
Subject: Re: Proposal - Top Level Sighting Object


Well said, and I agree. This also really gets to the heart of some of the problems with what an Indicator actually is versus what people think it is. I think when people are referring to an indicator, what they really mean is the CybOX Observable.

If we can get Sightings pulled out of the indicator and made into a small, light-weight object that can be sent by itself, then this could be really powerful. This, coupled with the relationship object, could enable a whole slew of new vendor products to emerge.


Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On Jul 27, 2015, at 05:35, Aharon Chernin <achernin@soltra.com> wrote:

Agree, I would like to see this in STIX 2.0.

It just doesn't make sense to have the sighting only available to us at the indicator level. Since when do you see someone else's assertion?

Example indicator: My brother is evil (<-- the assertion) because he keeps hitting me in the face (<-- the fact). Watch for people who hit siblings in the face.
* If a third party is watching for this, would they see evil or would they see face hitting? They would see face hitting (fact) and they could optionally make their own assertion of evilness (indicator).
** Maybe the brother is batting a wasp off the other person's face, who knows.

Indicator sightings also require us to issue a STIX major revision for an indicator, just to issue a sighting. As I have predicted before, in some cases sharing communities could be sharing millions of "sightings" indicators and only thousands of "real" indicators, which just seems odd to me.

By using a sightings object, we can quickly create a small reference to an object that has been sighted (most likely an observable). But, other objects could be referenced as well.

Aharon Chernin
CTO
SOLTRA | An FS-ISAC & DTCC Company
18301 Bermuda Green Dr
Tampa, FL 33647
813.470.2173 | achernin@soltra.com
www.soltra.com

________________________________________
From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Jordan, Bret <bret.jordan@bluecoat.com>
Sent: Friday, July 24, 2015 5:55 PM
To: cti-stix@lists.oasis-open.org
Subject: [cti-stix] Proposal - Top Level Sighting Object

Well, since this list is completely quiet, time to get back to work.

I would like to see a top-level Sighting Object that can be sent with only references to what it is sighting. This needs to be very light-weight.

Bret

Sent from my Commodore 64
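As an added example (not from this thread, and not code from the CTI TC): a reference-only sighting in the shape STIX 2.x later adopted for its Sighting object (type "sighting", sighting_of_ref, observed_data_refs, count, first_seen/last_seen), with a check that every reference resolves to the right kind of object and a tally of sightings per referenced object. The object ids and the store contents are constructed for illustration.

```python
from collections import Counter
import re

# Constructed sample store: the assertion (indicator) and the fact
# (observed-data) are separate objects; a sighting only points at them by id.
STORE = {
    "indicator--1b2c3d4e-0000-4000-8000-000000000001": {
        "type": "indicator", "name": "face hitting (constructed)"},
    "observed-data--1b2c3d4e-0000-4000-8000-000000000002": {
        "type": "observed-data"},
}
ID_RE = re.compile(r"^([a-z][a-z0-9-]*[a-z0-9])--[0-9a-f-]{36}$")

def make_sighting(sighting_of_ref, observed_data_refs=(), count=1,
                  first_seen=None, last_seen=None):
    """Reference-only sighting: no copy of the sighted object is embedded."""
    sighting = {"type": "sighting", "sighting_of_ref": sighting_of_ref,
                "observed_data_refs": list(observed_data_refs), "count": count}
    if first_seen is not None:
        sighting["first_seen"] = first_seen
    if last_seen is not None:
        sighting["last_seen"] = last_seen
    return sighting

def validate(sighting, store):
    """Return a list of problems; an empty list means the sighting is sound."""
    problems = []
    ref = sighting.get("sighting_of_ref", "")
    m = ID_RE.match(ref)
    if not m:
        problems.append(f"malformed sighting_of_ref: {ref!r}")
    elif m.group(1) in ("sighting", "relationship"):
        problems.append("sighting_of_ref must point at a domain object")
    elif ref not in store:
        problems.append(f"dangling sighting_of_ref: {ref}")
    for od in sighting.get("observed_data_refs", []):
        if store.get(od, {}).get("type") != "observed-data":
            problems.append(f"observed_data_refs entry is not observed-data: {od}")
    if not isinstance(sighting.get("count"), int) or sighting["count"] < 0:
        problems.append("count must be a non-negative integer")
    fs, ls = sighting.get("first_seen"), sighting.get("last_seen")
    if fs and ls and fs > ls:  # ISO-8601 UTC strings compare lexically
        problems.append("first_seen is after last_seen")
    return problems

def sightings_per_object(sightings):
    """Total sighting counts per referenced object (many sightings, few objects)."""
    totals = Counter()
    for s in sightings:
        totals[s["sighting_of_ref"]] += s.get("count", 1)
    return dict(totals)
```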