Subject: Re: [cti-stix] Asset: the missing piece in your puzzle
I am 100% behind giving us the ability to communicate asset information. Just not sure it should be in STIX, or OASIS CTI for that matter. If we can do this at a higher level than CTI, then we can use the same asset standard for vulnerability, compliance, and threats. We could even use it outside of the information security space.
I say we continue using exploit target until we can figure out how to get STIX out of the asset business.
Aharon
From: <cti-stix@lists.oasis-open.org> on behalf of Patrick Maroney <Pmaroney@Specere.org>
Date: Friday, November 27, 2015 at 7:18 AM
To: Jason Keirstead <jason.keirstead@ca.ibm.com>, Jerome Athias <athiasjerome@gmail.com>
Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Asset: the missing piece in your puzzle

ExploitTarget only represents where the "pointy end" of the stick is pointed (attack surface/vulnerability), not the organization or assets behind same. Some of us share the view that there needs to be a top level object that represents the Victim(s) and their Assets.
Patrick Maroney
President, Integrated Networking Technologies, Inc.
Desk: (856)983-0001
Cell: (609)841-5104
Email: pmaroney@specere.org
From: Jason Keirstead <jason.keirstead@ca.ibm.com>
Sent: Friday, November 27, 2015 8:08 AM
Subject: Re: [cti-stix] Asset: the missing piece in your puzzle
To: Jerome Athias <athiasjerome@gmail.com>
Cc: <cti-stix@lists.oasis-open.org>

Wouldn't an asset just be linked using the already existing facility of @idref on ExploitTarget?
From https://www.sans.org/critical-security-controls to ISO 27001, through the NIST CSF (#1 Identify), NIST Risk Management Framework, SP 800-53...

If you don't properly manage your Assets in cybersecurity: you will FAIL. Information obtained from the data that you will manipulate and exchange needs to be linked to your Assets, and to the Assets of others (Supply Chain or Adversaries).

So, again, I invite you to look at http://scap.nist.gov/specifications/ai/

NB: While not perfect, and I can comment further with pleasure on where/why, the Asset concept/construct or relationships (i.e. through GUIDs) is, imho, NEEDED.

PS: I will try to put effort into documenting where the current model(s) are currently weak regarding this domain.

Best regards
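Jason asks whether an asset could simply be linked by @idref on ExploitTarget, and Jerome points at the SCAP Asset Identification (AI) specification. The Python below is an added example, not code from any poster or from the STIX or SCAP projects: it sketches what a consumer would have to do with such a link, namely collect the ids in a STIX 1.x package and in a separate AI inventory, resolve every idref, and flag the ones that dangle. Both XML documents are constructed; using a Related_Exploit_Target idref to point at an asset record, the layout of the inventory, the example: ids and the CVE placeholder are all assumptions made for illustration.

```python
"""Resolve id/idref links between a STIX 1.x package and an SCAP AI inventory.

Constructed example: the XML is illustrative, and referencing an asset
record from Related_Exploit_Targets is an assumption, not STIX 1.x schema.
"""
import xml.etree.ElementTree as ET

# Constructed STIX 1.x package. One ExploitTarget (placeholder CVE) claims
# two assets via idref; only one of them exists in the inventory below.
STIX_PACKAGE = """<stix:STIX_Package
    xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:stixCommon="http://stix.mitre.org/common-1"
    xmlns:et="http://stix.mitre.org/ExploitTarget-1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    id="example:package-1" version="1.2">
  <stix:Exploit_Targets>
    <stix:Exploit_Target id="example:et-1" xsi:type="et:ExploitTargetType">
      <et:Title>Unpatched web server (constructed)</et:Title>
      <et:Vulnerability><et:CVE_ID>CVE-0000-0000</et:CVE_ID></et:Vulnerability>
      <et:Related_Exploit_Targets>
        <stixCommon:Related_Exploit_Target>
          <stixCommon:Relationship>Affects asset</stixCommon:Relationship>
          <stixCommon:Exploit_Target idref="example:asset-host-1"/>
        </stixCommon:Related_Exploit_Target>
        <stixCommon:Related_Exploit_Target>
          <stixCommon:Relationship>Affects asset</stixCommon:Relationship>
          <stixCommon:Exploit_Target idref="example:asset-host-2"/>
        </stixCommon:Related_Exploit_Target>
      </et:Related_Exploit_Targets>
    </stix:Exploit_Target>
  </stix:Exploit_Targets>
</stix:STIX_Package>"""

# Constructed asset inventory in the AI 1.1 namespace (element layout and
# id values are assumptions, kept minimal on purpose).
ASSET_INVENTORY = """<ai:assets
    xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1">
  <ai:computing-device id="example:asset-host-1">
    <ai:hostname>web01</ai:hostname>
    <ai:fqdn>web01.example.net</ai:fqdn>
  </ai:computing-device>
</ai:assets>"""


def local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.split("}", 1)[-1]


def collect_ids(root):
    """Every element carrying an 'id' attribute, keyed by that id."""
    return {el.get("id"): el for el in root.iter() if el.get("id")}


def collect_idrefs(root):
    """Every (element, idref) pair in document order."""
    return [(el, el.get("idref")) for el in root.iter() if el.get("idref")]


def resolve_idrefs(stix_xml, asset_xml):
    """Map each idref in the STIX package to the local name of the element
    it resolves to (looked up in both documents), or None if it dangles."""
    stix_root = ET.fromstring(stix_xml)
    asset_root = ET.fromstring(asset_xml)
    known = {}
    known.update(collect_ids(asset_root))
    known.update(collect_ids(stix_root))  # package ids win on collision
    resolved = {}
    for _el, ref in collect_idrefs(stix_root):
        target = known.get(ref)
        resolved[ref] = local_name(target.tag) if target is not None else None
    return resolved


def dangling_idrefs(stix_xml, asset_xml):
    """Sorted list of idrefs that resolve to nothing: the check a consumer
    needs before trusting any asset linkage in a received package."""
    resolved = resolve_idrefs(stix_xml, asset_xml)
    return sorted(ref for ref, target in resolved.items() if target is None)


if __name__ == "__main__":
    for ref, target in resolve_idrefs(STIX_PACKAGE, ASSET_INVENTORY).items():
        print(f"{ref} -> {target or 'UNRESOLVED'}")
    print("dangling:", dangling_idrefs(STIX_PACKAGE, ASSET_INVENTORY))
```

The resolver is deliberately indifferent to which document an id comes from; that is the point of Jerome's GUID remark, and also its weakness: a consumer must decide which inventories are authoritative before it lets an external package assert anything about its assets.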