cacao-comment message



Subject: Re: [cacao-comment] Request for Feedback


Christopher,

Thank you for your comments and questions. Welcome to the CACAO community. I also apologize for the delay in getting back to you. While CACAO is called out as being for security, it can easily be used for just about any type of playbook. I would love to talk with you more about your specific needs and desires for a parent playbook. I am curious to know what would be needed.

The reason for having an identifier for the playbooks is to help them be tracked and stored. Also, there is a great desire to be able to tie playbooks back to threat intelligence in a graph database. Most programming languages today have support for generating the IDs, so it should be pretty easy. But once again, I would love to hear your feedback.

There are several efforts under way to build out support for CACAO and build UIs for it. There is a whole initiative in Europe to use CACAO as the official solution for all member states.

I would love to hear more about your use cases and what you would like to do.

Bret


On Tue, Dec 20, 2022 at 5:48 PM Christopher Halbert <christopher.halbert@gmail.com> wrote:
Hello!

This is my first inquiry with the CACAO TC so I'd like to quickly introduce myself for context. I'm a Staff Engineer for a security company and I'm working on standardizing my team's incident playbooks with regard to general site reliability, which led me to CACAO. Also, this is my first comment on an OASIS forum, so please bear with my verbosity :)

As I mentioned, I'm viewing an incident through the lens of the ITIL where "an incident is an unplanned interruption to a service, or reduction in the quality of service," opposed to an actual security incident, however the CACAO specification still offers value for my internal needs. With that, I was curious if there had been consideration given to abstracting out a general CACAO playbook specification (not security focused)? A more general schema may exclude "target" and the "workflow: attack" for instance. I know these aren't required, but by creating a parent playbook spec, this could expand application to a broad group, encouraging adoption and contribution long term.

Another item of interest for me is the Identifier specification. I understand the benefit and need for the Identifier, but it does add overhead for manual adoption since a simple template will necessitate a shell command to generate another uuid. This makes sense for a large shareable library spanning organizations, but it could add a hurdle for those considering adoption. With limited adoption, who will open source the GUI to support the data model?

This leads to my last question. Are there any efforts to develop a UI to visualize CACAO or manage CACAO data models? I understand this is likely outside the scope, but I imagine other members may have similar interests. My recent engineering track has been mostly backend/arch focused, but I would be willing to brush up and contribute if there's a group forming.

Thank you again for all of your support and contributions. Kind regards,

Chris Halbert
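A small illustration of the identifier point raised in both messages (added here; not code from the thread, the CACAO TC, or the OASIS archive): generating the `<type>--<UUIDv4>` identifiers a playbook template needs and checking that they are well formed and consistently referenced, which is the overhead the template author would otherwise cover with a shell command. The identifier shape and the minimal field names (`type`, `id`, `workflow_start`, `workflow`, `on_completion`) are assumed from the CACAO data model rather than taken from the thread.

```python
import re
import uuid
from datetime import datetime, timezone
from typing import Optional

# "<object-type>--<UUIDv4>" (shape assumed from the CACAO spec; not given in the thread)
_ID_RE = re.compile(r"^(?P<type>[a-z][a-z0-9-]*)--"
                    r"[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$")

def cacao_id(object_type: str) -> str:
    """Generate a fresh identifier for the given CACAO object type."""
    return f"{object_type}--{uuid.uuid4()}"

def is_valid_cacao_id(value: str, expected_type: Optional[str] = None) -> bool:
    """Check the "<type>--<UUIDv4>" shape; optionally require a specific type."""
    m = _ID_RE.match(value)
    return bool(m) and (expected_type is None or m.group("type") == expected_type)

def new_playbook_template(name: str) -> dict:
    """Minimal start -> end playbook skeleton with every identifier pre-generated.
    Field names are assumed from the CACAO data model, not taken from the thread."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    start_id, end_id = cacao_id("start"), cacao_id("end")
    return {
        "type": "playbook",
        "id": cacao_id("playbook"),
        "name": name,
        "created": now,
        "modified": now,
        "workflow_start": start_id,
        "workflow": {
            start_id: {"type": "start", "on_completion": end_id},
            end_id: {"type": "end"},
        },
    }

def id_problems(playbook: dict) -> list:
    """Report malformed step keys, key/type mismatches and dangling references."""
    wf = playbook.get("workflow", {})
    problems = []
    for key, step in wf.items():
        if not is_valid_cacao_id(key, step.get("type")):
            problems.append(f"bad step id {key!r}")
        nxt = step.get("on_completion")
        if nxt is not None and nxt not in wf:
            problems.append(f"{key} -> unknown step {nxt!r}")
    if playbook.get("workflow_start") not in wf:
        problems.append("workflow_start does not name a step")
    return problems
```

Running `id_problems` over a hand-edited template catches the typical copy-paste mistake of a step key whose prefix no longer matches its `type`, or a `workflow_start` that points at a step that was renamed.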

