The following are comments on the Oasis “Cyber Threat Intelligence (CTI) Technical Committee” draft charter from Cory Casanave of Model Driven Solutions.
Basis of interest: Model Driven Solutions is a submitter to the OMG Operational Threat & Risk Model RFP (http://www.omg.org/cgi-bin/doc.cgi?sysa/2014-6-17), which is referenced in the draft CTI charter (https://lists.oasis-open.org/archives/members/201504/msg00006.html). There is substantial overlap, but some important differences, in the intent and substance of the OMG standards effort and that proposed by the Oasis CTI TC. These comments are intended to help both organizations develop standards that are in the best interests of the community of vendors, consumers and other stakeholders.
Of particular importance is making sure that cyber threats and risks are not made yet another “stovepipe”, as we are faced with a world where the boundaries between the physical and cyber world are porous and an estimated 80% of threats are blended between cyber and physical. Protecting our citizens, property and critical infrastructure requires that we can “connect the dots” between all hazards and all risks from threat actors, system failures and natural disasters. This federation of information must happen at “machine speed” to enable effective and responsive analytics and information sharing to prevent and mitigate the impacts of threats and risks.
The STIX/TAXII/Cybox schemas represent important work within the cyber community for cyber threats and risks. It is appropriate and necessary that the cyber community have detailed and specific exchange formats that are tuned to the needs of cyber professionals. The same is true of other domains and “verticals” such as law enforcement, critical infrastructure protection, terrorism, biological, nuclear, and responses to natural disasters. Yet these domains and the related organizations must work closely together, often in difficult and unexpected situations. To enable the focus needed for specific communities while preserving cross-community collaboration, information federation and information sharing, the OMG Threat & Risk model initiative is creating a standard UML conceptual model that federates the concepts from these multiple domains, based on existing work such as is found in STIX/TAXII/Cybox (as well as others). This UML model will then be mapped to the existing exchange formats, such as STIX (and others), to provide the basis for semantic and syntactic information federation, analytics and sharing. The OMG initiative is not defining any new data schema – we have enough. The RFP has been issued and initial submissions will be presented in May. The submission team is open (see http://www.threatrisk.org) and STIX community members have monitored our progress.
To relate the two efforts: the OMG effort is broader and shallower, whereas the CTI effort is deeper and narrower. Both efforts intend to provide UML models of the concepts (this fact is not explicit in the charter but has been made public on the STIX lists). The CTI effort is also specifying exchange data structures such as XML schema; the OMG effort is not defining any new schema but is mapping between schemas (standard, community or proprietary). However, schemas could be generated from the UML models. Since the OMG effort has STIX/TAXII/Cybox as a normative input and mapping, the proper representation of the broad threat/risk and general concepts within STIX/TAXII/Cybox is or will be defined in the OMG conceptual model. Approximately 75% of this model has a direct correlation to STIX/TAXII/Cybox, such that the STIX/TAXII/Cybox cyber-specific concepts could be considered an extension to the OMG conceptual model.

While STIX/TAXII/Cybox are clearly focused on cyber, a reading of the charter where the term “cyber” was removed would correspond almost directly to the intent of the OMG threat/risk effort. What this suggests is that much of what is needed is in fact cross-domain and not specific to cyber. If not specific to cyber, there is an almost complete overlap with the OMG effort. It would be confusing, a waste of effort and a disservice to both vendors and our defenders to come out with redundant standards covering almost the same space. As stewards of standards it is our responsibility to make sure such efforts are coordinated, complementary and properly scoped.
It is our position that these efforts must be complementary by charter and that the following be included in that charter:

· That the CTI effort will include a UML representation of cyber concepts (our understanding is that this is the current intent)
· That there will be an explicit mapping of this model to technology-specific schema, such as XML schema (our understanding is that this is the current intent)
· That the CTI UML representation be an extension of the OMG operational threat and risk model (this is an additional constraint)
· That the OMG effort must include a foundation appropriate for extension to the CTI model (a current requirement of the RFP)
Cross membership and cross participation will ensure both that these requirements are met and that both efforts meet their objectives. Based on the substantial time we have spent evaluating both models, such collaboration and integration is practical and would benefit both efforts.
Regards,
Cory Casanave
CEO, Model Driven Solutions
BoD, Object Management Group
Threat/Risk submitter
The above comments are from Cory Casanave representing Model Driven Solutions and do not necessarily represent the position of the other contributors and submitters to the OMG effort. Other stakeholders are encouraged to also submit comments to Oasis via carol.geyer@oasis-open.org.