[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [cti-stix] STIX 2.0 - Sightings object
Bret, I almost always prefer atomic objects.
If we do both a relationship object and a Sightings atomic object together, it just seems... well weird.... (not very scientific I know)
Example Sightings Object - ID: Sighting GUID Marking: Sighting TLP Producer: Who made the sighting Timestamp: Target_ID: Replaced by Relationship Object
Now I am going to be forced to use the relationship object to make the Sighting work. I am also going to be forced to make a potentially large number of new Sighting Objects (since there is a timestamp). Also, a sighting by itself, without the looking into the Relationship object is kind of useless.
We can eliminate this extra complexity by eliminating the atomic Sightings object and replacing it with a relationship type.
Just debating
Aharon Chernin
CTO SOLTRA
| An FS-ISAC & DTCC Company
18301 Bermuda green Dr
Tampa, fl 33647
From: Jordan, Bret <bret.jordan@bluecoat.com>
Sent: Thursday, August 20, 2015 11:33 AM To: Davidson II, Mark S Cc: Aharon Chernin; cti-stix@lists.oasis-open.org Subject: Re: [cti-stix] STIX 2.0 - Sightings object One thing to keep in mind is that we want the objects as small and simple as possible. Some times to make them more broad you have to add a lot of extra fields. This should be avoided. We want them to be as atomic as possible. Also, if they are separate
then they can grow and evolve independently.
This is one of the many things I do not like about how STIX and CybOX is done today. The excessive use of object oriented reuse makes it nearly impossible to fix or change certain things as that would have adverse effects on other areas that
can not take those changes.
Object reuse is not always a good thing.
Thanks,
Bret
Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
|
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]