OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

cti-stix message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [cti-stix] Applying data markings

Hi Jason,

 

Aligning with Pat’s reference to the TAXII spec and the fact the STIX documents are being shared via other mechanisms than TAXII brings more importance for these cases to the addressed in the spec. (the over engineered statement)

 

Leaning towards the “holes”, you mentioned, we might be creating, I look at this as good things(extensibility) in the spec. CTI will not be able to provide the processing rules for all possible markings placed on a document; However, given the spec, CTI can lay out the expected format(producer) and interpretation of that format(consumer) without going into the further processing (legal/business agreements) around those markings.

 

-Marlon

 

From: Jason Keirstead [mailto:Jason.Keirstead@ca.ibm.com]
Sent: Friday, December 11, 2015 1:59 PM
To: Patrick Maroney
Cc: Aharon Chernin; cti-stix@lists.oasis-open.org; Wunder, John A.; Taylor, Marlon; Barnum, Sean D.
Subject: Re: [cti-stix] Applying data markings

 

Coming up with a specification for markings without any idea how said markings should be consumed or interpreted by the recipient, does not make sense to me. This has always been my gripe with TLP and STIX markings in general.

How will we know if we "get it right" with markings, if we are not starting from a baseline understanding of how a marking should be processed end to end? Without that baseline level of understanding there is not much purpose to the definition of markings... we could be making a standard that has enormous holes in it, or we could be making one that is significantly over-engineered (I doubt it is the latter but could easily be the former)

-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown


Inactive hide details for Patrick Maroney ---12/11/2015 02:46:57 PM---Jason, I see many discussions that seem to conflate and cPatrick Maroney ---12/11/2015 02:46:57 PM---Jason, I see many discussions that seem to conflate and confuse a number of topics like "Data Markin

From: Patrick Maroney <Pmaroney@Specere.org>
To: Jason Keirstead/CanEast/IBM@IBMCA, "Wunder, John A." <jwunder@mitre.org>
Cc: Aharon Chernin <achernin@soltra.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, "'Taylor, Marlon'" <Marlon.Taylor@hq.dhs.gov>, "Barnum, Sean D." <sbarnum@mitre.org>
Date: 12/11/2015 02:46 PM
Subject: Re: [cti-stix] Applying data markings




Jason,

I see many discussions that seem to conflate and confuse a number of topics like "Data Markings" as well. A core tenet of the TAXII Standard has always been the following:

5.2.1 TAXII is Content Agnostic

The TAXII specifications do not provide details about the underlying content formats of records within TAXII. All content formats are a "black-box" as far as TAXII is concerned - none of the behaviors required to process TAXII at the message level require inspection of any information stored within message content. While TAXII Back-ends can have very different processing paths and requirements for different types of information, TAXII Services, Messages, and Exchanges are agnostic as to the information they convey. This allows TAXII to be usable for a wide array of sharing scenarios.



Discussions around "Back-Ends" and STIX "Repositories" are very much implementation specific details from my perspective.

Patrick Maroney
Office: (856)983-0001
Cell: (609)841-5104



President
Integrated Networking Technologies, Inc.
PO Box 569
Marlton, NJ 08053

From: <cti-stix@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Friday, December 11, 2015 at 1:24 PM
To: John Wunder <jwunder@mitre.org>
Cc: "Chernin, Aharon" <achernin@soltra.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, Jason Keirstead <Jason.Keirstead@ca.ibm.com>, Marlon Taylor <Marlon.Taylor@hq.dhs.gov>, Sean Barnum <sbarnum@mitre.org>
Subject: RE: [cti-stix] Applying data markings

There is something I still to this day don't grock about partial makings, especially the ill-defined "TLP". I feel like not enough thought is placed into how the consumer, specifically a TAXII server, is supposed to implement support for the markings.

If I have a STIX document and it is marked in such a way that I can see 1/2 of that document but not the other, when that document is published to a TAXII channel that I am privy to, what do I receive as a consumer? Do I receive a partial document? Do I not receive the document at all?

If it is the former, then what is the point of having Level 2 markings, and furthermore, how can we ensure the document is not incomplete (for example what if an Indicator I have access to has an observable reference that I do not)?

If it is the latter, how can that be done by the TAXII server without changing the digital signature of the document?

-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown

 

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]