
cti-stix message



Subject: Re: [cti-stix] STIX: Messaging Standard vs. Document Standard


I am very aware of both sides and have lots of experiences with both groups.  

The number of people that use STIX and share STIX data today is not representative of the number of people that will use it in the future, if we are successful. In fact, the early adopters that have a high level of maturity will be orders of magnitude smaller in size and volume.

Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On Nov 30, 2015, at 16:08, Patrick Maroney <Pmaroney@Specere.org> wrote:

re: "We make a LOT of assumptions that people and organizations are going to do anything more than just process indicators (meaning block them on their firewall or proxy). Most, honestly, do not care. They may share sighting information back to their own internal tools. But I doubt many will share sightings back to the larger community. The general counsels of most organizations will prohibit that for many years to come."

Although I understand the basis for the assumptions you are making in your assertions, many organizations are currently sharing details on sightings (including attributional data for Targeting Analysis in some "Communities of Trust").  Our primary issues are that a majority of this sharing is still done by manual "Copy & Paste" of unstructured data which wastes Analyst time for Producers and Consumers, and delays the sharing of Actionable Intelligence.

Most assertions made to this community are based on real world issues and challenges we face today in the CTI Operational Domain, not "assumptions that people and organizations are going to do".

Patrick Maroney
Office:  (856)983-0001
Cell:      (609)841-5104

President
Integrated Networking Technologies, Inc.
PO Box 569
Marlton, NJ 08053

From: <cti-stix@lists.oasis-open.org> on behalf of Bret Jordan <bret.jordan@bluecoat.com>
Date: Monday, November 30, 2015 at 5:44 PM
To: Terry MacDonald <terry@soltra.com>
Cc: Jason Keirstead <Jason.Keirstead@ca.ibm.com>, Richard Struse <Richard.Struse@HQ.DHS.GOV>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, John Wunder <jwunder@mitre.org>
Subject: Re: [cti-stix] STIX: Messaging Standard vs. Document Standard

Re: It’s a symbiotic relationship!

It is only a symbiotic relationship if the two organizations are communicating. We make a LOT of assumptions that people and organizations are going to do anything more than just process indicators (meaning block them on their firewall or proxy). Most, honestly, do not care. They may share sighting information back to their own internal tools. But I doubt many will share sightings back to the larger community. The general counsels of most organizations will prohibit that for many years to come.


Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 



Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail


