Re: [cti-stix] Re: [cti-cybox] Re: [cti-stix] Re: [cti-cybox] Re: [cti-stix] Re: [cti-cybox] Re: [cti-stix] Re: [cti-cybox] Re: [EXT] [cti-cybox] Agenda for August 8 Working Call

["Jason Keirstead" <Jason.Keirstead@ca.ibm.com>]

Agree Dave; this is the point I was making.
Whenever dealing with markings, the sender and reciever have to have some
level of trust and understanding of what the reciever is actually going
to do with the marking. This isn't something we can solve in STIX, unless
IEP becomes much more complicated than it currently is.

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security

Without data, all you are is just another person with an opinion - Unknown




From:      
 Dave Cridland <dave.cridland@surevine.com>
To:      
 Mark Davidson <Mark.Davidson@nc4.com>
Cc:      
 Jason Keirstead <Jason.Keirstead@ca.ibm.com>,
John-Mark Gurney <jmg@newcontext.com>, Allan Thomson <athomson@lookingglasscyber.com>,
Bret Jordan <Bret_Jordan@symantec.com>, "cti-cybox@lists.oasis-open.org"
<cti-cybox@lists.oasis-open.org>, "cti-stix@lists.oasis-open.org"
<cti-stix@lists.oasis-open.org>, "Back, Greg" <gback@mitre.org>,
Terry MacDonald <terry.macdonald@cosive.com>
Date:      
 08/18/2017 12:19 PM
Subject:    
   Re: [cti-stix]
Re: [cti-cybox] Re: [cti-stix] Re: [cti-cybox] Re: [cti-stix] Re: [cti-cybox]
Re: [cti-stix] Re: [cti-cybox] Re: [EXT] [cti-cybox] Agenda for August
8 Working Call
Sent by:    
   <cti-stix@lists.oasis-open.org>

---

On 18 August 2017 at 13:52, Mark Davidson <Mark.Davidson@nc4.com>
wrote:
Responding to Dave’s point:

> But even just a simple binary switch on *sending* IEP-marked data seems more sensible than relying on the receiver to filter out thing they shouldn't have received in the first place.

 

This is feasible from an ACL perspective, but not from a software capability perspective. As a sender of information, I know which user accounts have which permissions, and can control access accordingly. I have no way of knowing if the receiving software will honor the IEP markings, unless it is mandated in the spec. Maybe we are talking about the same thing. I agree with only sending marked data to those who have permission to get it. However, how will I know if the person/org with permission has _software_ that’s capable of processing what I’m sending? I know of two ways – content negotiation and rules in the spec.

Well, certainly signalling that the software is capable of understanding IEP at all is useful; however it's merely changing the clearance of the receiver.

For IEP, you obviously don't want to transmit the data unencrypted if the IEP indicates it must be encrypted, but a receiver might understand IEP but be incapable of storing the data encrypted at rest - you're then reliant on the receiver being honest when it receives data which stipulates that. Again, this becomes a trust (and therefore clearance) issue - do you trust the receiver to honour that bit in the IEP? Should you really be sending data to the receiver if it cannot store it properly in the first place?

Dave.
--

Dave Cridland

phone  +448454681066
email  dave.cridland@surevine.com
skype  dave.cridland.surevine

Participate | Collaborate | Innovate

Surevine Limited, registered in England and Wales with number 06726289. Mailing Address : PO Box 1136, Guildford GU1 9ND
If you think you have received this message in error, please notify us.