cti-stix message
Subject: Re: [cti-stix] Applying data markings



I'm providing the following - not because it's necessarily the answer but because it might stimulate other ideas. There is an information sharing effort that uses data markings on STIX today as follows:

At the document level:
  • One marking that indicates the highest/most restrictive marking on the document. This serves to alert the transport handlers (like a TAXII server) as to whether or not special care needs to be taken in terms of to whom the information is delivered. This is the equivalent of a cover page on a classified document, which always contains the highest/most restrictive marking within a document.
  • Another marking that is the default marking for every field in the STIX document.
At the field level:
  • Individual markings can override the entire document default (above) on a field-by-field basis only (XPath).
This works because the majority of STIX fields are (to this group) not restricted at all. There is no hierarchy (object markings) needed. Few fields require restrictions.

The flexibility of having package markings is useful for this kind of situation. Although I understand that others might prefer object markings.

Pam Smith
JHU/APL
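As an added example (not code from Pam's sharing effort or from any STIX/TAXII implementation), the three-tier scheme above in code: a constructed, simplified package carries a "highest" marking, a default marking and one XPath override, and the functions resolve each field's effective marking, check that the cover marking is not weaker than any field, and show what a consumer cleared only to GREEN would be left with, which is the partial-document case Jason raises further down the thread. The element names, the `scope` attribute and the TLP ordering are assumptions made for the demo.

```python
import xml.etree.ElementTree as ET
# TLP levels from least to most restrictive (assumed ordering for the demo).
TLP_ORDER = {"WHITE": 0, "GREEN": 1, "AMBER": 2, "RED": 3}

# Constructed, simplified stand-in for a STIX package (not real STIX 1.x syntax).
SAMPLE_PACKAGE = """<Package>
  <Markings>
    <Marking scope="highest" tlp="AMBER"/>
    <Marking scope="default" tlp="GREEN"/>
    <Marking xpath=".//Indicator[@id='ind-2']/Description" tlp="RED"/>
  </Markings>
  <Indicator id="ind-1"><Title>Phishing domain</Title><Description>public</Description></Indicator>
  <Indicator id="ind-2"><Title>Beacon host</Title><Description>victim name</Description></Indicator>
</Package>"""

def effective_markings(xml_text):
    """Apply the document default to every field, then the XPath overrides.
    Returns (highest_marking, {(indicator_id, field_tag): tlp})."""
    root = ET.fromstring(xml_text)
    highest = default = None
    overrides = []
    for m in root.find("Markings"):
        if m.get("scope") == "highest":
            highest = m.get("tlp")
        elif m.get("scope") == "default":
            default = m.get("tlp")
        else:
            overrides.append((m.get("xpath"), m.get("tlp")))
    per_elem = {}  # element identity -> [indicator id, field tag, tlp]
    for ind in root.findall("Indicator"):
        for field in ind:
            per_elem[id(field)] = [ind.get("id"), field.tag, default]
    for xpath, tlp in overrides:
        for elem in root.findall(xpath):  # ElementTree supports this XPath subset
            if id(elem) in per_elem:
                per_elem[id(elem)][2] = tlp  # field override beats the document default
    return highest, {(i, t): tlp for i, t, tlp in per_elem.values()}

def cover_marking_is_consistent(xml_text):
    """The 'highest' marking is what a transport (e.g. a TAXII server) routes on,
    so it must be at least as restrictive as every field marking."""
    highest, fields = effective_markings(xml_text)
    worst = max(fields.values(), key=TLP_ORDER.__getitem__)
    return TLP_ORDER[highest] >= TLP_ORDER[worst], worst

def fields_visible_to(xml_text, clearance):
    """Fields a consumer cleared to `clearance` keeps if more restrictive ones are stripped."""
    _, fields = effective_markings(xml_text)
    return sorted(k for k, t in fields.items() if TLP_ORDER[t] <= TLP_ORDER[clearance])
```

In the sample the cover marking (AMBER) is weaker than the RED field override, so the consistency check fails until the highest marking is raised to RED.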




From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Jordan, Bret <bret.jordan@bluecoat.com>
Sent: Friday, December 11, 2015 3:25 PM
To: Jason Keirstead
Cc: Patrick Maroney; Aharon Chernin; cti-stix@lists.oasis-open.org; Wunder, John A.; Taylor, Marlon; Barnum, Sean D.
Subject: Re: [cti-stix] Applying data markings
 
Jason, I see us transitioning and "growing up" with STIX and TAXII.  For the past few years most of the "exchanges" were really STIX documents as a whole.  They went from Human to Human via a structured markup.  But there was no real work flow or analysis or automated processing.  A human used a tool to create a STIX document and sent it via the tool to another tool that showed the document to a human.  

As we mature, we (you and I and several others) are looking at this as a whole work-flow and how devices and sensors in the network may contribute to or consume these documents and do something with them in an automated way.  This is the challenge and one of the reasons why we all are looking for change in STIX 2.0...  

Let's figure out how we can make data-markings work, how we can apply them to work-flow and process and do things, as you say, end-to-end.


Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On Dec 11, 2015, at 11:59, Jason Keirstead <Jason.Keirstead@ca.ibm.com> wrote:

Coming up with a specification for markings without any idea how said markings should be consumed or interpreted by the recipient does not make sense to me. This has always been my gripe with TLP and STIX markings in general.

How will we know if we "get it right" with markings, if we are not starting from a baseline understanding of how a marking should be processed end to end? Without that baseline level of understanding there is not much purpose to the definition of markings... we could be making a standard that has enormous holes in it, or we could be making one that is significantly over-engineered (I doubt it is the latter but could easily be the former).

-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown



From: Patrick Maroney <Pmaroney@Specere.org>
To: Jason Keirstead/CanEast/IBM@IBMCA, "Wunder, John A." <jwunder@mitre.org>
Cc: Aharon Chernin <achernin@soltra.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, "'Taylor, Marlon'" <Marlon.Taylor@hq.dhs.gov>, "Barnum, Sean D." <sbarnum@mitre.org>
Date: 12/11/2015 02:46 PM
Subject: Re: [cti-stix] Applying data markings





Jason,

I see many discussions that seem to conflate and confuse a number of topics like "Data Markings" as well. A core tenet of the TAXII Standard has always been the following:
      5.2.1 TAXII is Content Agnostic
        The TAXII specifications do not provide details about the underlying content formats of records within TAXII. All content formats are a "black-box" as far as TAXII is concerned - none of the behaviors required to process TAXII at the message level require inspection of any information stored within message content. While TAXII Back-ends can have very different processing paths and requirements for different types of information, TAXII Services, Messages, and Exchanges are agnostic as to the information they convey. This allows TAXII to be usable for a wide array of sharing scenarios.


Discussions around "Back-Ends" and STIX "Repositories" are very much implementation specific details from my perspective.

Patrick Maroney
Office: (856)983-0001
Cell: (609)841-5104


President
Integrated Networking Technologies, Inc.
PO Box 569
Marlton, NJ 08053

From: <cti-stix@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Friday, December 11, 2015 at 1:24 PM
To: John Wunder <jwunder@mitre.org>
Cc: "Chernin, Aharon" <achernin@soltra.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, Jason Keirstead <Jason.Keirstead@ca.ibm.com>, Marlon Taylor <Marlon.Taylor@hq.dhs.gov>, Sean Barnum <sbarnum@mitre.org>
Subject: RE: [cti-stix] Applying data markings

There is something I still to this day don't grok about partial markings, especially the ill-defined "TLP". I feel like not enough thought is placed into how the consumer, specifically a TAXII server, is supposed to implement support for the markings.

If I have a STIX document and it is marked in such a way that I can see 1/2 of that document but not the other, when that document is published to a TAXII channel that I am privy to, what do I receive as a consumer? Do I receive a partial document? Do I not receive the document at all?

If it is the former, then what is the point of having Level 2 markings, and furthermore, how can we ensure the document is not incomplete (for example what if an Indicator I have access to has an observable reference that I do not)?

If it is the latter, how can that be done by the TAXII server without changing the digital signature of the document?

-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown
