Subject: RE: [cti-users] Re: [cti-stix] Re: [cti-users] Re: [cti-stix] STIX 2.1 Proposal - STIX Question and STIX Answer
- From: "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>
- To: "Struse, Richard" <Richard.Struse@HQ.DHS.GOV>
- Date: Wed, 11 Jan 2017 10:21:05 -0400
Sorry - to be clear, I am not concerned about information overload by humans. I am more concerned about load on the system, or even perceived load.

If I have a public threat intel repo with 1+ M consumers on a channel, and each consumer asks 1 question a day, then the end subscriber system of the intel feed is receiving 1M feed updates / day (over 10 updates a second on average) - even though there has been no actual new intel, and they were possibly not interested or involved in this exchange.

Can we at least define some separate channels for RFI instead of using the existing ones?
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
From: "Struse, Richard" <Richard.Struse@HQ.DHS.GOV>
To: Terry MacDonald <terry.macdonald@gmail.com>, Jason Keirstead/CanEast/IBM@IBMCA
Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, "Terry MacDonald" <terry.macdonald@cosive.com>, "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>, Paul Patrick <Paul.Patrick@fireeye.com>
Date: 01/10/2017 03:48 PM
Subject: RE: [cti-users] Re: [cti-stix] Re: [cti-users] Re: [cti-stix] STIX 2.1 Proposal - STIX Question and STIX Answer
Sent by: <cti-users@lists.oasis-open.org>
I see this as a problem that tools/platforms solve. Since we are not expecting any humans to look at the JSON stream out of TAXII, what we’ll have are tools that allow the user to configure what they see (at least I hope we do!).

My overriding concern here is that we discourage people from using Q&A as a substitute for sightings – we need to be super clear about that.
From: cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org] On Behalf Of Terry MacDonald
Sent: Tuesday, January 10, 2017 2:41 PM
To: Jason Keirstead
Cc: cti-stix@lists.oasis-open.org; Terry MacDonald; cti-users@lists.oasis-open.org; Paul Patrick
Subject: [cti-users] Re: [cti-stix] Re: [cti-users] Re: [cti-stix] STIX 2.1 Proposal - STIX Question and STIX Answer
Hi Jason,

I can see your point, but I also believe that most people in a threat intel sharing community will want to receive as much threat intel as they can. The more information they are able to view then the more information they are able to use in their decision making processes.

Yes, there may be some users that may not want to see all the STIX answers and questions, but I also firmly believe that this number is far, far less than the number of people that will find the STIX questions and answers useful. I also believe that the scales of STIX question and answers will be far, far lower than the number of normal STIX assertions being made, with a ratio something like 1:100 or 1:1000.

Right now people are members of trusted threat intel sharing groups that use mailing lists to share their threat intel. Questions and answers are being shared right now on those lists and 99% of those users don't complain about the questions being asked. In my opinion the 80/20 rule applies here.

I personally think that the value to the 99% of users who want to work together as a community to pool their information and find more miscreants greatly outweighs the few people who would rather not know that information as it's too many messages.

In the (unlikely) event that it does turn out to be a problem then we can always adjust the object in the future.
Cheers
Terry MacDonald
Cosive
On 11 Jan. 2017 2:52 am, "Jason Keirstead" <Jason.Keirstead@ca.ibm.com> wrote:
I may not care to see all of these questions and responses though.

There are public threat intel portals today with hundreds of thousands of consumers, sure to be millions in the future. We have to be able to support this kind of scale.

I am not sure it is reasonable to expect every single entity polling a feed to be forced to see every RFI by everyone else, if they are not interested. I think this should use its own TAXII mechanism, not the existing channel, for this reason.
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
From: Terry MacDonald <terry.macdonald@gmail.com>
To: Jason Keirstead/CanEast/IBM@IBMCA
Cc: cti-stix@lists.oasis-open.org, cti-users@lists.oasis-open.org, Terry MacDonald <terry.macdonald@cosive.com>, Paul Patrick <Paul.Patrick@fireeye.com>
Date: 01/09/2017 04:03 PM
Subject: [cti-stix] Re: [cti-users] Re: [cti-stix] STIX 2.1 Proposal - STIX Question and STIX Answer
Sent by: <cti-stix@lists.oasis-open.org>
Hi Jason,

I think in the scheme of things, the scale of STIX question and answers will be orders of magnitude lower than the actual threat intel being sent around.

The design of the question and answer was specifically to enable recipients to 'listen in' to the answers, so as to provide them extra intel that they may not have. Being able to see what responses other organisations give will in turn allow them to chip in with extra bits that they have found themselves. This is exactly how the current threat intel sharing groups operate now - shared encrypted mailing lists that all recipients see.

Rather than providing new point to point question and answer functionality, we already have the ability to create a different community group for the discussions to use. Many communities have separate mailing lists for different topics, and we have the ability to do the same with TAXII community channels. As you know an organisation can belong to many different TAXII communities at the same time, and all TAXII 2 implementations *should* be able to handle that. This in turn would make it possible for a community to add a specific question and answer community channel to their community, and allow for delineation between those who want to see the STIX questions and STIX answers and those who don't.

That said, I firmly believe that the most power is in the widest number of people seeing the question, and being able to provide a STIX answer. There have been times when someone providing a seemingly useless bit of threat intel has unlocked an investigation, and has ultimately brought miscreants to justice. STIX question/answer will hopefully extract partial bits of threat intel out of organisations that they may not otherwise publish as a full assertion, and that can only be a positive thing in my book.
Cheers
Terry MacDonald
Cosive
On 10 Jan. 2017 07:39, "Jason Keirstead" <Jason.Keirstead@ca.ibm.com> wrote:
I am "intrigued in a good way" as well - but there is a lot of stuff to figure out here.

One thing I think is missing is the ability to subscribe or un-subscribe from these queries. A TAXII server may host 1M clients. So client X issues an RFI request and 100K other clients see it - many of whom do not want to respond to RFI requests. But of those, 20 do - and those 20 responses again go to 1M clients, instead of just the one who asked the question.
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
From: Terry MacDonald <terry.macdonald@cosive.com>
To: Paul Patrick <Paul.Patrick@fireeye.com>
Cc: cti-users@lists.oasis-open.org, cti-stix@lists.oasis-open.org
Date: 12/30/2016 12:20 AM
Subject: [cti-users] Re: [cti-stix] STIX 2.1 Proposal - STIX Question and STIX Answer
Sent by: <cti-users@lists.oasis-open.org>
Intrigued in a good way? :)
On 30 Dec. 2016 2:53 am, "Paul Patrick" <Paul.Patrick@fireeye.com> wrote:
Terry,

I’m intrigued as it seems we’re back to looking at how to provide query capabilities in STIX/TAXII instead of just “what someone has shared”. This is something a lot of our customers are demanding and having to fill with our own solutions.

Paul Patrick
From: <cti-stix@lists.oasis-open.org> on behalf of Terry MacDonald <terry.macdonald@cosive.com>
Date: Thursday, December 22, 2016 at 9:01 PM
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>
Subject: [cti-stix] STIX 2.1 Proposal - STIX Question and STIX Answer
Hi All,

In my discussion with colleagues, community groups and customers, one of the questions I keep getting asked about STIX is "Can I ask the community I'm in if anyone has information about a particular IP address?". At present my answer is ... "Well, actually no. Not at present. You can only see what others have sent out."

This proposal outlines a way that we could implement this functionality, allowing STIX/TAXII to support requests for information, and responses to those requests.

Note: This initial proposal is for community-wide requests and community-wide responses. Future enhancements in later versions of STIX could allow for responses back to a single user if there was enough demand for this functionality.
Cheers
Terry MacDonald | Chief Product Officer
M: +64 211 918 814
E: terry.macdonald@cosive.com
W: www.cosive.com
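The fan-out Jason Keirstead describes above (1M consumers each asking one question a day; one RFI drawing 20 answers that all reach 1M clients) and the separate Q&A community channel Terry MacDonald suggests, worked through as an added load model that is not part of this thread or of the STIX/TAXII specifications. The Community and Load types and the figure of 100K opted-in participants are this example's own assumptions; the other numbers come from the messages above.

```python
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400


@dataclass(frozen=True)
class Community:
    """Sizes of a sharing community; field names are this example's own."""
    consumers: int            # entities polling the community's intel feed
    qa_participants: int      # assumed subset that opts in to a Q&A channel
    intel_per_day: int        # ordinary STIX objects shared per day
    questions_per_day: int    # RFIs raised per day across the community
    answers_per_question: int


@dataclass(frozen=True)
class Load:
    intel_only_msgs: int    # per day, for a consumer who wants intel only
    participant_msgs: int   # per day, for a consumer who opted in to Q&A
    server_deliveries: int  # per day, summed over every subscriber


def daily_load(c: Community, separate_qa_channel: bool) -> Load:
    """Daily deliveries with Q&A on the shared intel channel versus on a
    separate community channel that only qa_participants subscribe to."""
    qa_msgs = c.questions_per_day * (1 + c.answers_per_question)
    if separate_qa_channel:
        # Only opted-in participants receive questions and answers.
        return Load(c.intel_per_day, c.intel_per_day + qa_msgs,
                    c.intel_per_day * c.consumers + qa_msgs * c.qa_participants)
    # Shared channel: every consumer receives every question and every answer.
    return Load(c.intel_per_day + qa_msgs, c.intel_per_day + qa_msgs,
                (c.intel_per_day + qa_msgs) * c.consumers)


def per_second(msgs_per_day: int) -> float:
    return msgs_per_day / SECONDS_PER_DAY


# Jason's first scenario: 1M consumers, one question each per day, no new intel.
ONE_QUESTION_EACH = Community(1_000_000, 100_000, 0, 1_000_000, 0)
# Jason's second scenario: one RFI, 20 answers, every message seen by 1M clients.
ONE_RFI_TWENTY_ANSWERS = Community(1_000_000, 100_000, 0, 1, 20)

if __name__ == "__main__":
    for name, c in [("1 question each", ONE_QUESTION_EACH),
                    ("1 RFI, 20 answers", ONE_RFI_TWENTY_ANSWERS)]:
        for separate in (False, True):
            load = daily_load(c, separate)
            print(f"{name:18} separate_channel={separate!s:5} {load} "
                  f"({per_second(load.intel_only_msgs):.1f}/s for intel-only)")
```

On the shared channel the first scenario puts just over 11 messages a second in front of a consumer who asked nothing, matching the "over 10 updates a second" figure; on a separate channel that consumer sees none, while the server still fans each answer out to every opted-in participant.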