Subject: Re: [cti] Re: [EXT] Re: [cti] type changing from "object" to "array" for cyber observable objects
The facts are not as one-sided as proponents of “we got the design wrong” might indicate. Observables are a Top Level Object in STIX 1.x, so we have plenty of experience with that design choice. That choice has drawbacks, which I will elaborate on.

In practice, observables as a Top Level Object reduce information density significantly. STIX 1.x Indicators usually have 1-4 observables associated with them. (Don’t forget that STIX 1.x uses observables to represent logical operators (AND, OR); so the statement “IP1 or IP2” uses three observables to express.) From the threat intelligence Soltra sees (and we have processed objects in the tens of millions), observables as a Top Level Object reduce information density by 50% in the best case, and 80% in the “worst common case”. Products using the graph model spend 50%-80% more time evaluating database queries, can fit 50%-80% less information on screen, etc., unless they take liberties with the “standard” data model.

The aforementioned drawbacks have caused Soltra to internally consider a departure from the “standard” data model, an option that’s still on the table for us. Anyone else processing STIX at any scale will also have noticed these effects, and will likely have had similar discussions.
In short, while there are pros and cons to both approaches (TLO or not), I think we made the pragmatic and correct choice for STIX 2.0 and do not have a desire to revisit the discussion. Thank you.

-Mark

From: <cti@lists.oasis-open.org> on behalf of Allan Thomson <athomson@lookingglasscyber.com>

STIX2.0 is a significant step in the right direction over STIX1.x. Is it perfect? No. Is it usable for some key use cases and exchange of threat intelligence, now? Absolutely yes.

Today a large part of intelligence sharing using STIX1.x (unfortunately) has focused on indicator sharing, and if we had the majority of the industry adopt STIX2.0 and TAXII2.0 solely on doing that problem better we would have made a good step forward. I suggest we keep working hard on making sure STIX/TAXII2.0 is adopted by organizations and get real products exchanging the content we already have defined in STIX2 in an interoperable manner. Improvements coming in STIX2.1+ only help this, but we should not block or hold up the good progress we have in STIX2.0 and Interoperability over STIX1.x.

Looking forward to catching up at the F2F.

regards
allan

From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Struse, Richard J. <rjs@mitre.org>

+1 We need to focus on delivering so that people can implement what we've defined and we can learn from real-world experience.
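Mark's message at the top of this thread makes a concrete data-model point: in STIX 1.x a logical condition such as “IP1 or IP2” needs three standalone observable objects (two leaves plus a composition carrying the OR), whereas STIX 2.0 carries the same condition inside a single Indicator's pattern string. The script below is an added illustration, not code from the thread or from any STIX library. The dict layout is a constructed stand-in for a CybOX ObservableComposition (it is not real CybOX XML), the `PROPERTY_PATH` table covers only the two STIX 2.0 object types the sample uses, and the object counts it reports are for the constructed sample, not Soltra's measured figures.

```python
"""Compare the object count of a STIX 1.x-style observable composition
with the single STIX 2.0 pattern that expresses the same condition.
The tree layout used here is a constructed stand-in for CybOX
ObservableComposition (assumption), not the real CybOX serialization."""
from __future__ import annotations

from typing import Any, Dict, List


def observable(obj_type: str, value: str) -> Dict[str, Any]:
    """One STIX 1.x-style Observable wrapping a single object (constructed)."""
    return {"kind": "observable", "object_type": obj_type, "value": value}


def composition(operator: str, *children: Dict[str, Any]) -> Dict[str, Any]:
    """One STIX 1.x-style composition node carrying an AND/OR operator."""
    if operator not in ("AND", "OR"):
        raise ValueError(f"unsupported operator: {operator}")
    if len(children) < 2:
        raise ValueError("a composition needs at least two children")
    return {"kind": "composition", "operator": operator, "children": list(children)}


def count_observables(node: Dict[str, Any]) -> int:
    """Standalone observable objects the STIX 1.x form needs: every leaf is
    one Observable and every composition node is one more."""
    if node["kind"] == "observable":
        return 1
    return 1 + sum(count_observables(c) for c in node["children"])


# STIX 2.0 comparison paths for the sample object types (only the two the
# sample needs; extend as required).
PROPERTY_PATH = {
    "ipv4-addr": "ipv4-addr:value",
    "domain-name": "domain-name:value",
}


def _literal(value: str) -> str:
    # STIX 2 string literals are single-quoted; escape backslash and quote
    # so an attacker-controlled value cannot break out of the literal.
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def _expr(node: Dict[str, Any]) -> str:
    if node["kind"] == "observable":
        return f"{PROPERTY_PATH[node['object_type']]} = {_literal(node['value'])}"
    inner = f" {node['operator']} ".join(_expr(c) for c in node["children"])
    return f"({inner})"  # parenthesize so nested AND/OR keep their grouping


def to_stix2_pattern(node: Dict[str, Any]) -> str:
    """Collapse the whole tree into one STIX 2.0 observation expression."""
    expr = _expr(node)
    if node["kind"] == "composition":
        expr = expr[1:-1]  # the outermost parentheses are redundant inside [...]
    return f"[{expr}]"


def object_counts(trees: List[Dict[str, Any]]) -> Dict[str, int]:
    """Objects needed to carry len(trees) indicators under each model:
    STIX 1.x = one Indicator per tree plus every observable it references;
    STIX 2.0 = one Indicator per tree, the pattern being a property."""
    stix1 = len(trees) + sum(count_observables(t) for t in trees)
    return {"stix1_objects": stix1, "stix2_objects": len(trees)}


if __name__ == "__main__":
    # Constructed sample: the "IP1 or IP2" case from the message.
    ip1_or_ip2 = composition(
        "OR",
        observable("ipv4-addr", "10.0.0.1"),
        observable("ipv4-addr", "10.0.0.2"),
    )
    print(count_observables(ip1_or_ip2))  # 3 observables in the STIX 1.x form
    print(to_stix2_pattern(ip1_or_ip2))
    print(object_counts([ip1_or_ip2]))
```

Running the block prints the three-object count for the OR case, the equivalent single-line STIX 2.0 pattern, and the per-model object totals; nested compositions (an AND inside an OR) are flattened with explicit parentheses so the grouping survives the conversion.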
From: Sarah Kelley <Sarah.Kelley@cisecurity.org>
Date: Thursday, Oct 05, 2017, 1:51 AM
To: Wunder, John A. <jwunder@mitre.org>, Trey Darley <trey@newcontext.com>, Bret Jordan <Bret_Jordan@symantec.com>
Cc: cti@lists.oasis-open.org <cti@lists.oasis-open.org>
Subject: Re: [cti] Re: [EXT] Re: [cti] type changing from "object" to "array" for cyber observable objects

I agree with John and Trey. The STIX 2.0 spec is done and people are already working on building tools for it. It would be extremely counterproductive to make backwards breaking changes, especially of this magnitude, at this point. We need to give people the chance to work with what we’ve done and see how well it flies.
Sarah Kelley
Senior Cyber Threat Analyst
Multi-State Information Sharing and Analysis Center (MS-ISAC)
31 Tech Valley Drive
East Greenbush, NY 12061
518-266-3493
24x7 Security Operations Center
SOC@cisecurity.org - 1-866-787-4722

From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of "Wunder, John A." <jwunder@mitre.org>