Yes, we should figure out what we are going to do here ASAP. If we decide to pull fields out of SDOs then I would suggest that we do another Committee Specification Draft (CSD). Maybe we can add in a few other things that are also nearly done.
Keep in mind, we can do as many CSDs as we want before we go to public review and a Committee Specification (CS).
Thanks,
Bret Bret Jordan CISSPDirector of Security Architecture and Standards | Office of the CTO Symantec PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
If define the Location object now and make it bare bones it allows us to extend as desired to encompass other aspects of location as we sort out the best approach.
I definitely support doing it now, vs delaying and having a bunch of deprecated properties like Country etc. on various STIX objects.
- Jason Keirstead STSM, Product Architect, Security Intelligence, IBM Security Systems www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
<graycol.gif>Allan Thomson ---09/14/2016 08:56:30 PM---The intent will be to allow both civic and gps as options. Depending on the creator of the intel dep
From: Allan Thomson <athomson@lookingglasscyber.com> To: Eric Burger <Eric.Burger@georgetown.edu>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> Date: 09/14/2016 08:56 PM Subject: Re: [cti-stix] F2F Topic - Location Object. Sent by: <cti-stix@lists.oasis-open.org>
The intent will be to allow both civic and gps as options. Depending on the creator of the intel depends what they are capable and willing to provide for location. Some may be willing to provide just a country, just a country and region, a city+state+country, a building address+city+state+country, an internal location within a building+building address+city+state+country…..etc. STIX will provide a mechanism to convey location. That’s all. I wouldn’t recommend any normative statements on location granularity or accuracy. That is a both a product and business issue that is best left to customers/orgs using the standard. Allan From: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, Eric Burger <ewb25@georgetown.edu> on behalf of Eric Burger <Eric.Burger@georgetown.edu> Date: Wednesday, September 14, 2016 at 2:39 PM To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> Subject: Re: [cti-stix] F2F Topic - Location Object. Kind of a can of worms. I fully support the idea of using a location element. The thing that can become a rathole is how to identify a location. Is it civil location? If so, what country is Taipei in? Is it GPS coordinates? If so, how do you denote “somewhere in the Czech Republic”? Is it what3words? If so, is there IPR around it? I’ve run into this conundrum in a different context, merging databases that talk about things that happen at locations with databases that talk about crimes that happen in buildings with databases that talk about people near cell towers. The three have different codings for location, and joining them is a hard problem. Much easier to get everyone to agree in a single representation and translate out from there. On Sep 14, 2016, at 5:01 PM, Jordan, Bret <bret.jordan@bluecoat.com> wrote: I think we need a starting point... I have not spend a lot of time yet thinking through this, so I am not the best one to seed the discussion. My topics I am working on are Malware, Infrastructure, and Incident and how they use Observed Data. Thanks, Bret Bret Jordan CISSP Director of Security Architecture and Standards | Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." On Sep 14, 2016, at 14:58, Allan Thomson <athomson@lookingglasscyber.com> wrote: Bret – were you looking for a text proposal to be submitted? I was one of the proponents (not the only one) so happy to work together with any other interested parties on a submission for it. allan From: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> on behalf of "Jordan, Bret" <bret.jordan@bluecoat.com> Date: Wednesday, September 14, 2016 at 1:49 PM To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> Subject: [cti-stix] F2F Topic - Location Object. Another topic that was brought up at the F2F was instead of having Country and Region and what not located on some of the Objects, maybe there should be a "Location" object. The rational, from what I heard, was this would allow you to easily see and pivot in a graph UI all of the objects connected to a certain country or region. It would also get us out of duplicating some of that content on multiple objects. Not sure how this would fit in with Identity though. While this would not really be a breaking change, it would result in the immediate depreciation of some properties (assuming we moved the current CSD to a CS). As such, it might be good to have that discussion now and if needed, we can release another CSD as 2.0-rc3 before we go to public review and a CS.. As I was not one of the ones pushing for this, I will turn the floor over to those that wanted it. Thanks, Bret Bret Jordan CISSP Director of Security Architecture and Standards | Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
|