[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [cti-stix] STIX COA Roadmap
|
There are many reasons why having intelligence and COA work together in a coordinated manner makes sense.
Whether that requires 1 spec or 2 specs in my opinion is focusing on the wrong issue right now.
We should be focused on solving the problems that tying intelligence and COA together solves. If we then need 2 specs to better organize and define that work it will be become obvious as part of the process.
I agree with Jyoti that we should spend some time discussing the COA/Intel topic at the F2F. Allan From: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> on behalf of "Jyoti Verma (jyoverma)" <jyoverma@cisco.com> Hi John, I don’t know how to comment on this but from my point of view COA fits well within the STIX ecosystem. It ties the rich threat intelligence to response. If it were to become a separate spec, then soon we would
be talking about a liaison between the two. I agree scope wise it is broad and that’s why we created the roadmap to span across releases. This would be an excellent topic of discussion during the F2F. Thanks, Jyoti Technical Leader, CTO office Security Business Group, Cisco Systems Inc. From: <cti-stix@lists.oasis-open.org> on behalf of "Wunder, John A." <jwunder@mitre.org> I want to state my opinion carefully, because I feel like it would be easy to misinterpret it. First, I think the direction these capabilities are going in makes sense. It provides a logical stepping stone from more basic stuff to more complicated stuff. I also think these capabilities are important
tied to the STIX ecosystem. Where I have concerns is that there is a lot of functionality described here. I can see it growing to be even longer than the Patterning document. It also is different in tone than the rest of STIX, which
mostly describes a data model vs. functional capabilities (exception being patterning). Lastly, what’s described here for COA may be useful outside of the realm of threat intelligence (thinking vulnerability and configuration management in particular), so
I think scope-wise it’s broader than STIX. For all those reasons, I don’t think this should be treated as capabilities that are added directly to STIX. Instead, I think it should be published as a separate specification (work product) that we pull
in to STIX and reference appropriately. We talked about at some point doing the same to Patterning, but because it was fairly lightweight we didn’t. If we were just talking Phase 1 here I would probably feel the same, but seeing where this is headed I think
it’s better to preemptively assume that will be the case. If others agree w/ this approach we can figure out how organizationally to tackle it (assign editors, etc.) John From: <cti-stix@lists.oasis-open.org> on behalf of "Jyoti Verma (jyoverma)" <jyoverma@cisco.com> CTI TC, The COA mini group has been meeting on a weekly basis since a couple of weeks and we’ve put together a roadmap for the goals/features that we would like to address across 3 STIX releases. The mini group gave
a readout on the Sept 19th working call and the slides we presented are here –
https://docs.google.com/presentation/d/1be_i8zcIlsmo_sStB8jeAp33sah-z7SgVGw_eRm1omc/edit?usp=sharing In the first release, we would be solving the following 5 features for manual/automated COAs. For automated COAs, the group discussed using OpenC2 if the timelines align. More details on the complete roadmap
and use cases can be found in the working draft here -
https://docs.google.com/document/d/1zXV5WEmyLUbKiSpuHgywu5-LLrJVd91d7OP3nQBB7qM/edit#.
If there are objections to this list, please let us know within 14 days. You can send your comments by replying to this email or in the COA channel on Slack. Thanks, STIX COA mini group |
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]