘@all’, I completely agree where possible.  Where not possible, we need to be trying to “embrace and extend” where possible so we can leverage the learning that has been done.  


— Paul Patrick


From: <cti@lists.oasis-open.org> on behalf of Patrick Maroney <Pmaroney@Specere.org>
Date: Thursday, November 5, 2015 at 9:22 AM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>, Jerome Athias <athiasjerome@gmail.com>
Subject: Re: [cti] RFI CRE Common Remediation Enumeration

Jerome,

As always, thanks for sharing timely references to "our thing".  We need to leverage these standards wherever possible/practical.

Question

"CRE enables automation and enhanced correlation of enterprise remediation activities."

I'm not seeing where CRE provides the machine readable specification (or reference to same) required to perform the very specific remediation action(s) to achieve, measure, or validate the remediation objectives/outcomes.

It would seem that the reference to the OVRL specification or some other reference that leads one to the specific OVRL  The only specific external reference I see is the CPE (Common Platform Enumeration)?  

...What am I missing?


@All:  (1) I like the Use Case formats of the NIST documents.  It would be great if we could adopt same or something similar to map to these existing body of work.  (2) Why reinvent taxonomies, descriptions, etc. where substantive instantiations of same (i.e., CCE, CVE, CPE)  already exist?

Patrick Maroney
President
Integrated Networking Technologies, Inc.
Desk: (856)983-0001
Cell: (609)841-5104
Email: pmaroney@specere.org

_____________________________
From: Jerome Athias <athiasjerome@gmail.com>
Sent: Thursday, November 5, 2015 8:15 AM
Subject: [cti] RFI CRE Common Remediation Enumeration
To: <cti@lists.oasis-open.org>


Hi

Any info regarding CRE?

Thank you




[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]