Sent: Monday, October 14, 2019 2:58 PM
To: Allan Thomson <athomson@lookingglasscyber.com>; Allen Hadden <ahadden@us.ibm.com>
Cc: Bret Jordan <Bret_Jordan@symantec.com>; cacao@lists.oasis-open.org <cacao@lists.oasis-open.org>; Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Subject: [EXT] RE: [cacao] Agenda for next Tuesday's call
All,
I would like to add in some experimentation that JHU/APL has done with BPMN for Playbooks before we all dismiss the concept of using BPMN.
First â we determined that we only need a small subset of the BMPN symbols for the flow. Second, we worked with Demisto and Cybersponse tools to âtranslateâ the XML produced from BPMN to the SOAR Platform native language. For Cybersponse â that was JSON (they did the translation for us). For Demisto â we created the XML-YAML translation using Python. We found that â although there are numerous (40+) free BPMN tools available, we could use the python code to translate any of the BPMN XML outputs to YAML.
I have attached one of our BPMN (we called them workflows) playbooks and its XML output (these were demonstrated at one of our IACD ICs). To see the video of this go to: https://www.youtube.com/watch?v=sG1S3BIpqrM
Bottom-line â there needs to be some sort of tool that can be used to create the playbooks and output some machine readable code. We chose BPMN because itâs already a standard, most tools are free and many are pretty straight forward to use. Is it overkill? Maybe, BPMN is powerful but its far simpler than creating our own. The advantage to BPMN also includes having one tool that can be used to generate both the graphic representation for the developers/consumers to understand and machine readable code for SOAR Platforms to ingest. We have also taken a Cybersponse Playbook â converted it to BPMN XML, altered it in BPMN and then uploaded it to Demisto, successfully.
If you want more information and workflows (CACAO playbook) examples please see: https://www.iacdautomate.org/playbook-and-workflow-examples
Thanks, look forward to tomorrowâs call.
Karin W. Marr
â 240-228-7760 | 📱 240-381-4421
From: cacao@lists.oasis-open.org <cacao@lists.oasis-open.org>
On Behalf Of Allan Thomson
Sent: Monday, October 14, 2019 10:05 AM
To: Allen Hadden <ahadden@us.ibm.com>
Cc: Bret_Jordan@symantec.com; cacao@lists.oasis-open.org; Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Subject: Re: [cacao] Agenda for next Tuesday's call
Allen â I âthinkâ we (or at least you and I do) agree that BPMN is probably overkill for what we need.
To re-iterate my perspective, I think a subset of what BPMN does in JSON is sufficient for âmostâ requirements. Iâm not sure I agree the JSON translation that was pointed to is the best approach from my perspective. Taking something that was designed for XML and much broader uses is not necessarily the most effective way to design something.
My point was that the group should discuss the pros/cons in the upcoming meeting on approaches (not just BPMN) so that we can have consensus on an approach that works for all orgs participating.
Regards
Allan
From:
Allen Hadden <ahadden@us.ibm.com>
Date: Monday, October 14, 2019 at 5:08 AM
To: Allan Thomson <athomson@lookingglasscyber.com>
Cc: "Bret_Jordan@symantec.com" <Bret_Jordan@symantec.com>, "cacao@lists.oasis-open.org" <cacao@lists.oasis-open.org>,
Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Subject: RE: [cacao] Agenda for next Tuesday's call
Our product uses BPMN for playbooks today. I'd say that there's nothing that CACAO will want to do that cannot in some way be represented in BPMN. There is nothing (or at least very little) in BPMN that wouldn't be useful for CACAO. This shouldn't be surprising since BPMN is intended to express business processes and what we're talking about with playbooks are exactly that...business processes, but in the security domain.
The problem is that if you look at BPMN, a lot of what's there would just be considered "nice to have" from a CACAO perspective. Good example: swim lanes. Could you come up with a CACAO use case that could make use of swim lanes? Sure. Would they be required? Not really.
A lot of the advanced BPMN features are only useful when you start trying to express general organizational playbooks (e.g. CompanyX's Malware Process) instead of playbooks targeted at mitigating specific threats (e.g. Mitigate MalwareX).
Another problem is that full BPMN is so large that realistically the only way to develop a product with it is to integrate an existing BPMN product. Implementing your own would be a ton of work and adapting it to fit a less flexible model in an existing product would be tough. So on the one hand, it's great to be able to leverage an existing library. OTOH, is that a position we want to take as a spec?
One option worth of consideration is to take the JSON-translation that Jason K. linked and define the following:
1) a "whitelist" showing which elements are to be included (e.g. don't include "swim lanes" if we don't think they're important).
2) specific extensions to the model (BPMN supports extension elements and we'd very likely need some...for example, "service tasks" for OpenC2, Ansible, etc.)
3) object models on which the process will depend (e.g. it could be that a playbook works against a "threat", which would probably be a STIX model)
Probably there are other things we'd need besides those 3, but that should get the ball rolling if we decide to consider that path.
Allen
----- Original message -----
From: Allan Thomson <athomson@lookingglasscyber.com>
Sent by: <cacao@lists.oasis-open.org>
To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>, Bret Jordan <Bret_Jordan@symantec.com>
Cc: "cacao@lists.oasis-open.org" <cacao@lists.oasis-open.org>
Subject: [EXTERNAL] Re: [cacao] Agenda for next Tuesday's call
Date: Fri, Oct 11, 2019 7:56 PM
The intention is to take relevant lessons from BPMN.
We debate whether we want to have only a subset or the entire BPMN for this given that BPMN covers a much broader perspective/goal.
When we discussed this in the past the smaller group felt that we didnât need or want the burden of the entire BPMN. It comes with both complexity and a burden to support all of that when for cybersecurity operations a subset may be fine.
Allan
From: <cacao@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Friday, October 11, 2019 at 3:55 PM
To: Bret Jordan <Bret_Jordan@symantec.com>
Cc: "cacao@lists.oasis-open.org" <cacao@lists.oasis-open.org>
Subject: Re: [cacao] Agenda for next Tuesday's call
Isn't this BPMN in JSON? https://github.com/bpmn-io/bpmn-moddle/blob/master/resources/bpmn-io/json/bioc.json
-
Jason Keirstead
Chief Architect - IBM Security Threat Management
www.ibm.com/security
"Would you like me to give you a formula for success? It's quite simple, really. Double your rate of failure."
- Thomas J. Watson
From: Bret Jordan <Bret_Jordan@symantec.com>
To: "cacao@lists.oasis-open.org" <cacao@lists.oasis-open.org>
Date: 10/11/2019 05:03 PM
Subject: [EXTERNAL] [cacao] Agenda for next Tuesday's call
Sent by: <cacao@lists.oasis-open.org>
All,
On next week's working call we will be talking through the initial work that has been done on the specification document [1] and addressing next steps. Please review the document before the call and if possible, add your comments and suggestion. There are many parts that are still missing, we have just barely scratched the surface. Please feel free to make some contributions.
We have been looking at JSONLogic as an option for some of the control logic. But if someone has more familiarity with BPMN and could do a translation to JSON, that would also be a possible option for us.
Thanks
Bret and Allan
[1] - https://docs.google.com/document/d/1uQCWItomFvQ466MdGhx_0IHfJ4HOfboIRftmomVvrqY/edit#