

Subject: Re: [cti] CTI interest in NIEM?


Great question! It's almost as hard to explain NIEM to CTI as it is to explain CTI to NIEM 😊.

 

Overall info on OASIS NIEMOpen project is at https://niemopen.org. The overall GitHub page is https://github.com/niemopen which has a readme with links

 

The project has a PGB (https://lists.oasis-open-projects.org/g/niemopen-pgb) of the sponsors (see https://niemopen.org/ and scroll down to premier and general sponsors - Jeff, in your case you might note DoD Joint Staff is on PGB), but work is done in 3 Technical Steering Committees which are open to all:

 

 

-- 

Duncan Sparrell

sFractal Consulting

iPhone, iTypo, iApologize

I welcome VSRE emails. Learn more at http://vsre.info/

 

 

 

From: MATES, JEFFREY F CIV USAF AFOSI AFOSI/DC3/XT <jeffrey.mates@us.af.mil>
Date: Tuesday, August 22, 2023 at 1:15 PM
To: duncan sfractal.com <duncan@sfractal.com>
Subject: RE: [cti] CTI interest in NIEM?

Stupid question, but where can I get the information about the NIEM Zoom meetings?

 

//SIGNED//

 

Jeffrey Mates, Civ DC3/TSD

Computer Scientist

Technical Solutions Development

jeffrey.mates@us.af.mil

 

From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> On Behalf Of duncan sfractal.com
Sent: Tuesday, August 22, 2023 12:19 PM
To: Jason Keirstead <jason.keirstead@cyware.com>; Vasileios Mavroeidis <vasileim@ifi.uio.no>; MATES, JEFFREY F CIV USAF AFOSI AFOSI/DC3/XT <jeffrey.mates@us.af.mil>
Cc: 'Jim Cabral' <Jim.Cabral@infotrack.com>; 'cti@lists.oasis-open.org' <cti@lists.oasis-open.org>
Subject: [Non-DoD Source] Re: [cti] CTI interest in NIEM?

 

To Jason's comment "if the goal would be to adopt NIEM inside STIX itself" - I don't think anyone is proposing that (caveat below). NIEM is the standard the USG, its allies, state/local/tribal/territorial govs use for interacting within themselves, between each other, and with industry. Objective is to get NIEM to take advantage of STIX.

 

NIEM is actually enshrined in a couple of US laws for US federal agencies to use it. It's been going on for 20 years as a USG effort and recently (~1 year ago) moved into open standards development. In many domains, it's active and in use. Cyber, for whatever reasons, doesn't have many people working on it. Since it has been around awhile, it is technologically dated IMHO. For example, it is XML based, and is in process of allowing JSON but still with XML as base (ie you specify in XML and convert to JSON-LD). It's not that people don't want to move forward - but someone has to do the work.

 

My only caveat on Jason's comment would be if NIEM were to choose to use terms/semantics etc that were not the same as STIX, then it could cause interworking issues - particularly IMHO wrt legal/court/law-enforcement. So my hope is we can keep them in sync - but it takes effort and someone has to do it.

 

Thank you to those offering to help out. I hope to see you on future NIEM zooms.

 

-- 

Duncan Sparrell

sFractal Consulting

iPhone, iTypo, iApologize

I welcome VSRE emails. Learn more at http://vsre.info/

 

 

 

From: Jason Keirstead <jason.keirstead@cyware.com>
Date: Tuesday, August 22, 2023 at 8:51 AM
To: Vasileios Mavroeidis <vasileim@ifi.uio.no>, MATES, JEFFREY F CIV USAF AFOSI AFOSI/DC3/XT <jeffrey.mates@us.af.mil>
Cc: 'Jim Cabral' <Jim.Cabral@infotrack.com>, duncan sfractal.com <duncan@sfractal.com>, 'cti@lists.oasis-open.org' <cti@lists.oasis-open.org>
Subject: Re: [cti] CTI interest in NIEM?

I think the question is going to be around the goal of the effort. If the effort surrounds a mapping or ontological exercise to/from NIEM, I am sure no one in the TC would be against that work product, it could be a great resource if someone wanted to take on that work, they can fill their boots. However, if the goal would be to adopt NIEM inside STIX itself, I think that would be a very, very long hill to climb and you will encounter a lot of resistance - it would be a lot of work and more importantly a huge industry disruption for questionable benefit to the end consumer.

