Re: [cti-stix] STIX timestamps and ISO 8601:2000

["Jason Keirstead" <Jason.Keirstead@ca.ibm.com>]

This sound a bit theoretical to me... but as you say, a few bits is relatively cheap so I will not debate

So, the proposal is that all timestamps should be RFC3339 with nanosecond precision, in GMT. Does anyone have an argument against this?


-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown


Trey Darley ---11/23/2015 10:19:00 AM---On 23.11.2015 09:24:18, Jason Keirstead wrote: >

From: Trey Darley <trey@soltra.com>
To: Jason Keirstead/CanEast/IBM@IBMCA
Cc: "Barnum, Sean D." <sbarnum@mitre.org>, Patrick Maroney <Pmaroney@Specere.org>, Jerome Athias <athiasjerome@gmail.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, "Wunder, John A." <jwunder@mitre.org>
Date: 11/23/2015 10:19 AM
Subject: Re: [cti-stix] STIX timestamps and ISO 8601:2000
Sent by: <cti-stix@lists.oasis-open.org>

---

On 23.11.2015 09:24:18, Jason Keirstead wrote:
> 
> * I would like to see this declared though - what is the actual (not
> theoretical) use case for nanosecond accuracy of an observation or a
> production?
> 

Hey, Jason -

One might envisage the need to characterize a malware dropper behavior
with nanosecond precision. (If not today, then it's completely
feasible in future.) Given how cheap the extra bits are, I'm in favor
of standardizing on this level of precision as a sort of
future-proofing. 

-- 
Cheers,
Trey
--
Trey Darley
Senior Security Engineer
4DAA 0A88 34BC 27C9 FD2B  A97E D3C6 5C74 0FB7 E430
Soltra | An FS-ISAC & DTCC Company
www.soltra.com
--
"For all resources, whatever it is, you need more." --RFC 1925
[attachment "signature.asc" deleted by Jason Keirstead/CanEast/IBM]