
cti-stix message



Subject: Re: [cti-stix] Labels property


Yes sir
The cybersecurity industry suffers from immaturity in the sense that the path integrate/standardize/automate is needed.
APIs in products are good to have and help for integration. But if not standardized at the inter exchange level, like what we do here for the data interchange format: no or difficult automation.
Benefits of the efforts of standardization at the categorization/classification level are clear for the community (note that my objective is serving the community, not the industry). Example of such would be CVE, CWE, CAPEC.
It allows (at least in theory, meaning when properly understood and implemented (i.e. to make it work, and not just to add another "compatible with" logo for marketing)) automation via more interoperability between tools.

I'm ok with a Label, basically a tagging (attach any word(s) you want to a thing) mechanism.
But, the benefits of common predefined controlled vocabularies for the end users (and sorry if you don't like some enumerations, if it doesn't match vendor A's one, or if 'difficult' (wow some costs) to implement) are high.
(If one would argue against it, I'm happy to develop, or prove to me I'm wrong)

So, I put that as a warning: "everything open"/"do what you want" approach for "flexibility" (or other reason$) will not, imho, help for optimization of the standardization effort 'we' have been working on here for 3+ years, and so, imho, would not be optimized for the end users.

Mappings are killing automation and have been pita for IT security (for those who actually do the job).

Take it as a warning against laziness


On Wednesday, 3 August 2016, Allan Thomson <athomson@lookingglasscyber.com> wrote:
What does?

That a field is optional?

Allan




On Tue, Aug 2, 2016 at 2:50 PM -0700, "Jerome Athias" <athiasjerome@gmail.com> wrote:

This would, imho, go against interoperability and especially against automation.


On Tuesday, 2 August 2016, Wunder, John A. <jwunder@mitre.org> wrote:

Hey everyone,

One topic that has come up recently is what to do about the labels property. Labels is similar to Gmail labels or tags… it's a list of strings used to categorize an object. Some STIX Objects have a suggested vocabulary defined for the labels field, other objects don't.

Right now, when the labels property DOES have a suggested vocabulary for that STIX Object, the field is required. This means that labels are required on indicator, incident, malware, course of action, report, threat actor, and tool. Since lists require a minimum of one item, that means each of those objects must have at least one label at all times.

On the other hand, if there's no suggested vocabulary for a STIX Object, the field is optional. So labels are optional for attack pattern, campaign, intrusion set, observed data, source, victim target, vulnerability, relationship, and sighting.

Allan (and IIRC others, though to be honest it's hard to follow these conversations sometimes) have suggested making the labels property optional across all STIX Objects. This would be more consistent, but it would mean that on objects where you could previously rely on a label (e.g. indicator) you cannot. It also means there's more optionality.

That might be fine, but I thought it was worth bringing up. In particular, some fields (e.g. Indicator Type, Malware Type) used to be their own field but are now rolled into labels. Given this change, that data now becomes optional.

What do you think? Any objections to making the labels property optional across the board? Anybody want to second it? Any other options?

Thanks,

John
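The labels rule John describes, and the effect of the proposed change on a consumer, as an added example (this is not OASIS code, not from any STIX library, and not part of the thread). It encodes exactly the rule in his message: labels is a list of strings; when an object type has a suggested vocabulary the property is required and so must hold at least one entry; otherwise it is optional. A second mode models the proposal under discussion, labels optional everywhere, so the two checks can be compared on the same input. Assumptions: object type names follow the STIX 2 lowercase-hyphen convention (e.g. "threat-actor"), the suggested vocabulary entries are placeholders (the real lists live in the spec), and the sample objects are constructed for this example.

```python
"""Checker for the STIX 2 'labels' rule as described in the thread.

Added example, not OASIS or STIX-library code. Object type names and the
suggested vocabulary entries below are assumptions/placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass

# Object types John lists as carrying a suggested labels vocabulary
# (labels required under the current rule).
LABELS_REQUIRED = {
    "indicator", "incident", "malware", "course-of-action",
    "report", "threat-actor", "tool",
}
# Object types John lists with no suggested vocabulary (labels optional).
LABELS_OPTIONAL = {
    "attack-pattern", "campaign", "intrusion-set", "observed-data",
    "source", "victim-target", "vulnerability", "relationship", "sighting",
}

# Constructed placeholder vocabularies; the real values are in the spec.
SUGGESTED_VOCAB = {
    "indicator": {"malicious-activity", "anomalous-activity"},
    "malware": {"ransomware", "trojan"},
}


@dataclass
class Finding:
    obj_id: str
    level: str      # "error" blocks ingestion; "warning" is advisory
    message: str


def check_labels(obj: dict, labels_optional_everywhere: bool = False) -> list[Finding]:
    """Validate the labels property of one STIX object (a plain dict).

    labels_optional_everywhere=True models the proposal in the thread:
    labels becomes optional on every object type.
    """
    findings: list[Finding] = []
    obj_id = obj.get("id", "<no id>")
    obj_type = obj.get("type")
    if obj_type not in LABELS_REQUIRED | LABELS_OPTIONAL:
        return [Finding(obj_id, "error", f"unknown object type {obj_type!r}")]

    required = obj_type in LABELS_REQUIRED and not labels_optional_everywhere
    labels = obj.get("labels")

    if labels is None:
        if required:
            findings.append(Finding(obj_id, "error", "labels is required for this type"))
        return findings

    # When present, labels must be a non-empty list of strings
    # (a list property needs at least one item).
    if not isinstance(labels, list) or not all(isinstance(v, str) for v in labels):
        return [Finding(obj_id, "error", "labels must be a list of strings")]
    if not labels:
        return [Finding(obj_id, "error", "labels must not be empty")]

    # Open vocabulary: unlisted values are allowed, but a consumer that routes
    # on the suggested values will not recognise them, so flag them.
    vocab = SUGGESTED_VOCAB.get(obj_type)
    if vocab:
        for v in labels:
            if v not in vocab:
                findings.append(Finding(obj_id, "warning",
                                        f"label {v!r} not in suggested vocabulary"))
    return findings


def check_bundle(objects: list[dict], labels_optional_everywhere: bool = False) -> dict[str, int]:
    """Count errors and warnings across a list of objects."""
    counts = {"error": 0, "warning": 0}
    for obj in objects:
        for f in check_labels(obj, labels_optional_everywhere):
            counts[f.level] += 1
    return counts


# Constructed sample objects; ids are placeholders, not real STIX content.
SAMPLE_OBJECTS = [
    {"type": "indicator", "id": "indicator--example-1", "labels": ["malicious-activity"]},
    {"type": "indicator", "id": "indicator--example-2"},                            # labels missing
    {"type": "malware", "id": "malware--example-3", "labels": ["vendor-x-family"]},  # off-vocabulary
    {"type": "campaign", "id": "campaign--example-4"},                              # optional type, fine
    {"type": "tool", "id": "tool--example-5", "labels": []},                        # empty list
]

if __name__ == "__main__":
    print("current rule:              ", check_bundle(SAMPLE_OBJECTS))
    print("labels optional everywhere:", check_bundle(SAMPLE_OBJECTS, True))
```

Under the current rule the sample set yields two errors (the indicator with no labels and the tool with an empty list) and one warning (the off-vocabulary malware label). With labels optional everywhere the missing-labels indicator passes silently, which is the point Jerome raises: a consumer that previously relied on an indicator carrying at least one label can no longer do so, and the validator cannot tell "deliberately unlabeled" from "producer forgot". The empty-list error remains in both modes, since an empty list is still invalid when the property is present.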


