If I want to share vulnerability/configuration detection information, like you I would use OVAL, CVE, CCE, etc. Why does this need to be an extension supported by CTI?
CTI STIX -> STIX Exploit Target -> CVE <- OVAL Definition
CVE just happens to be the pivot point that we use to determine which OVAL definition. We don’t need to send the OVAL definition via a STIX message. The OVAL definition would be handled out of band from STIX.
Aharon
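To make the pivot above concrete, here is an added example (my own illustration, not code from the thread, from STIX or from OVAL): it pulls the CVE ids out of a STIX 1.x ExploitTarget and joins them against a local OVAL definition set on the CVE reference, so the OVAL content itself never travels in the STIX message. Both XML documents are constructed samples; the element names are my assumption about the STIX 1.x ExploitTarget and OVAL 5.x definition schemas, and the OVAL ids and the CVE ids are placeholders (CVE-2015-00001 is the example id used later in this thread).

```python
"""Pivot from a STIX 1.x ExploitTarget to OVAL definitions on CVE id.

Added example, not the thread's own code. The documents below are
constructed samples modelled on the STIX 1.x ExploitTarget and OVAL 5.x
definition schemas (an assumption about those schemas); ids are placeholders.
"""
import json
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed STIX 1.x package naming two CVEs in one ExploitTarget.
STIX_SAMPLE = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:et="http://stix.mitre.org/ExploitTarget-1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    id="example:package-1" version="1.2">
  <stix:Exploit_Targets>
    <stix:Exploit_Target xsi:type="et:ExploitTargetType" id="example:et-1">
      <et:Title>Constructed exploit target</et:Title>
      <et:Vulnerability><et:CVE_ID>CVE-2015-00001</et:CVE_ID></et:Vulnerability>
      <et:Vulnerability><et:CVE_ID>CVE-2015-00002</et:CVE_ID></et:Vulnerability>
    </stix:Exploit_Target>
  </stix:Exploit_Targets>
</stix:STIX_Package>"""

# Constructed OVAL definitions held locally (out of band from STIX).
OVAL_SAMPLE = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition id="oval:example.org:def:1" version="1" class="vulnerability">
      <metadata>
        <title>CVE-2015-00001 on RHEL 4</title>
        <affected family="unix"><platform>Red Hat Enterprise Linux 4</platform></affected>
        <reference source="CVE" ref_id="CVE-2015-00001"/>
        <description>constructed</description>
      </metadata>
    </definition>
    <definition id="oval:example.org:def:2" version="1" class="vulnerability">
      <metadata>
        <title>CVE-2015-00001 on Windows 7</title>
        <affected family="windows"><platform>Microsoft Windows 7</platform></affected>
        <reference source="CVE" ref_id="CVE-2015-00001"/>
        <description>constructed</description>
      </metadata>
    </definition>
    <definition id="oval:example.org:def:3" version="1" class="patch">
      <metadata>
        <title>Unrelated patch check</title>
        <affected family="unix"><platform>Red Hat Enterprise Linux 4</platform></affected>
        <reference source="CVE" ref_id="CVE-2014-99999"/>
        <description>constructed</description>
      </metadata>
    </definition>
  </definitions>
</oval_definitions>"""


def local(tag):
    """Strip the namespace from an ElementTree tag ('{ns}name' -> 'name')."""
    return tag.rsplit("}", 1)[-1]


def cve_ids_from_stix(stix_xml):
    """Collect every CVE_ID carried by the ExploitTargets in a STIX package."""
    root = ET.fromstring(stix_xml)
    return [el.text.strip().upper() for el in root.iter()
            if local(el.tag) == "CVE_ID" and el.text]


def oval_index_by_cve(oval_xml):
    """Index OVAL definitions by the CVE ids in their <reference source="CVE"> entries."""
    root = ET.fromstring(oval_xml)
    index = defaultdict(list)
    for defn in root.iter():
        if local(defn.tag) != "definition":
            continue
        platforms = [p.text for p in defn.iter() if local(p.tag) == "platform"]
        for ref in defn.iter():
            if local(ref.tag) == "reference" and ref.get("source") == "CVE":
                index[ref.get("ref_id", "").upper()].append(
                    {"oval_id": defn.get("id"), "class": defn.get("class"),
                     "platforms": platforms})
    return dict(index)


def link_exploit_targets(stix_xml, oval_xml):
    """Join on CVE: for each CVE the ExploitTarget names, the OVAL definitions that check it.

    A CVE with no local OVAL content maps to an empty list, which is the
    case a consumer must handle (no definition to run yet)."""
    index = oval_index_by_cve(oval_xml)
    return {cve: index.get(cve, []) for cve in cve_ids_from_stix(stix_xml)}


if __name__ == "__main__":
    print(json.dumps(link_exploit_targets(STIX_SAMPLE, OVAL_SAMPLE), indent=2))
```

The join key is the CVE id alone; the STIX side carries nothing about which platforms or definitions apply, and the OVAL side (with its platform list) stays in the local repository, which is exactly the separation described above.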
And btw, if you want to share this example, I recommend to use OVAL for the platform
(Is OVAL extension supported in CTI? And I am not asking about JSON OVAL)
On Friday, 27 November 2015, Struse, Richard <Richard.Struse@hq.dhs.gov> wrote:
I don’t doubt the value of bridging this information in the context of a repository within your organization. However, it is not within the scope
of CTI nor is it information that most organizations would ever dream of sharing outside their boundaries. I see STIX as letting us communicate that a threat is directed at a particular platform (e.g. Windows 7 or RHEL 4.x) or a specific vulnerability (e.g.
CVE-2015-00001) and so on and enabling an organization to link that information with whatever asset-management system and data it has access to.
From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Jerome Athias
Sent: Friday, November 27, 2015 9:20 AM
To: Struse, Richard
Cc: Aharon Chernin; Patrick Maroney; Jason Keirstead; cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Asset: the missing piece in your puzzle
How will you bridge information related to threats/incidents/vulnerabilities/compliance/configuration... together?
(1M$ Question: what is affected by all of this?)
2015-11-27 17:14 GMT+03:00 Struse, Richard <Richard.Struse@hq.dhs.gov>:
I agree completely. Just because something (like asset information) is important and could be helpful in understanding the potential impact of a
threat doesn’t mean that STIX or any component of CTI needs to define that information model. We need to keep a laser-like focus on Cyber Threat and build bridges to other communities that are looking at asset, configuration or vulnerability information.
I am 100% behind giving us the ability to communicate asset information. Just not sure it should be in STIX, or OASIS CTI for that matter. If we can do this
at a higher level than CTI, then we can use the same asset standard for vulnerability, compliance, and threats. We could even use it outside of the information security space.
I say we continue using exploit target until we can figure out how to get STIX out of the asset business.
ExploitTarget only represents where the "pointy end" of the stick is pointed (attack surface/vulnerability), not the organization
or assets behind same. Some of us share the view that there needs to be a top level object that represents the Victim(s) and their Assets.
_____________________________
From: Jason Keirstead <jason.keirstead@ca.ibm.com>
Sent: Friday, November 27, 2015 8:08 AM
Subject: Re: [cti-stix] Asset: the missing piece in your puzzle
To: Jerome Athias <athiasjerome@gmail.com>
Cc: <cti-stix@lists.oasis-open.org>
Wouldn't an asset just be linked using the already existing facility of @idref on ExploitTarget?
Not sure something new needs to be created...
-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
From: Jerome Athias <athiasjerome@gmail.com>
To: cti-stix@lists.oasis-open.org
Date: 11/27/2015 01:49 AM
Subject: [cti-stix] Asset: the missing piece in your puzzle
Sent by: <cti-stix@lists.oasis-open.org>
From https://www.sans.org/critical-security-controls
to ISO 27001, through the NIST CSF (#1 Identify), NIST Risk Management
Framework, SP 800-53... ...
If you don't properly manage your Assets in cybersecurity: you will FAIL.
Information obtained from the data that you will manipulate and
exchange needs to be linked to your Assets and the Assets of others
(Supply Chain or Adversaries).
So -again-, I invite you to look at
http://scap.nist.gov/specifications/ai/
NB: While not perfect, and I can comment further with pleasure on
where/why, the Asset concept/construct or relationships (i.e. through
GUIDs) is, imho, NEEDED.
PS: I will try to put effort into documenting where the current model(s)
are currently weak regarding this domain.
Best regards