The observation object would probably be removed from CybOX or refactored completely. The question is, should there be a line in the sand and where should that line be? Once we figure out where that line should be, then we can shuffle things around depending on where they should land.
Given where things are at now, I believe, has caused the vast majority of confusion. Lets clean that up, lets organize, lets build some basic process for how we get things done, and lets move forward.
Thanks,
Bret Bret Jordan CISSPDirector of Security Architecture and Standards | Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
I agree with this principal - the part I have a hard time wrapping my mind around therefore is the purpose of the "observation" object, other than as a generic container for CybOX... data which could just as easily be in a "pattern" property of any other already-existing object such as indicator or sighting.
If we look at the observation object in TWIGS:
https://docs.google.com/document/d/1P6k0uqbAYDRpYG5jjgYAKBDEc_iSG0-SGFaXgaPkqyg/edit
All it has is a pattern and a timestamp. What is the purpose of this object really? Why would I use this vs. a STIX sighting.
- Jason Keirstead STSM, Product Architect, Security Intelligence, IBM Security Systems www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
<graycol.gif>John-Mark Gurney ---04/04/2016 07:22:20 PM---Hello, As there has been discussions on Slack on what is covered by CybOX,
From: John-Mark Gurney <jmg@newcontext.com> To: "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org> Date: 04/04/2016 07:22 PM Subject: [cti-cybox] What exactly CybOX? Sent by: <cti-cybox@lists.oasis-open.org>
Hello,
As there has been discussions on Slack on what is covered by CybOX, we need to make sure we decide what is in scope and what is not.
IMO, a CybOX object/instance describe exactly one instances of WHAT happened. It does not contain other information about who, when, why or where.
There might be some disagreement on not including where, but I am defining where, as what company/organization observed/created the object. It could be said that where defines the IP/machine of where it happened, but I include that as part of the WHAT, and SHOULD be described as part of the CybOX object. The where does not describe whos machine it was that it happened on. (Though w/ the AS object, there may be some of the where included too.)
I have made some minor modifications to the Overview section. Part of the modification removes attack pattern characterization and sharing of indicators of compromise from the list, as both of these should be described in STIX or another standard that uses CybOX, as other users of CybOX may not have a need for these.
I am mostly happy w/ the text in the Overview section of the Cybox 3.0 Spec pre-draft document at: https://docs.google.com/document/d/1DdS-NrVTjGJ3wvCJ7dbSlhYeiaWS6G6dOXu2F3POpUs/edit#
But if there are things that would make this more clear, please ask, or best of all, suggest normative text.
-- John-Mark
--------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
|