OASIS Mailing List Archives

 


cti-stix message


Subject: Re: [cti-stix] Re: STIX 2.1: Adding IEP Framework to STIX 2.1


I have no objections, assuming there are multiple organizations/groups/TC members who expect they would use such a feature in STIX.

 

I’ll admit that I haven’t looked closely at the proposal, but I want to make sure we clear the bar of “a non-negligible fraction of people using STIX would use IEP markings” before considering making it a part of STIX (vs. a “recommended extension”).

 

Based on what I’ve seen, IEP looks extremely promising if it gains widespread adoption. From a serialization/deserialization standpoint, supporting IEP should be simple; my only concern would be the impact on products that actually need to act on these policies.

 

Based on a quick skim, the proposal looks well-written and reasonable. Thanks, Terry!

 

Greg

 

From: <cti-stix@lists.oasis-open.org> on behalf of Terry MacDonald <terry.macdonald@cosive.com>
Date: Monday, May 1, 2017 at 8:00 PM
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, "iep-sig@first.org" <iep-sig@first.org>
Subject: [cti-stix] Re: STIX 2.1: Adding IEP Framework to STIX 2.1

 

Hi All,

 

Just checking with everyone to see their thoughts on the suggestion to add IEP v2 to STIX 2.1. Does anyone at all have any objections to this being an additional method for producers to describe in greater detail what consumers can do with the data? People could still use TLP if they wished (although IEP includes TLP and a lot more besides).


Cheers

 

Terry MacDonald | Chief Product Officer


On Sun, Apr 30, 2017 at 9:22 AM, Terry MacDonald <terry.macdonald@cosive.com> wrote:

Hi All,

 

I've got an update on the FIRST Information Exchange Policy (IEP) Framework work currently being done within the FIRST IEP-SIG. 

 

For those of you who have never heard of IEP, it is a JSON-based way for threat intel producers to inform recipients of how they are allowed to use the threat intel data they receive. It extends the Traffic Light Protocol (TLP) to fill a lot of the gaps, removing ambiguity when sharing information.

 

IEP version 2.0 differs from IEP version 1.0 in that it now allows threat intel to reference remote IEP policies. This allows communities to create a network-accessible IEPJ file, and all threat intel to just reference that URL. We plan on drafting some standard IEP policies to help kick start the process off.

 

You can view more about the draft IEP Framework documents in the attached documentation:

  • FIRST_IEP_Framework_2_20170418.pdf describes the IEP Framework at a high level
  • FIRST_IEP_2_JSON_20170104.pdf describes the JSON implementation of the IEP Framework.

We know that IEP would provide a lot of value to STIX 2.1, as it would clear up a lot of the confusion that recipients have regarding how they can use the data they receive. For this reason, we have created a draft STIX Data Marking object specifically for IEP, and we submit this to the community for inclusion in STIX 2.1. STIX2.1Proposal-InformationExchangePolicyMarkingObjectType.pdf describes our proposal in greater depth.

 

Cheers

 

Terry MacDonald | Chief Product Officer