cti-stix message

Subject: Re: Asset: the missing piece in your puzzle

Up to you then.

An interesting one on Ontology 

On Friday, 27 November 2015, Jordan, Bret <bret.jordan@bluecoat.com> wrote:
+1 Rich...  We have a hard enough time coming to consensus on seemingly easy things.  Let's first build a bridge that solves the issues we know with the current idioms and then let's gain massive adoption.  Once we have those two things, we can look at other things.

Let's not put the freeways before the horse and buggy, or even let's not put the cart before the horse.  Or more in line of where we really are at, let's first figure out how to ride and tame a horse.  



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On Nov 27, 2015, at 07:14, Struse, Richard <Richard.Struse@HQ.DHS.GOV> wrote:

I agree completely.  Just because something (like asset information) is important and could be helpful in understanding the potential impact of a threat doesn’t mean that STIX or any component of CTI needs to define that information model.   We need to keep a laser-like focus on Cyber Threat and build bridges to other communities that are looking at asset, configuration or vulnerability information.

From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Aharon Chernin
Sent: Friday, November 27, 2015 8:31 AM
To: Patrick Maroney; Jason Keirstead; Jerome Athias
Cc: cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Asset: the missing piece in your puzzle

I am 100% behind giving us the ability to communicate asset information. Just not sure it should be in STIX, or OASIS CTI for that matter. If we can do this at a higher level than CTI, then we can use the same asset standard for vulnerability, compliance, and threats. We could even use it outside of the information security space. 

I say we continue using exploit target until we can figure out how to get STIX out of the asset business. 

From: <cti-stix@lists.oasis-open.org> on behalf of Patrick Maroney <Pmaroney@Specere.org>
Date: Friday, November 27, 2015 at 7:18 AM
To: Jason Keirstead <jason.keirstead@ca.ibm.com>, Jerome Athias <athiasjerome@gmail.com>
Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Asset: the missing piece in your puzzle

ExploitTarget only represents where the "pointy end" of the stick is pointed (attack surface/vulnerability), not the organization or assets behind same.  Some of us share the view that there needs to be a top level object that represents the Victim(s) and their Assets.

Patrick Maroney
Integrated Networking Technologies, Inc.
Desk: (856)983-0001
Cell: (609)841-5104
Email: pmaroney@specere.org

From: Jason Keirstead <jason.keirstead@ca.ibm.com>
Sent: Friday, November 27, 2015 8:08 AM
Subject: Re: [cti-stix] Asset: the missing piece in your puzzle
To: Jerome Athias <athiasjerome@gmail.com>
Cc: <cti-stix@lists.oasis-open.org>

Wouldn't an asset just be linked using the already existing facility of @idref on ExploitTarget? 

Not sure something new needs to be created...

Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown 

From: Jerome Athias <athiasjerome@gmail.com>
To: cti-stix@lists.oasis-open.org
Date: 11/27/2015 01:49 AM
Subject: [cti-stix] Asset: the missing piece in your puzzle
Sent by: <cti-stix@lists.oasis-open.org>

From https://www.sans.org/critical-security-controls
to ISO 27001, through the NIST CSF (#1 Identify), NIST Risk Management 
Framework, SP 800-53... ... 
If you don't properly manage your Assets in cybersecurity: you will FAIL. 

Information obtained from the data that you will manipulate and 
exchange needs to be linked to your Assets, the Assets of others 
(Supply Chain or Adversaries). 

So -again-, I invite you to look at http://scap.nist.gov/specifications/ai/ 

NB: While not perfect, and I can comment further with pleasure on 
where/why, the Asset concept/construct or relationships (i.e. through 
GUIDs) is, imho, NEEDED. 

PS: I will try to put effort on documenting where the current model(s) 
are currently weak regarding this domain 

Best regards 
