The Linux Foundation Embraces CASE for Cybersecurity Forensics
The Linux Foundation announced today that the Cyber-Investigation Analysis Standard Expression (CASE) initiative has become a community project within its existing Cyber Domain Ontology (CDO) effort.
CASE is an ontology-based specification that makes it easier to aggregate data and analytics generated by a wide range of cybersecurity tools.
Eoghan Casey, presiding director of CASE, said the goal is to make it easier for organizations to correlate the data generated by a diverse range of security tools to reduce the time required to ascertain the root cause of a security breach.
The CASE project was initially launched in 2014 as a collaboration between the U.S. Department of Defense (DoD) Cyber Crime Center (DC3) and MITRE. The National Institute of Standards and Technology (NIST), an arm of the U.S. Department of Commerce, also contributes, along with the Netherlands Forensic Institute (NFI), the Italian Institute of Legal Informatics and Judicial Systems (IGSG-CNR), FireEye and the University of Lausanne.
CASE builds on the Unified Cyber Ontology (UCO) and draws on the Hansken trace model, which the NFI developed and implemented in alignment with UCO. Both CASE and UCO now express their constraints in SHACL (the W3C Shapes Constraint Language), so a CASE graph can be machine-validated before it is exchanged between tools. The contributors are also developing a representation for inferences, whether formulated by an analyst or generated by a tool, that binds each investigative conclusion to its supporting evidence and to a specific chain of custody.
The CASE community also maintains several collaborative repositories and tools, including translators for the output formats of common digital forensic tools and a mapping from CASE to PROV-O, the provenance ontology of the World Wide Web Consortium (W3C).
The Ontology Committee set up by the Linux Foundation, meanwhile, brings together developers from diverse backgrounds to share experience and battle-test ontologies.
Casey said the goal is to encourage cybersecurity vendors to embrace a common data specification that reduces the amount of time and effort required to conduct cybersecurity forensics both before and after a cybersecurity attack. The more analysis that can be applied to an IT environment, the more likely a cybersecurity attack can be thwarted, he noted.
The common data specification should also make it easier to eventually build artificial intelligence (AI) models that are trained using a pool of data collected from multiple cybersecurity tools and platforms, said Casey.
It’s not clear to what degree cybersecurity vendors will embrace CASE, but Casey noted that the underlying formats used to collect data do not provide those vendors with any form of differentiated value. It makes sense, he said, for vendors to collaborate on a specification that normalizes the data being collected rather than leaving every customer to do it themselves.
One way or another, the tolerance cybersecurity teams have for tools that don’t easily integrate with one another is dropping. At a time when cybersecurity attacks are simultaneously increasing in volume and sophistication, most organizations don’t want to spend time normalizing data. The expectation is that cybersecurity vendors will find a way to cooperate with one another for the greater good of the customers they serve. It may be a while before the bulk of cybersecurity vendors reach that conclusion, but the CASE specification is clearly a significant step in the right direction.