Subject: RE: [cti-stix] Some thoughts on Sightings and conversations to date (Part #4): should sightings have IDs?


Maybe this is where we're deviating. I am operating under the assumption that we actually want a firewall vendor to be able to produce sightings natively over TAXII... at least, in the TAXII SC, this has been widely discussed as a goal - we want as many devices able to participate and produce in threat intel as possible. I.e., I don't want to have to have a "STIX System" in the middle, introducing delay, just to produce sightings... such a thing may be used if desired in some environments, but I don't think we should be assuming having a middle-man is a requirement and immediately limiting future possibilities...

-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown

From: "Taylor, Marlon" <Marlon.Taylor@hq.dhs.gov>
To: Jason Keirstead/CanEast/IBM@IBMCA, "Wunder, John A." <jwunder@mitre.org>
Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 2015/11/04 11:31 AM
Subject: RE: [cti-stix] Some thoughts on Sightings and conversations to date (Part #4): should sightings have IDs?
Sent by: <cti-stix@lists.oasis-open.org>
The requirement for the hash-based ID wouldn't be placed on the FW vendor (or any frontline system). It would be placed on whatever system is responsible for speaking STIX.

See the scenario:
Frontline products continue to function without knowledge of STIX.

-Marlon

From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Jason Keirstead
Sent: Wednesday, November 04, 2015 9:32 AM
To: Wunder, John A.
Cc: Taylor, Marlon; cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Some thoughts on Sightings and conversations to date (Part #4): should sightings have IDs?

Another reason is, it will slow vendor adoption.

Asking a firewall vendor to optionally emit a log in a specific format (a sighting) is probably not that difficult. Asking them to also include in that log a hash of data within, could make their job VERY difficult, as they may not have an accelerated hashing function in their ASIC that can efficiently generate that log.. and doing anything like hashing in software only is not an option for a firewall vendor.

-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems

www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown

From: "Wunder, John A." <jwunder@mitre.org>
To: "Taylor, Marlon" <Marlon.Taylor@hq.dhs.gov>
Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 2015/11/04 10:21 AM
Subject: Re: [cti-stix] Some thoughts on Sightings and conversations to date (Part #4): should sightings have IDs?
Sent by: <cti-stix@lists.oasis-open.org>

Way to ruin our agreement! (just kidding)

Here's why I don't want to require hash-based IDs: it will require (sometimes embedded) systems to support specific hashing functions and have specific data available (the full indicator). That may not always be the case and so while it sounds nice in an ideal world I'm not sure it's actually practical. So I think it's fine to allow some communities/tools to work with the hash-based IDs if they want but I don't think we should force that particular implementation approach on everyone doing sightings.

I actually prefer mandatory IDs on sightings but I'm fine with them being optional, so I'll step out of that argument.

John
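The scenario Marlon sketches (frontline device emits a plain log, a separate STIX-speaking system resolves the indicator it already holds and derives the hash-based ID) as an added example that is not part of this thread or of any STIX/TAXII implementation. The log format, the indicator IDs, the choice of fields to canonicalise and the `sighting--<sha256>` ID form are all assumptions made here.

```python
import hashlib
import json

# Constructed sample log lines from a frontline firewall that knows nothing
# about STIX and does no hashing. Field names are hypothetical.
FIREWALL_LOG = [
    "2015-11-04T14:31:01Z DENY src=10.0.0.5 dst=203.0.113.7 dport=443 sensor=fw-edge-1",
    "2015-11-04T14:31:01Z DENY src=10.0.0.5 dst=203.0.113.7 dport=443 sensor=fw-edge-1",
    "2015-11-04T14:31:01Z DENY src=10.0.0.9 dst=203.0.113.7 dport=443 sensor=fw-edge-2",
    "2015-11-04T14:31:03Z ALLOW src=10.0.0.9 dst=198.51.100.20 dport=80 sensor=fw-edge-2",
]

# The STIX-speaking system's own indicator store (constructed ids); the
# firewall only ever sees the raw destination address, never the indicator.
INDICATORS = {"203.0.113.7": "indicator--00000000-0000-4000-8000-000000000001"}


def parse_log_line(line):
    """Split one firewall line into a dict; no STIX knowledge needed here."""
    timestamp, action, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {"timestamp": timestamp, "action": action, **fields}


def canonical_sighting(event, indicator_id):
    """Keep only the fields that identify the observation, so the hash is
    stable regardless of how the device formatted the rest of the line."""
    return {"indicator_ref": indicator_id, "sensor": event["sensor"],
            "observed_value": event["dst"], "timestamp": event["timestamp"]}


def hash_based_id(canon):
    """Deterministic ID: SHA-256 over a canonical JSON encoding (assumed form)."""
    blob = json.dumps(canon, sort_keys=True, separators=(",", ":")).encode()
    return "sighting--" + hashlib.sha256(blob).hexdigest()


def build_sightings(lines):
    """Turn raw log lines into sightings keyed by hash-based ID. The same
    event reported twice collapses to one sighting; traffic that matches no
    known indicator is skipped rather than turned into a sighting."""
    sightings = {}
    for line in lines:
        event = parse_log_line(line)
        indicator_id = INDICATORS.get(event["dst"])
        if indicator_id is None:
            continue
        canon = canonical_sighting(event, indicator_id)
        sightings.setdefault(hash_based_id(canon), canon)
    return sightings
```

Note that the hashing and the lookup of the full indicator both happen in the intermediary, which is the point John raises against mandating hash-based IDs on every producer.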