Re: [cti-stix] Asset: the missing piece in your puzzle

["Jason Keirstead" <Jason.Keirstead@ca.ibm.com>]

Wouldn't an asset just be linked using the already existing facility of @idref on ExploitTarget?

Not sure something new needs to be created...

-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown


Jerome Athias ---11/27/2015 01:49:35 AM---From https://www.sans.org/critical-security-controls to ISO 27001, through the NIST CSF (#1 Identify

From: Jerome Athias <athiasjerome@gmail.com>
To: cti-stix@lists.oasis-open.org
Date: 11/27/2015 01:49 AM
Subject: [cti-stix] Asset: the missing piece in your puzzle
Sent by: <cti-stix@lists.oasis-open.org>

---

From https://www.sans.org/critical-security-controls
to ISO 27001, through the NIST CSF (#1 Identify), NIST Risk Management
Framework, SP 800-53... ...
If you don't properly manage your Assets in cybersecurity: you will FAIL.

Information obtained from the data that you will manipulate and
exchange need to be linked to your Assets, the Assets of others
(Supply Chain or Adversaries).

So -again-, I invite you to look at http://scap.nist.gov/specifications/ai/

NB: While not perfect, and I can comment further with pleasure on
where/why, the Asset concept/construct or relationships (i.e. through
GUIDs) is, imho, NEEDED.

PS: I will try to put effort on documenting where the current model(s)
are currently weak regarding this domain

Best regards

---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that 
generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php