Subject: Re: [cti-stix] Re: [cti-users] Re: [cti-stix] STIX 2.1 Proposal - STIX Question and STIX Answer
From: "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>
To: Terry MacDonald <terry.macdonald@gmail.com>
Date: Tue, 10 Jan 2017 09:51:54 -0400
I may not care to see all of these questions and responses though.

There are public threat intel portals today with hundreds of thousands of consumers, sure to be millions in the future. We have to be able to support this kind of scale.

I am not sure it is reasonable to expect every single entity polling a feed to be forced to see every RFI by everyone else, if they are not interested. I think this should use its own TAXII mechanism, not the existing channel, for this reason.
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
From: Terry MacDonald <terry.macdonald@gmail.com>
To: Jason Keirstead/CanEast/IBM@IBMCA
Cc: cti-stix@lists.oasis-open.org, cti-users@lists.oasis-open.org, Terry MacDonald <terry.macdonald@cosive.com>, Paul Patrick <Paul.Patrick@fireeye.com>
Date: 01/09/2017 04:03 PM
Subject: [cti-stix] Re: [cti-users] Re: [cti-stix] STIX 2.1 Proposal - STIX Question and STIX Answer
Sent by: <cti-stix@lists.oasis-open.org>
Hi Jason,

I think in the scheme of things, the scale of STIX questions and answers will be orders of magnitude lower than the actual threat intel being sent around.

The design of the question and answer was specifically to enable recipients to 'listen in' to the answers, so as to provide them extra intel that they may not have. Being able to see what responses other organisations give will in turn allow them to chip in with extra bits that they have found themselves. This is exactly how the current threat intel sharing groups operate now - shared encrypted mailing lists that all recipients see.

Rather than providing new point-to-point question and answer functionality, we already have the ability to create a different community group for the discussions to use. Many communities have separate mailing lists for different topics, and we have the ability to do the same with TAXII community channels.

As you know, an organisation can belong to many different TAXII communities at the same time, and all TAXII 2 implementations *should* be able to handle that. This in turn would make it possible for a community to add a specific question and answer community channel to their community, and allow for delineation between those who want to see the STIX questions and STIX answers and those who don't.

That said, I firmly believe that the most power is in the widest number of people seeing the question, and being able to provide a STIX answer. There have been times when someone providing a seemingly useless bit of threat intel has unlocked an investigation, and has ultimately brought miscreants to justice. STIX question/answer will hopefully extract partial bits of threat intel out of organisations that they may not otherwise publish as a full assertion, and that can only be a positive thing in my book.

Cheers

Terry MacDonald
Cosive
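The two positions above (a dedicated opt-in channel versus every client seeing every RFI on the shared feed) can be compared with a small routing model. This is an added illustration, not code from the thread or from any TAXII implementation; the community names, client counts and channel names are constructed, and "channel" here is just a (community, name) key rather than a real TAXII 2 collection.

```python
from collections import defaultdict


class ChannelRouter:
    """Maps (community, channel) -> set of subscribed client ids.
    Constructed stand-in for TAXII community channels."""

    def __init__(self):
        self.subs = defaultdict(set)

    def subscribe(self, client, community, channel):
        self.subs[(community, channel)].add(client)

    def deliver(self, community, channel, sender):
        """Recipients of one message: every subscriber except its sender."""
        return self.subs[(community, channel)] - {sender}


def fanout(router, community, channel, asker, responders):
    """Deliveries for one question plus one answer per responder, all
    published on the same channel. Returns (question_recipients, total)."""
    q = len(router.deliver(community, channel, asker))
    a = sum(len(router.deliver(community, channel, r)) for r in responders)
    return q, q + a


def build_demo(members=1000, rfi_members=25):
    """Constructed community 'isac-a': 'intel' carries the normal feed to
    everyone, 'rfi' is an opt-in question/answer channel for a subset.
    client-0 also belongs to a second community, 'isac-b'."""
    r = ChannelRouter()
    for c in range(members):
        r.subscribe(f"client-{c}", "isac-a", "intel")
    for c in range(rfi_members):
        r.subscribe(f"client-{c}", "isac-a", "rfi")
    r.subscribe("client-0", "isac-b", "intel")
    return r


def compare(members=1000, rfi_members=25, answers=20):
    """Same question and answers routed on the shared feed vs the RFI channel."""
    r = build_demo(members, rfi_members)
    asker = "client-0"
    responders = [f"client-{i}" for i in range(1, answers + 1)]
    return {
        "shared": fanout(r, "isac-a", "intel", asker, responders),
        "dedicated": fanout(r, "isac-a", "rfi", asker, responders),
    }


if __name__ == "__main__":
    print(compare())
```

With the constructed numbers, 20 answers on the shared feed cost about 21,000 deliveries, while the same exchange on the opt-in channel costs about 500, and members of other communities never see it; the trade-off Terry names is that the 975 non-subscribers also lose the chance to "listen in".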
On 10 Jan. 2017 07:39, "Jason Keirstead" <Jason.Keirstead@ca.ibm.com> wrote:

I am "intrigued in a good way" as well - but there is a lot of stuff to figure out here.

One thing I think is missing is ability to subscribe or un-subscribe from these queries. A TAXII server may host 1M clients. So client X issues an RFI request and 100K other clients see it - many of whom do not want to respond to RFI requests. But of those, 20 do - and those 20 responses again go to 1M clients, instead of just the one who asked the question.
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
From: Terry MacDonald <terry.macdonald@cosive.com>
To: Paul Patrick <Paul.Patrick@fireeye.com>
Cc: cti-users@lists.oasis-open.org, cti-stix@lists.oasis-open.org
Date: 12/30/2016 12:20 AM
Subject: [cti-users] Re: [cti-stix] STIX 2.1 Proposal - STIX Question and STIX Answer
Sent by: <cti-users@lists.oasis-open.org>
Intrigued in a good way? :)
On 30 Dec. 2016 2:53 am, "Paul Patrick" <Paul.Patrick@fireeye.com> wrote:

Terry,

I'm intrigued as it seems we're back to looking at how to provide query capabilities in STIX/TAXII instead of just "what someone has shared". This is something a lot of our customers are demanding and having to fill with our own solutions.

Paul Patrick
From: <cti-stix@lists.oasis-open.org> on behalf of Terry MacDonald <terry.macdonald@cosive.com>
Date: Thursday, December 22, 2016 at 9:01 PM
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>
Subject: [cti-stix] STIX 2.1 Proposal - STIX Question and STIX Answer
Hi All,

In my discussion with colleagues, community groups and customers, one of the questions I keep getting asked about STIX is "Can I ask the community I'm in if anyone has information about a particular IP address?". At present my answer is …."Well, actually no. Not at present. You can only see what others have sent out."

This proposal outlines a way that we could implement this functionality, allowing STIX/TAXII to support requests for information, and responses to those requests.

Note: This initial proposal is for community-wide requests and community-wide responses. Future enhancements in later versions of STIX could allow for responses back to a single user if there was enough demand for this functionality.

Cheers

Terry MacDonald | Chief Product Officer
M: +64 211 918 814
E: terry.macdonald@cosive.com
W: www.cosive.com

This email and any attachments thereto may contain private, confidential, and/or privileged material for the sole use of the intended recipient. Any review, copying, or distribution of this email (or any attachments thereto) by others is strictly prohibited. If you are not the intended recipient, please contact the sender immediately and permanently delete the original and any copies of this email and any attachments thereto.