Consider how much we rely on standards in our daily lives. When you plug in a power cord in the U.S., for example, you can reliably count on the plug and socket to match, regardless of manufacturer, regardless of location. Towards this same end, MITRE is collaborating with industry and Government to develop common approaches that enable a collective response to ever-changing cyber threats.

At MITRE, our focus has been to develop and expand the use of common terminology and structures to allow for collaboration and communication across the cybersecurity community. These efforts include providing registries of baseline security data, establishing standardized languages as a means for accurately communicating cybersecurity information, defining proper usage of cybersecurity concepts, and helping support community approaches for commonly accepted cybersecurity processes.

One of our earliest attempts to systematically name security vulnerabilities was the Common Vulnerabilities and Exposures (CVE®) list, which enables correlation among security products, services, and organizations. CVE is recognized as the standard for naming vulnerabilities, and well over 100 products and services from more than 75 vendors have achieved CVE compatibility. Under DHS sponsorship and in collaboration with the CVE Editorial Board, MITRE works as the independent third party to advance CVE, maintain the CVE List, and ensure that CVE serves the public interest.

MITRE is also working on two new initiatives for sharing cyber threat information: the Trusted Automated eXchange of Indicator Information (TAXII™) and the Structured Threat Information eXpression (STIX™), sponsored by the Department of Homeland Security. TAXII defines a set of protocols for securely exchanging cyber threat information for the detection, prevention and mitigation of cyber threats in real time. STIX provides a common format for cyber threat information, including cyber observables, indicators of compromise, incidents, TTPs (techniques, tactics, and procedures), and campaigns. Together, TAXII and STIX will enable threat-sharing communities to exchange actionable, structured threat intelligence to promote collective defense.

We are continuing to collaborate in similar community efforts surrounding vulnerability management, software assurance, application security, asset management, enterprise reporting, malware protection, configuration management, event management, remediation, and threat information sharing. These efforts include:

Cybersecurity Registries

• Common Vulnerabilities and Exposures (CVE®) - common vulnerabilities identifiers
• Common Attack Pattern Enumeration and Classification (CAPEC™) - common attack patterns
• Common Weakness Enumeration (CWE™) - software weakness types

Cybersecurity Languages/Formats & Protocols

• Open Vulnerability and Assessment Language (OVAL®) - language for determining vulnerability and configuration issues
• Trusted Automated eXchange of Indicator Information (TAXII™) - protocols and formats for secure automated exchange of cyber threat information
• Structured Threat Information eXpression (STIX™) - language for representing structured threat information
• Cyber Observable Expression (CybOX™) - language for cyber observables
• Malware Attribute Enumeration and Characterization (MAEC™) - language for attribute-based malware characterization
• Common Event Expression (CEE™) - the way in which computer events are described, logged, and exchanged
• Common Weakness Scoring System (CWSS™) - scoring of weakness severity to help to determine urgency and priority
• Common Weakness Risk Analysis Framework (CWRAF™) - framework for applying CWSS customized to the specific needs of an organization's business or mission

Learn more by visiting MITRE's Making Security Measurable website.

Featured Items

• Dark Reading: "Attack Intelligence-Sharing Goes 'Wire-Speed'"
• National Institute of Standards and Technology Computer Security Resource Center Website
• Department of Homeland Security Build Security In Website
• Enabling Distributed Security in Cyberspace: Building a Healthy and Resilient Cyber Ecosystem with Automated Collective Action White Paper