OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

cti-stix message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [cti-stix] Things that are difficult in STIX


I would be in favor of ISO8601 as I suggested in the best practices guide.   We need to have something that is rigid and defined, not open ended for people to do anything and its dog.  

yyyy-mm-ddThh:mm:ss.ssss+-hh:mm

I am not against UNIX EPOC if the majority of people want to go that way.  But I see it as either ISO8601 with the format I have shown above or UNIX EPOC with some sort of time zone element.  The nice thing about the format above is it includes the timezone offset.  






Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On Nov 19, 2015, at 11:37, Jason Keirstead <Jason.Keirstead@ca.ibm.com> wrote:

I did not realize timestamps had to follow ISO8601.... they certainly don't in the wild. I see all kinds of different variations of timestamps...some people have them, some don't, some include milliseconds, some don't, some include nanoseconds, some don't, sometimes there is a timezone, sometimes not...

It would be highly desired that STIX 2.0 have a very strict and mandator timestamp format, accurate at a minimum to the millisecond, declared in the schema - or even simpler, just use UNIX EPOC for timestamps, which would do-away with most of the need for that parsing load.

-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown


<graycol.gif>Terry MacDonald ---11/18/2015 03:42:55 PM---Thanks Jason. Good point on the timestamps. I’ve haven’t mentioned them directly – more in passing u

From: Terry MacDonald <terry@soltra.com>
To: Jason Keirstead/CanEast/IBM@IBMCA, John Anderson <janderson@soltra.com>
Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 11/18/2015 03:42 PM
Subject: RE: [cti-stix] Re: Things that are difficult in STIX
Sent by: <cti-stix@lists.oasis-open.org>





Thanks Jason.

Good point on the timestamps. I’ve haven’t mentioned them directly – more in passing under the Versioning topic. It could be a good idea to add them when we add the document to the issue tracker/wiki.

We may not strictly need them for versioning reasons if we decide to go for Major versioning only, but we probably still should need them to help with generating timelines to aid with analysis.

As and aside, timestamps must be in ISO8601 format, and should include time zone wherever possible
(http://stixproject.github.io/documentation/suggested-practices/#creating-timestamps)

Cheers

Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA | An FS-ISAC and DTCC Company
+61 (407) 203 206 | terry@soltra.com


From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Jason Keirstead
Sent:
Thursday, 19 November 2015 4:37 AM
To:
John Anderson <janderson@soltra.com>
Cc:
Terry MacDonald <terry@soltra.com>; cti-stix@lists.oasis-open.org
Subject:
Re: [cti-stix] Re: Things that are difficult in STIX

I think this document is excellent!

One I would like to add that I don't see present - timestamps. The fact that timestamps are (a) optional, and (b) have an undefined format (no required ISO format string), makes STIX very painful to work with as a consumer. All we have are best practices, which are not always adhered to, and even the best practice is inconsistent with respect to things like how to treat time zones.

-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems

www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown


<graycol.gif>John Anderson ---11/18/2015 10:55:13 AM---Terry, Thank you. This document explicitly points out many of the "pain points" I (as a recent induc

From:
John Anderson <janderson@soltra.com>
To:
Terry MacDonald <terry@soltra.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date:
11/18/2015 10:55 AM
Subject:
[cti-stix] Re: Things that are difficult in STIX
Sent by:
<cti-stix@lists.oasis-open.org>






Terry,
Thank you. This document explicitly points out many of the "pain points" I (as a recent inductee to the STIX/CybOX implementor's club) have felt. I am very encouraged by your vision of the future.


My two favorites are:
        • ​top-level Relationship object -> This foundational shift will greatly KISS the data model. Bring it on!
        • top-level Opinion object -> Can I "+1" this idea? <0F347492.gif>
The rest is good, too, and I look forward to a greatly-improved STIX 1.2 that's very close to your proposal.
JSA




From:
cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Terry MacDonald <terry@soltra.com>
Sent:
Tuesday, November 17, 2015 8:47 PM
To:
cti-stix@lists.oasis-open.org
Subject:
[cti-stix] Things that are difficult in STIX

Hi All,


We’ve spent a bit of time over the last 2 weeks thinking about where STIX could be improved. We’ve gone through the various discussion points that people have raised on and off list, and through the various experiences that we’ve had ourselves in using STIX. The attached document is the result of that work. In it we list 25 topics that we believe could be improved in some way (or at least should be discussed).


Our hope is that the document will help prompt discourse, and move us towards consensus so that we can agree some of the cross-cutting major issues that Sean mentioned in his STIX v2.0 Roadmap wiki page. We plan to add these items to the STIX issue tracker, and to the STIX v2.0 Roadmap wiki page, so that they are accurately tracked and followed.


Please feel free to provide feedback on this document – positive or not – as the end goal is making something that was better than before. We have thick skins
J.

Also - thank you to all who provided items for inclusion in the list. I haven’t named people as I wasn’t sure if they wanted their names public. But please accept my thanks for your input.


Cheers


Terry MacDonald

Senior STIX Subject Matter Expert

SOLTRA
| An FS-ISAC and DTCC Company
+61 (407) 203 206 |
terry@soltra.com






Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]