Subject: Re: [cti-stix] Re: [sacm] Mind Mapping


Hi all - after getting the OK, I have created a high level overview of our own internal data model (extracted from a relational database then edited) of assets and vulnerability instances based on how it is modeled in our own software. I do this not to prescribe - but to attempt to inform the conversation - as to some of the things that may need to be considered when modeling IT assets.

Some caveats:

- I have purposefully deleted many other references to object types (mostly surrounding vulnerabilities and scanning) that I don't think are relevant to the STIX conversation at this point

- The "xref" intermediary objects obviously would not exist in STIX, as they aren't required in a true graph model. However they make the model easier to understand so I left them in there.

- There are obviously many more things to be considered than exist here, as the below is currently IPv4/IPv6 centric (not yet taking into account mobile as an example).

Explained in prose:

- An IT asset may have affiliated with it one or more product variants. A product variant is a specific instance of a product, which may be either an operating system instance or an application instance or a firmware instance.
- Those product variants may have one or more vulnerabilities affiliated with them.
- The asset also has a series of hardware interfaces, each of which has a series of one or more IP addresses (this is where the model needs to extend to include other Layer 3 protocols beyond IP).
- The address and interface combination may be affiliated with product variant instances via open TCP or UDP ports, each of which may or may not have affiliated vulnerabilities exposed on those specific instances of the ports.
- The asset may also have a series of affiliated users, which may have one or more account aliases. ** At this point, all of User Identity modeling may come into play.
- The asset may also be present in one or more logical asset groupings (i.e. NetBIOS group, LDAP group, etc).





-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown
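The asset model the message above describes, as an added example in Python (not code from the original post or from the software it refers to); the class and field names are assumptions, and the VULN-EX-* ids are placeholders. It walks asset -> interface -> address -> open port to separate network-exposed vulnerabilities from ones present only on a product variant, and rejects an "xref" that points at a variant or vulnerability the asset does not have.

```python
from dataclasses import dataclass, field
# Constructed sketch of the asset model described above; names are assumptions,
# and the VULN-EX-* ids in the sample are placeholders, not real identifiers.

@dataclass
class ProductVariant:
    name: str
    kind: str                                  # "os", "application" or "firmware"
    vulns: set = field(default_factory=set)    # vuln ids affiliated with this variant

@dataclass
class OpenPort:
    proto: str                                 # "tcp" or "udp"
    number: int
    variant: ProductVariant                    # the product instance listening here
    exposed: set = field(default_factory=set)  # subset of variant.vulns reachable via this port

@dataclass
class Interface:
    name: str
    addresses: list                            # IPv4/IPv6 strings (the model's current limit)
    ports: dict = field(default_factory=dict)  # address -> [OpenPort]

@dataclass
class Asset:
    asset_id: str
    variants: list = field(default_factory=list)
    interfaces: list = field(default_factory=list)
    users: dict = field(default_factory=dict)  # user -> set of account aliases
    groups: set = field(default_factory=set)   # logical groupings (NetBIOS, LDAP, ...)

def network_exposure(asset):
    """Return ({(address, proto, port): exposed vuln ids}, vuln ids on the asset but not exposed)."""
    reachable, exposed = {}, set()
    for iface in asset.interfaces:
        for addr, ports in iface.ports.items():
            for p in ports:
                # the port xref must name one of this asset's variants and only its vulns
                if p.variant not in asset.variants or not p.exposed <= p.variant.vulns:
                    raise ValueError(f"broken xref at {addr}:{p.number}/{p.proto}")
                reachable[(addr, p.proto, p.number)] = set(p.exposed)
                exposed |= p.exposed
    all_vulns = set().union(*(v.vulns for v in asset.variants))
    return reachable, all_vulns - exposed

def sample_asset():
    os_ = ProductVariant("ExampleOS 1.0", "os", {"VULN-EX-1"})
    web = ProductVariant("ExampleHTTPd 2.3", "application", {"VULN-EX-2", "VULN-EX-3"})
    eth0 = Interface("eth0", ["192.0.2.10"], {"192.0.2.10": [OpenPort("tcp", 80, web, {"VULN-EX-2"})]})
    return Asset("asset-001", [os_, web], [eth0], {"alice": {"alice", "a.smith"}}, {"WORKGROUP"})
```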

From: Jason Keirstead/CanEast/IBM@IBMCA
To: Jerome Athias <athiasjerome@gmail.com>
Cc: Tony Rutkowski <tony@yaanatech.com>, cti-stix@lists.oasis-open.org, "sacm@ietf.org" <sacm@ietf.org>
Date: 07/12/2016 01:07 PM
Subject: Re: [cti-stix] Re: [sacm] Mind Mapping
Sent by: <cti-stix@lists.oasis-open.org>





I still feel quite strongly that any model which derives Threat Actors from Assets is going to lose most everyone. It is simply not how the CTI space conceptualizes an Asset.

As to the remainder of the model - our own normalized Asset model that contains most of the objects being discussed, has over 55 entities in it, so there is much more complexity here.

I am not sure I can actually share a diagram of our data model at a high level... I will look into this.

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown


From: Jerome Athias <athiasjerome@gmail.com>
To: Tony Rutkowski <tony@yaanatech.com>
Cc: cti-stix@lists.oasis-open.org, "sacm@ietf.org" <sacm@ietf.org>
Date: 07/12/2016 12:21 PM
Subject: [cti-stix] Re: [sacm] Mind Mapping
Sent by: <cti-stix@lists.oasis-open.org>




I get your point on NFV. Yes and No.
The tool used for this map (FreeMind), from what I currently know of
it, doesn't allow recursive arrows/relationships. (a lot are missing,
but meantime would make the map messy)
I would envision that Service/API under "Automaton/Service" would
basically 'do the job'. (you could also move
"physical/logical/virtual" to "Automaton/System/Service"...)

Feel free to produce your own abstracted mind map of the cyberspace...
(and listen to Three Little Birds :p)

PS: Ref. the "synthetic-id" concept, if my memory is ok, comes from
Asset Identification
https://scap.nist.gov/specifications/ai/
NB: Sean Barnum 'documented' a similar concept, called "identifiers
construct" (see i.e.
https://stixproject.github.io/getting-started/whitepaper/ ) (what was
lost in github issues...)



2016-07-12 17:13 GMT+03:00 Tony Rutkowski <tony@yaanatech.com>:
> In a rapidly emerging NFV world with
> service function chaining and network
> slicing, much of this mind map changes,
> no?
>
> Arguably, one of SACM's major deficiencies
> is its being grounded in a legacy world that
> is fast disappearing.
>
> --tony
>
>
> On 2016-07-12 3:44 AM, Jerome Athias wrote:
>
> Hi,
>
> Sometimes I let my mind doing stuff while listening the Ravel Bolero...
>
> @CTI: Attached is a (not-perfect) high-level asset-centric mind map
>
> @SACM: A Software is an Asset, so here identified by a synthetic-id.
> Also a Software is composed of software components...
>
> Best regards
>
> Refs:
>
> http://www.frhack.org/research/xorcism.php
>
> https://en.wikipedia.org/wiki/Bol%C3%A9ro
>
>
>
>
>
> --
>
> ________________________________
>
> Anthony Michael Rutkowski
>
> EVP, Industry Standards & Regulatory Affairs
>
> tony@yaanatech.com
>
> +1 703 999 8270
>
> ________________________________
>
> Yaana Technologies LLC
>
> 542 Gibraltar Drive
>
> Milpitas CA 95035 USA
