cti-stix message
Subject: Re: [cti-stix] Proposal to establish Sightings (#306) and Relationships (#291) as our official issue topics under active consideration for STIX v2.0
- From: "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>
- To: "Wunder, John A." <jwunder@mitre.org>
- Date: Fri, 30 Oct 2015 14:14:23 -0400
That is kind of the point - there is no way to go back to these automated systems and ask for more info - they don't have it... they have no systems of record to store it in. This will be true of all kinds of security devices:
Firewall
IPS
NGFW
App Sandbox
Endpoint protection *
* Most endpoints have a system of record of IOCs up on a management console somewhere, but not always
All of these device classes could reasonably directly produce observables and sightings, but none of them have systems of record that can make use of IDs for querying.
-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
"Wunder, John A." wrote on 2015/10/30 03:10:28 PM:
From: "Wunder, John A." <jwunder@mitre.org>
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 2015/10/30 03:10 PM
Subject: Re: [cti-stix] Proposal to establish Sightings (#306) and Relationships (#291) as our official issue topics under active consideration for STIX v2.0
Sent by: <cti-stix@lists.oasis-open.org>
But in those cases wouldn’t the consumers want some way to go back to the producers and ask for more info? Or, when they do, do you think they would just go back with the entire sighting rather than an ID?
It just seems like we have this standard ID mechanism on most things and we should have a very good reason to not follow that pattern here.
On Oct 30, 2015, at 1:56 PM, Jordan, Bret <bret.jordan@BLUECOAT.COM> wrote:
I think on the surface it may seem like they are different and the Org to Org sharing will be easier. But that is only the case when you have a very finite number of people contributing to the ecosystem. The problem becomes more complex when every SOC in every major enterprise and mom-n-pop shop starts emitting an Indicator+CybOX+MAEC for the same exact piece of Malware. You could easily have 10,000 IDs for exactly the same thing.
Thanks,
Bret
Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
On Oct 30, 2015, at 11:50, Wunder, John A. <jwunder@mitre.org> wrote:
I know we hate optionality, but they could be optional. It kind of gets to Jon Baker’s earlier point that organizational sightings have a different use case (and therefore different requirements) than internal tool-based sightings and the same field set may not solve both problems.
John
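An added illustration of the two points raised in this thread, not code from the thread or from the STIX project: Bret's "10,000 IDs for exactly the same thing" and Jason's devices that emit sightings with no system of record behind them. The sighting records, producer names and hash value are constructed; the record layout is an assumption, not STIX 2.0 syntax. Keying on what was observed rather than on producer-minted IDs collapses the duplicates and tolerates records that carry no ID at all.

```python
import uuid
from collections import defaultdict

# Constructed sample: three producers report the same file hash. Two mint their
# own random IDs; the firewall has no system of record and emits no ID at all.
SAMPLE_SIGHTINGS = [
    {"id": str(uuid.uuid4()), "producer": "soc-alpha",
     "observable": {"type": "sha256", "value": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"}},
    {"id": str(uuid.uuid4()), "producer": "soc-beta",   # same hash, upper-case hex
     "observable": {"type": "SHA256", "value": "9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08"}},
    {"producer": "edge-firewall",                        # stateless device: no ID field
     "observable": {"type": "sha256", "value": " 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 "}},
]


def canonical_key(observable):
    """Normalise an observable so equivalent reports compare equal (type and hex case, stray whitespace)."""
    return (observable["type"].strip().lower(), observable["value"].strip().lower())


def collapse_by_observable(sightings):
    """Group sightings by what was observed, not by whatever ID the producer assigned."""
    groups = defaultdict(lambda: {"count": 0, "producers": set(), "ids": set()})
    for s in sightings:
        g = groups[canonical_key(s["observable"])]
        g["count"] += 1
        g["producers"].add(s["producer"])
        if s.get("id"):            # records without an ID still count as a sighting
            g["ids"].add(s["id"])
    return dict(groups)


def summarize(sightings):
    """Return (distinct observables, distinct producer IDs, total reports) for a batch."""
    groups = collapse_by_observable(sightings)
    return (len(groups),
            sum(len(g["ids"]) for g in groups.values()),
            sum(g["count"] for g in groups.values()))


if __name__ == "__main__":
    observables, ids, reports = summarize(SAMPLE_SIGHTINGS)
    print(f"{reports} reports carrying {ids} distinct IDs describe {observables} observable")
```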