( For the record here - I am not actually suggesting we abandon STIX/TAXII for email or any other such thing - I am trying to trigger some debate that will hopefully allow better understanding of use cases)
To counter your points below...
(1), (2), and (4), while accurate, do not really have anything to do with TAXII and are more about the STIX content being transmitted. Therefore, Email or not would not preclude these... ("mailing list == trust circle")
(3) is, in my opinion, grasping at straws a bit...
I think this H2H use case needs to be thought out very, very thoroughly on how it would work. The way you design a protocol for instant near-real time communication between systems is not the same way you design a protocol for delayed communication between people. Its IM vs. Email. The use cases are totally different and the idea that we can make one protocol elegantly fill both use cases seems unlikely.
-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown 
"Jane Ginn - jg@ctin.us" ---2015/11/03 12:51:11 AM---Jason: Here are some thoughts as to why H2H communications through a Threat Intel Platform works bet
From: "Jane Ginn - jg@ctin.us" <jg@ctin.us>
To: Jason Keirstead/CanEast/IBM@IBMCA, Bret Jordan <bret.jordan@bluecoat.com>
Cc: achernin@soltra.com, cti-stix@lists.oasis-open.org, jbush@dtcc.com, joep@eclecticiq.com, mdavidson@mitre.org, Pmaroney@Specere.org, sbarnum@mitre.org, terry@soltra.com, trey@soltra.com
Date: 2015/11/03 12:51 AM
Subject: Re: [cti-stix] STIX Sightings
Sent by: <cti-stix@lists.oasis-open.org>
Jason:
Here are some thoughts as to why H2H communications through a Threat Intel Platform works better than through encrypted email:
1. Trust circle conditions have already been worked out in advance for each of the members that have been onboarded onto a platform... therefore the human analyst can stay focused (in real time) on the problem at hand (e.g., incident response, data enrichment, TTP analysis, attribution elements synthesis, etc..) and once he/she has some information (or data) for responding to an RFI...he/she can just do it, without having to create a distribution list.
2. Trust circle conditions that have been worked out on advance may include such things as: security level data classifications (i.e., data markings), confidence intervals (stemming from the reliability and credibility of the source), classifications for the type of information being shared (e.g., situational awareness reports, IoCs, malware artifacts, etc...). Again... if all of this is worked out in advance it saves the analyst time and energy and makes the process more efficient.
3. The size of the membership of an ISAC or ISAO may be such that an email with a large distribution list may be detected as spam ... and filtered out of a recipient's in-box.
4. The Threat Intelligence Platform can be designed to have streamlined interfaces with other network tools so findings from an RFI can be immediately uploaded to a network device (e.g., a Snort snippet).
There are other reasons, as well, I'm sure. These are just a few off the top of my head.
Jane Ginn, MSIA, MRP
Cyber Threat Intelligence Network, Inc.
jg@ctin.us
-------- Original Message --------
From: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Sent: Friday, October 30, 2015 10:36 AM
To: "Jordan, Bret" <bret.jordan@bluecoat.com>
Subject: Re: [cti-stix] STIX Sightings
CC: Aharon Chernin <achernin@soltra.com>,cti-stix@lists.oasis-open.org,"Jonathan Bush (DTCC)" <jbush@dtcc.com>,Joep Gommers <joep@eclecticiq.com>,Mark Davidson <mdavidson@mitre.org>,Patrick Maroney <Pmaroney@Specere.org>,"Sean D. Barnum" <sbarnum@mitre.org>,Terry MacDonald <terry@soltra.com>,Trey Darley <trey@soltra.com>
- (1) Analyst from member company of ISAC "X" detects SpearPhish, DDOS, Scanning, etc. and want's more information from other members within ISAC "X"
(2) ISAC "X" Analysts send an RFI through an intermediary like the NCI (National Council of ISACs) to all other NCI Member Sector ISACs. What do you know about "Y", Have you seen "Z", etc.
(3) Analyst "A" has Malware sample and needs to submit it to Agency "B" to establish actionable IOCs ASAP.
So essentially the primary use case is H2H. AKA:
- - Human A enters RFI
- It gets delivered to Human B,C,D into some type of inbox
- Eventually, Human B,C,D will see the request, and respond (or not)... minutes to hours to days later (?)
- Said replies go to Human A
It feels to me like it is a re-invention of Email?
"But they use free form data blobs over email and IM. "
Is the solution to simply use STIX over SMTP?
I am trying to envision what the protocol is here, that makes this data flow work any better than an encrypted email.
-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
[attachment "signature.asc" deleted by Jason Keirstead/CanEast/IBM]