We have talked about this a lot in the past, in regards to STIX, and I now view this as an implementation or process related issue. The reason for that is you can not guarantee that the other end of the link will honor your request. Maybe in "like" systems, meaning all systems built by EclecticIQ or Soltra, you would have some level of success.
But when you span across products there is no guarantee that they have implemented it in their code, nor that the administrator will allow it. Requests like that may go in to a bucket for human review.
Thanks,
Bret Bret Jordan CISSPDirector of Security Architecture and Standards | Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
Thanks for the context, Sarah - very helpful. To me, this comes down to being a language versus process question - that is, is Observable revocation something that should be addressed as part of the CybOX language, or should it be considered more as part of the processes in which CybOX is used? I’m leaning towards the latter, for the reason that the notion of revocation around Observables is something that doesn’t seem to fit as part of the data model around them. This is because, at their core, Observables represent some cyber “fact”, and what it does it mean to revoke a “fact”? At least with Indicators, you can argue that the Indicator may no longer be valid, or that its pattern is incorrect. With Observables, I think the semantics of revocation are not as clear and may not really make sense. At least in your case, it seems like we may need to consider defining some sort of garbage collection process, where Observables (and any other id-able CybOX/STIX entities) that were referenced and/or embedded in another entity and then no longer referenced be pruned from the datastore. Regards, Ivan On 11/10/15, 12:31 PM, " cti-cybox@lists.oasis-open.org on behalf of Sarah Kelley" < cti-cybox@lists.oasis-open.org on behalf of Sarah.Kelley@cisecurity.org> wrote: Just to give a little context around this question, this came up in a conversation between Ali (well, several Soltra people) and myself today.
In our instance of Soltra Edge, we have (on many occasions) had to ‘edit’ an observable. Currently this involves editing the indicator, deleting the link to the current Cybox observable, and creating a new observable. This leaves lots of orphaned observables in our database that we really need to have the ability to purge. The understanding we have is that currently Cybox doesn’t support any sort of revoke/purge like Stix does.
Sarah Kelley Senior CERT Analyst Center for Internet Security (CIS) Integrated Intelligence Center (IIC) Multi-State Information Sharing and Analysis Center (MS-ISAC) 1-866-787-4722 (7×24 SOC) Email: cert@cisecurity.org www.cisecurity.org Follow us @CISecurity
On 11/10/15, 11:06 AM, "cti-stix@lists.oasis-open.org on behalf of Kirillov, Ivan A." <cti-stix@lists.oasis-open.org on behalf of ikirillov@mitre.org> wrote:
Great question Ali; unfortunately I don’t have much insight into this topic. Moving this to the STIX list - I think revocation is more specific to STIX (though it clearly touches upon CybOX as well).
Regards, Ivan
On 11/10/15, 11:00 AM, "cti-cybox@lists.oasis-open.org on behalf of Jerome Athias" <cti-cybox@lists.oasis-open.org on behalf of athiasjerome@gmail.com> wrote:
Potential review of this https://stixproject.github.io/data-model/1.2/indicator/ValidTimeType/ Suggestions welcome
2015-11-10 18:48 GMT+03:00 Ali Khan <akhan@soltra.com>:
What is the cybox committees discussion so far for future versions to support ability to revoke and remove completely a cybox observable that was created and then shared but now there is a need to remove it.
Thank You
Ali Khan Lead Analyst
SOLTRA | An FS-ISAC & DTCC Company
Tampa, fl 33647
813.470.2197 | akhan@soltra.com
--------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
...
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.
. . .
--------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
|