OASIS Mailing List Archives

cti-stix message


Subject: Re: [cti-stix] Targeting in STIX 2.0


If you think this would make things easier and simpler to understand and make the overall sizes smaller, then absolutely. Now that we are all getting real-world experience with massive amounts of STIX data, we should have these types of discussions. I know for us, we are only generating 200,000 STIX packages a day, with all of the CybOX and MAEC pieces and all of the related TTP stuff as best we can tie it all together, but each one of them is HUGE.


Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On Sep 21, 2015, at 10:57, Aharon Chernin <achernin@soltra.com> wrote:

Hate to change the subject. Also, I hate thinking about new high-level objects. Not every type of data should be high-level object worthy, or else we risk STIX 2.0 having 30 of them and becoming more complex.

I was looking at some proper STIX 1.0 last week. The documents were well formed, but at the same time they were MASSIVE and had tens of thousands of relationships. I wanted to provide some feedback to the author on how to reduce the complexity of the document while preserving the context that the document contained. That’s when it hit me. If targeting wasn’t included within the TTP object, the documents would have been dramatically smaller and easier to digest.

Keep in mind that if we found a good home for targeting, we could use targeting in other concepts (like fraud, for example).

Questions:
  1. Do you agree that we should have an open discussion regarding the removal of targeting from TTP in 2.x?
  2. If so, where would it go? A new top-level object *sigh*? Or maybe in another existing object?

-- 
Aharon Chernin
CTO
SOLTRA | An FS-ISAC & DTCC Company
18301 Bermuda green Dr
Tampa, fl 33647
813.470.2173 | achernin@soltra.com
