We are in complete alignment here...
Thanks,
Bret Bret Jordan CISSPDirector of Security Architecture and Standards | Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
I wholeheartedly endorse the notion of making a major change now. I have been advocating that position at maximum volume almost as long as I've been involved in the CTI community
1) We've been debating things like alternative serialization methods and message queuing systems for long enough. We as a community need to take some decisions. One approach would be to say, "Okay, here are the top three serialization methods. Let's form a CTI task force, give them clear evaluation criteria, say, 'Go play with these things for two months, then come back with the pro/cons and a recommendation.'" Same deal for queuing systems.
2) While we're busy constructing a magical CTI tomorrowland, we also have to take into consideration how we're going to achieve a bridge from here to there. If we're going to change the standards to such an extent that the existing MITRE libraries have to be wholesale rewritten, until that _somehow_ happens, the uptake of the new formats will be _severely_ impacted.
Cheers, Trey -- Trey Darley
Senior Security Engineer Soltra | An FS-ISAC & DTCC Company
We need to take in to account the law of the diffusion of innovation and realize that now is the best time to make a major change that will have long term value and benefit. The overall impact right now will be minimal due to the fact that while we have several early adopters, the overall market penetration is still very low.
For us to claim success we need to get north of 18-20% market penetration and I believe we can do it, but to do so we need to identify the stumbling blocks that are preventing deeper market penetration and then have the courage to address and fix them.
Remember my now go to statement, Complexity is easy to build, simplicity is not.
Thanks,
Bret Bret Jordan CISSPDirector of Security Architecture and Standards | Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
Trey,
Note - This is in regards to the work done on the next 'major' version releases of STIX/TAXII/CybOX, and does not apply to the 'phase 1' projects currently underway.
As with everything, there are negatives and benefits of any approaches we choose. It is imperative that vendor impact is taken into account, just as it is imperative that we review what the end customers of these systems need, so that the standards can provide the value that the customers are seeking. We must do everything to continue the value that STIX/TAXII/CybOX are offering right now. We must ensure that the multitude of users, each with their own valid use cases, are encouraged to provide their inputs into the development process so that the result accurately reflects the needs of the entire community.
But... we also need to take a long hard look at the bits of STIX/TAXII/CybOX that don't work well and improve them. We cannot stand back and leave things the same when we can see parts that don't work as well as they should. Changes should only be made if there is sufficient justification for doing them. And it is up to the Sub-Committee, Technical committees and ultimately the OASIS body as a whole to determine if that justification is valid.
I personally feel that major versions (and the ability to have breaking changes) come along so infrequently that we need to look at all parts of the CTI standards to see where we can do things better. We need to look at everything from better transport mechanisms through to additional fields and even potentially addition STIX objects to be able to describe security situations more accurately. We need to optimise and to investigate use cases and review implementers feedback and to devise enhancements that provide extra value that we haven't even thought of up until now.
Yes, there will be impact on implementers. This was always going to be the case with a standard so new. But if we as a community can make sure that the impact can be minimised, is justified and the benefits outweigh the negatives, then everyone wins.
|