Subject: Re: [cti-stix] Re: [cti-users] Re: [cti-stix] STIX 2.1 Proposal - STIX Question and STIX Answer


Terry, I think you bring up a good point here. There is a difference between a community pulling a feed from a vendor, and truly community-to-community discussions that do not have any vendor in the mix. All in all, I still think this should be done via TAXII.


Bret


From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Terry MacDonald <terry.macdonald@gmail.com>
Sent: Tuesday, January 10, 2017 12:41:20 PM
To: Jason Keirstead
Cc: cti-stix@lists.oasis-open.org; Terry MacDonald; cti-users@lists.oasis-open.org; Paul Patrick
Subject: Re: [cti-stix] Re: [cti-users] Re: [cti-stix] STIX 2.1 Proposal - STIX Question and STIX Answer

Hi Jason,

I can see your point, but I also believe that most people in a threat intel sharing community will want to receive as much threat intel as they can. The more information they are able to view then the more information they are able to use in their decision making processes.

Yes, there may be some users that may not want to see all the STIX answers and questions, but I also firmly believe that this number is far, far less than the number of people that will find the STIX questions and answers useful. I also believe that the scale of STIX questions and answers will be far, far lower than the number of normal STIX assertions being made, with a ratio something like 1:100 or 1:1000.

Right now people are members of trusted threat intel sharing groups that use mailing lists to share their threat intel. Questions and answers are being shared right now on those lists and 99% of those users don't complain about the questions being asked. In my opinion the 80/20 rule applies here.

I personally think that the value to the 99% of users who want to work together as a community to pool their information and find more miscreants greatly outweighs the few people who would rather not know that information as it's too many messages. 

In the (unlikely) event that it does turn out to be a problem then we can always adjust the object in the future. 

Cheers 
Terry MacDonald 
Cosive


On 11 Jan. 2017 2:52 am, "Jason Keirstead" <Jason.Keirstead@ca.ibm.com> wrote:
I may not care to see all of these questions and responses though.

There are public threat intel portals today with hundreds of thousands of consumers, sure to be millions in the future. We have to be able to support this kind of scale.

I am not sure it is reasonable to expect every single entity polling a feed to be forced to see every RFI by everyone else, if they are not interested. I think this should use its own TAXII mechanism, not the existing channel, for this reason.


-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown




From:        Terry MacDonald <terry.macdonald@gmail.com>
To:        Jason Keirstead/CanEast/IBM@IBMCA
Cc:        cti-stix@lists.oasis-open.org, cti-users@lists.oasis-open.org, Terry MacDonald <terry.macdonald@cosive.com>, Paul Patrick <Paul.Patrick@fireeye.com>
Date:        01/09/2017 04:03 PM
Subject:        [cti-stix] Re: [cti-users] Re: [cti-stix] STIX 2.1 Proposal - STIX Question and STIX Answer
Sent by:        <cti-stix@lists.oasis-open.org>




Hi Jason, 

I think in the scheme of things, the scale of STIX questions and answers will be orders of magnitude lower than the actual threat intel being sent around.

The design of the question and answer was specifically to enable recipients to 'listen in' to the answers, so as to provide them extra intel that they may not have. Being able to see the responses other organisations give will in turn allow them to chip in with extra bits that they have found themselves. This is exactly how the current threat intel sharing groups operate now - shared encrypted mailing lists that all recipients see.

Rather than providing new point-to-point question and answer functionality, we already have the ability to create a different community group for the discussions to use. Many communities have separate mailing lists for different topics, and we have the ability to do the same with TAXII community channels.

As you know an organisation can belong to many different TAXII communities at the same time, and all TAXII 2 implementations *should* be able to handle that. This in turn would make it possible for a community to add a specific question and answer community channel to their community, and allow for delineation between those who want to see the STIX questions and STIX answers and those who don't. 

That said, I firmly believe that the most power is in the widest number of people seeing the question, and being able to provide a STIX answer. There have been times when someone providing a seemingly useless bit of threat intel has unlocked an investigation, and has ultimately brought miscreants to justice. STIX question/answer will hopefully extract partial bits of threat intel out of organisations that they may not otherwise publish as a full assertion, and that can only be a positive thing in my book.

Cheers
Terry MacDonald 
Cosive

On 10 Jan. 2017 07:39, "Jason Keirstead" <Jason.Keirstead@ca.ibm.com> wrote:
I am "intrigued in a good way" as well - but there is a lot of stuff to figure out here.

One thing I think is missing is the ability to subscribe or unsubscribe from these queries. A TAXII server may host 1M clients. So client X issues an RFI request and 100K other clients see it - many of whom do not want to respond to RFI requests. But of those, 20 do - and those 20 responses again go to 1M clients, instead of just the one who asked the question.



-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems

www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown





From: Terry MacDonald <terry.macdonald@cosive.com>
To: Paul Patrick <Paul.Patrick@fireeye.com>
Cc: cti-users@lists.oasis-open.org, cti-stix@lists.oasis-open.org
Date: 12/30/2016 12:20 AM
Subject: [cti-users] Re: [cti-stix] STIX 2.1 Proposal - STIX Question and STIX Answer
Sent by: <cti-users@lists.oasis-open.org>





Intrigued in a good way? :)

On 30 Dec. 2016 2:53 am, "Paul Patrick" <Paul.Patrick@fireeye.com> wrote:
Terry,

I’m intrigued as it seems we’re back to looking at how to provide query capabilities in STIX/TAXII instead of just “what someone has shared”. This is something a lot of our customers are demanding and having to fill with our own solutions.

Paul Patrick

From: <cti-stix@lists.oasis-open.org> on behalf of Terry MacDonald <terry.macdonald@cosive.com>
Date: Thursday, December 22, 2016 at 9:01 PM
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>
Subject: [cti-stix] STIX 2.1 Proposal - STIX Question and STIX Answer

 

Hi All,

In my discussions with colleagues, community groups and customers, one of the questions I keep getting asked about STIX is "Can I ask the community I'm in if anyone has information about a particular IP address?". At present my answer is... "Well, actually no. Not at present. You can only see what others have sent out."

This proposal outlines a way that we could implement this functionality, allowing STIX/TAXII to support requests for information, and responses to those requests.

Note: This initial proposal is for community-wide requests and community-wide responses. Future enhancements in later versions of STIX could allow for responses back to a single user if there was enough demand for this functionality.

Cheers

Terry MacDonald | Chief Product Officer

M: +64 211 918 814
E: terry.macdonald@cosive.com
W: www.cosive.com