 

-- 

Jason Keirstead 
Vice President of Collective Threat Defense
jason.keirstead@cyware.com



 

From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Vasileios Mavroeidis <vasileim@ifi.uio.no>
Date: Tuesday, August 22, 2023 at 2:56 AM
To: MATES, JEFFREY F CIV USAF AFOSI AFOSI/DC3/XT <jeffrey.mates@us.af.mil>
Cc: 'Jim Cabral' <Jim.Cabral@infotrack.com>, 'Duncan Sparrell' <duncan@sfractal.com>, 'cti@lists.oasis-open.org' <cti@lists.oasis-open.org>
Subject: RE: [cti] CTI interest in NIEM?

Hi,

 

+1 for outreach and assistance from my side. 

 

Most of the time, lack of awareness is the main issue. What can I do with your technology, and how it supports mine (use case driven)? Have we ever had the works presented to the TCs of interest? Possibly many members do not even know the existence of NIEM (and other relevant works).

 

Intersecting the two works is not something challenging. Yes, some objects are repetitive, but I don't see a significant issue. It's all about being willing to approve this recommendation and add it as best practice on the documentation/website for support.

 

The fairest point came from Keven. If ontologies were introduced, technologically speaking, integration would be almost seamless, with the need to add only some extra semantics for equivalences and reasoning. That's for powerful analytics/context; otherwise, traditional programmatic approaches can still work.

 

Best,

Vasileios Mavroeidis

 

On Aug 21, 2023 23:25, "MATES, JEFFREY F CIV USAF AFOSI AFOSI/DC3/XT" <jeffrey.mates@us.af.mil> wrote:

I'm very interested in providing outreach and assistance.  Reading through their Cyber Domain I think we could do a lot of good helping to normalize this across both standards, and it also might help flesh out some parts of the Incident that we missed.

Ultimately the final format doesn't matter, what matters is that the moving between these should be seamless and the lessons learned in a community can help others when confronted with similar problems.

 

//SIGNED//

 

Jeffrey Mates, Civ DC3/TSD

Computer Scientist

Technical Solutions Development

jeffrey.mates@us.af.mil

 

From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> On Behalf Of Jim Cabral
Sent: Sunday, August 20, 2023 10:59 PM
To: Duncan Sparrell <duncan@sfractal.com>; cti@lists.oasis-open.org
Subject: [URL Verdict: Neutral][Non-DoD Source] Re: [cti] CTI interest in NIEM?

 

Firstly, I am hopeful that Duncan and others can help discover and continue to evangelize opportunities for CTI and NIEM to collaborate.

 

That said, I join Duncan in my concerns that others in the CTI community have not yet embraced NIEM as a model for exchanging information between and among domains. As a long-term proponent of NIEM and related standards for cross-domain information sharing, we welcome feedback as to whether this gap is due to unfamiliarity with the NIEM or whether it is due to specific design choices we in the NIEM technical or business committees have made.

 

Regardless of whether the CTI community embraces NIEM as a standard for sharing information across domains, we request the CTI stakeholders provide feedback to NIEM regarding any gaps in our current approach.

 

Thank you,

 

__

Jim Cabral

502-640-4970

 


From: "duncan sfractal.com" <duncan@sfractal.com>
Sent: Sunday, August 20, 2023 3:54 PM
To: cti@lists.oasis-open.org
Subject: [cti] CTI interest in NIEM?

 

Is there interest in getting NIEM to adopt STIX terminology at a minimum and maybe STIX "in toto"?

 

Background:

NIEM is an OASIS Open Project (http://niem.github.io/) to standardize work the US Government has been doing for several decades (https://www.niem.gov/) for standardizing information exchange within and between federal agencies, State/Local/Tribal/Territorial governments, as well as with private industry. NIEM is quite prevalent in the courts, law enforcement, and legal profession, as well as in select industries (e.g. agriculture, emergency management, transportation, military, ...) where the USG had needs for standardizing information exchange. For example, when you get pulled over for a speeding ticket, it's NIEM standards that allow the local police to check what other tickets you got, whether your car was stolen, whether you are wanted for other crimes etc. And it's unfortunately also how the insurance company knows you got a ticket so they can hike your rates 😊.

 

For whatever reason, the "cyber domain" does not have much support (I believe I've been sole attendee with any interest). NIEM sort of acknowledges STIX1.2, as a way to exchange threat information. It will take text/PR's/editing/etc to actually have NIEM use the current version of STIX.

 

Personally I think this is important, especially as more and more cyber cases end up in court; as well as cyber becomes more important to more industries. However at NIEM meetings, I feel like that Greek guy forever pushing the boulder up hill.

 

Is anyone else interested in participating in NIEM cyber activities? Without more support, I'm thinking of dropping my participation in that effort.

 

-- 

Duncan Sparrell

sFractal Consulting

iPhone, iTypo, iApologize

I welcome VSRE emails. Learn more at http://vsre.info/

 

 

 


