Subject: Re: [cti-stix] Applying data markings
Coming up with a specification for markings without any idea how said markings should be consumed or interpreted by the recipient does not make sense to me. This has always been my gripe with TLP and STIX markings in general.
How will we know if we "get it right" with markings if we are not starting from a baseline understanding of how a marking should be processed end to end? Without that baseline level of understanding there is not much purpose to the definition of markings... we could be making a standard that has enormous holes in it, or we could be making one that is significantly over-engineered (I doubt it is the latter but could easily be the former).
-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
Patrick Maroney ---12/11/2015 02:46:57 PM---Jason, I see many discussions that seem to conflate and confuse a number of topics like "Data Markin
From: Patrick Maroney <Pmaroney@Specere.org>
To: Jason Keirstead/CanEast/IBM@IBMCA, "Wunder, John A." <jwunder@mitre.org>
Cc: Aharon Chernin <achernin@soltra.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, "'Taylor, Marlon'" <Marlon.Taylor@hq.dhs.gov>, "Barnum, Sean D." <sbarnum@mitre.org>
Date: 12/11/2015 02:46 PM
Subject: Re: [cti-stix] Applying data markings
There is something I still to this day don't grok about partial markings, especially the ill-defined "TLP". I feel like not enough thought is placed into how the consumer, specifically a TAXII server, is supposed to implement support for the markings.
If I have a STIX document and it is marked in such a way that I can see 1/2 of that document but not the other, when that document is published to a TAXII channel that I am privy to, what do I receive as a consumer? Do I receive a partial document? Do I not receive the document at all?
If it is the former, then what is the point of having Level 2 markings, and furthermore, how can we ensure the document is not incomplete (for example, what if an Indicator I have access to has an observable reference that I do not)?
If it is the latter, how can that be done by the TAXII server without changing the digital signature of the document?
-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
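The two delivery outcomes raised in the questions above (a partial document, or no document at all) can be checked mechanically. The following is an added example, not part of the original messages or of any STIX/TAXII implementation; the JSON layout, the `tlp` and `refs` fields, the ordering of TLP levels as clearance ranks, and the SHA-256 digest standing in for the signed content are all assumptions made for illustration.

```python
import hashlib
import json

# Constructed sample: a simplified JSON stand-in for a marked document
# (hypothetical layout, not the STIX schema).
DOC = {"id": "package-1", "objects": [
    {"id": "indicator-1", "tlp": "GREEN", "refs": ["observable-1", "observable-2"]},
    {"id": "observable-1", "tlp": "GREEN", "refs": []},
    {"id": "observable-2", "tlp": "RED", "refs": []},
]}
# Assumption: TLP levels treated as an ordered clearance scale.
TLP_RANK = {"WHITE": 0, "GREEN": 1, "AMBER": 2, "RED": 3}

def digest(doc):
    """SHA-256 over a canonical serialization; stands in for the signed content."""
    data = json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def filter_for(doc, clearance):
    """Partial delivery: drop every object marked above the consumer's clearance."""
    limit = TLP_RANK[clearance]
    kept = [o for o in doc["objects"] if TLP_RANK[o["tlp"]] <= limit]
    return {"id": doc["id"], "objects": kept}

def dangling_refs(doc):
    """References that point at objects missing from the delivered document."""
    present = {o["id"] for o in doc["objects"]}
    return [(o["id"], r) for o in doc["objects"] for r in o["refs"] if r not in present]

def deliver(doc, clearance, signed_digest, partial=True):
    """Return what the consumer receives and which checks still pass."""
    view = filter_for(doc, clearance)
    if len(view["objects"]) == len(doc["objects"]):
        body = doc       # nothing withheld: original document, digest intact
    elif partial:
        body = view      # partial document: content differs from what was signed
    else:
        body = None      # whole document withheld
    return {
        "document": body,
        "signature_valid": body is not None and digest(body) == signed_digest,
        "dangling": dangling_refs(body) if body else [],
    }

if __name__ == "__main__":
    signed = digest(DOC)
    for level in ("GREEN", "RED"):
        print(level, deliver(DOC, level, signed))
```
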