Subject: RE: Deconstruction of Cybox observables from STIX reports


Can you wait until STIX v2.0? :D

 

At present you would import the data into a STIX compatible data system, would create a feed for each of your tools you need, and would then connect them to your tools. This part is available in a few different tools, Soltra and EclecticIQ come to mind.

 

If the integration/adapter supports it, you could have alerting from your security tool pulled into the STIX compatible data system, which hopefully will recognize the IP address and will create a Sighting under the Indicator object (http://stixproject.github.io/data-model/1.2/indicator/SightingType/). TBH I’m not actually sure which adapters in which products support ingesting Sightings at present. I believe most are one way – outbound – although very happy to be told otherwise!

 

In STIX v2.0 as you’ve seen we are discussing making the Sightings object a top-level object, and as such I expect there will be a lot more use of that ‘feedback loop’. I know I really want to see it as it’s a key part of automating our security tools and getting to that cherished HMM Level 4 (http://detect-respond.blogspot.com.au/2015/10/a-simple-hunting-maturity-model.html).

 

Cheers

 

Terry MacDonald

Senior STIX Subject Matter Expert

SOLTRA | An FS-ISAC and DTCC Company

+61 (407) 203 206 | terry@soltra.com

 

 

From: Jyoti Verma (jyoverma) [mailto:jyoverma@cisco.com]
Sent: Friday, 30 October 2015 8:03 AM
To: Terry MacDonald <terry@soltra.com>; Barnum, Sean D. <sbarnum@mitre.org>; joep@eclecticiq.com
Cc: cti-stix@lists.oasis-open.org
Subject: Re: Deconstruction of Cybox observables from STIX reports

 

Hi Terry,

 

That’s right. And yes there will be a database to store the STIX indicators.

 

Thanks,

Jyoti

 

From: Terry MacDonald <terry@soltra.com>
Date: Thursday, October 29, 2015 at 1:58 PM
To: Jyoti Verma <jyoverma@cisco.com>, "Barnum, Sean D." <sbarnum@mitre.org>, "joep@eclecticiq.com" <joep@eclecticiq.com>
Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: RE: Deconstruction of Cybox observables from STIX reports

 

Hi Jyoti,

 

If I am reading you correctly you are wanting to take a STIX feed and pull out the CybOX objects, then send those to the security tools you have in order to monitor for those Observables? And then when you get a Sighting, send the updated information back into STIX?

 

Is that right?

 

Are you feeding this into a ‘STIX database’ at any stage for long term storage?

 

Cheers

 

Terry MacDonald

Senior STIX Subject Matter Expert

SOLTRA | An FS-ISAC and DTCC Company

+61 (407) 203 206 | terry@soltra.com

 

 

From: Jyoti Verma (jyoverma) [mailto:jyoverma@cisco.com]
Sent: Friday, 30 October 2015 6:53 AM
To: Barnum, Sean D. <sbarnum@mitre.org>; joep@eclecticiq.com; Terry MacDonald <terry@soltra.com>
Cc: cti-stix@lists.oasis-open.org
Subject: Deconstruction of Cybox observables from STIX reports

 

Hi,

 

I brought this up during the Cybox call today and am taking it offline for further discussion. To recap, we are looking into deconstructing Cybox observables from STIX IOCs for distribution to disparate systems that can deal with them and then, at a later point in time, re-construct them back, thereby enriching the original IOC. Instead of re-inventing the wheel on this, I was wondering if there is a tool out there that can handle comprehensive use cases. Would love to hear the approach and challenges faced in this process by folks who do this currently.

 

Thanks,

Jyoti
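As an added example (not from anyone in this thread), a small Python sketch of the two halves discussed above: pulling the CybOX observables out of a STIX 1.2 Indicator so each value can be handed to a security tool, and writing a tool's detection back as a Sighting under that Indicator, using the SightingType elements linked in Terry's reply. The STIX package is a constructed sample; the source name, indicator ids and timestamps are assumed values.

```python
import xml.etree.ElementTree as ET

# STIX/CybOX 1.2 namespaces used by the constructed sample below.
NS = {"stix": "http://stix.mitre.org/stix-1",
      "indicator": "http://stix.mitre.org/Indicator-2",
      "stixCommon": "http://stix.mitre.org/common-1",
      "cybox": "http://cybox.mitre.org/cybox-2",
      "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Constructed sample package: one Indicator wrapping a single IPv4 address observable.
SAMPLE = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
  xmlns:indicator="http://stix.mitre.org/Indicator-2" xmlns:cybox="http://cybox.mitre.org/cybox-2"
  xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  id="example:Package-1" version="1.2">
  <stix:Indicators>
    <stix:Indicator xsi:type="indicator:IndicatorType" id="example:indicator-1">
      <indicator:Observable id="example:observable-1">
        <cybox:Object id="example:object-1">
          <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
            <AddressObj:Address_Value condition="Equals">203.0.113.7</AddressObj:Address_Value>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>"""

def extract_observables(package_xml):
    """Deconstruct: map each Indicator id to the address values its CybOX observables carry."""
    root = ET.fromstring(package_xml)
    return {ind.get("id"): [v.text.strip() for v in ind.iterfind(".//AddressObj:Address_Value", NS) if v.text]
            for ind in root.iterfind("stix:Indicators/stix:Indicator", NS)}

def add_sighting(package_xml, indicator_id, source_name, timestamp):
    """Reconstruct: record a tool's detection as a Sighting under the matching Indicator."""
    root = ET.fromstring(package_xml)
    for ind in root.iterfind("stix:Indicators/stix:Indicator", NS):
        if ind.get("id") != indicator_id:
            continue
        sightings = ind.find("indicator:Sightings", NS)
        if sightings is None:  # appended last; valid here because the sample has no later siblings
            sightings = ET.SubElement(ind, f"{{{NS['indicator']}}}Sightings")
        sighting = ET.SubElement(sightings, f"{{{NS['indicator']}}}Sighting", timestamp=timestamp)
        source = ET.SubElement(sighting, f"{{{NS['indicator']}}}Source")
        identity = ET.SubElement(source, f"{{{NS['stixCommon']}}}Identity")
        ET.SubElement(identity, f"{{{NS['stixCommon']}}}Name").text = source_name
        sightings.set("sightings_count", str(len(sightings)))
        return ET.tostring(root, encoding="unicode")
    raise KeyError(f"no Indicator with id {indicator_id}")
```

A real deployment would also validate the result against the STIX 1.2 schema, since element order within an Indicator is fixed and a Sightings element must sit before any Related_Indicators or Producer elements.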

 

 


