In the public sharing use case, there is a set of knowns and unknowns that we need to discuss and investigate. For the intra eco-system / vertical case I think we have a better understanding of our confidence in certain things. Due to politics and legal requirements, public sharing may not have the same amount of detail as one might find inside an eco-system boundary.
Bret
Sent from my Commodore 64
One challenge with +/- on observables is context. A 'known' bad IP for retail may be irrelevant to finance, because the reason it's 'bad' is that it's a retail-targeted malware source, or whatever.
+/- on observables (industry-targeted malware site, regional campaign, etc.) may be useful if provided in the context of industry/geography, etc. - but by itself?
Cheers!
~r
ron.williams@us.ibm.com | stsm, ibm master inventor | principal architect, x-force exchange | divisional idt lead | ibm | mobile +1.512.633.7711 | ofc +1.720.349.2236
"It is much less dangerous to think like a man of action, than to act like a man of thought." - Nicholas Nassim Taleb
From: Jason Keirstead/CanEast/IBM
To: Terry MacDonald <terry.macdonald@threatloop.com>
Cc: "Davidson II, Mark S" <mdavidson@mitre.org>, "Jordan, Bret" <bret.jordan@bluecoat.com>, "cti-taxii@lists.oasis-open.org" <cti-taxii@lists.oasis-open.org>, Ron Williams <Ron.Williams@us.ibm.com>
Date: 07/22/2015 11:42
Subject: Re: [cti-taxii] TAXII Use Cases
Do you foresee the +/- existing at the Indicator/Observable level, or at the CybOX marking level?
I.e., can I disagree with only part of an indicator? Or do I have to disagree with the whole thing?
-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security |
www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
From: Terry MacDonald <terry.macdonald@threatloop.com>
To: Jason Keirstead/CanEast/IBM@IBMCA
Cc: "Davidson II, Mark S" <mdavidson@mitre.org>, "Jordan, Bret" <bret.jordan@bluecoat.com>, "cti-taxii@lists.oasis-open.org" <cti-taxii@lists.oasis-open.org>, Ron Williams <Ron.Williams@us.ibm.com>
Date: 2015/07/21 08:33 PM
Subject: Re: [cti-taxii] TAXII Use Cases
Sent by: <cti-taxii@lists.oasis-open.org>
I'd like to add some additional entries to Mark's Use Cases list:
- Sending only the part of an object that has changed (increased efficiency)
- Sending just an agreement or disagreement with another organisation's assertion of a relationship (i.e. [+1] or [-1])
- Sending just an agreement or disagreement with another organisation's data in an object (i.e. [+1] or [-1])
Cheers
Terry MacDonald | STIX, TAXII, CybOX Consultant
M: +61-407-203-026
E: terry.macdonald@threatloop.com
W: www.threatloop.com
Disclaimer: The opinions expressed within this email do not represent the sentiment of any other party except my own. My views do not necessarily reflect those of my employers.
On 21 July 2015 at 03:38, Jason Keirstead <Jason.Keirstead@ca.ibm.com> wrote:
- One thing I would add to the drawing - Organization 2 also talking to the Threat Exchange.
- RE Storing - One "why" I could give for storage is for resiliency. Without storage of messages on the TAXII server, if I ever do not have a connection to the server when an important sighting or indicator is shared, I will never receive that message. I.e., one cannot assume that all consumers are "live".
- RE Querying - The "why" here hinges on who we would rather be the logical owner of the database of record of threat data, the server or the client. If you want to have a centralized database of record, then the client should be able to query that database. If there is no querying in the protocol and the server in fact has no database of record (and is simply assumed to be a broker), then client systems will have to build up a copy of the database of record and query it locally instead. In a way this decision is analogous to whether you want to do distributed or centralized source control.
-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security |
www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
From: "Davidson II, Mark S" <mdavidson@mitre.org>
To: "Jordan, Bret" <bret.jordan@bluecoat.com>, Jason Keirstead/CanEast/IBM@IBMCA
Cc: Ron Williams <Ron.Williams@us.ibm.com>, "cti-taxii@lists.oasis-open.org" <cti-taxii@lists.oasis-open.org>
Date: 2015/07/20 02:26 PM
Subject: RE: [cti-taxii] TAXII Use Cases
Jason,
Thank you for posting this. I’d like to highlight one of your paragraphs, as I see it as probably the most important perspective this group should have:
> When considering development of TAXII 2.0, I feel like this is an opportunity to do things well, and in order to do that, we need to get back to root principles. What are the things TAXII wants to do, what is it trying to solve? Only when your end goal is understood in a clear and concise way can one hope to create a standard that enables that goal.
With that, I’ll hit on some other points from the thread.
# Architecture
This is a bit of a tangent, and forgive the ugliness, but I’ve attempted to draw the architecture Jason described (perhaps with my own unnoticed biases). I used PlantUML[1] (Note: SourceForge is currently down), and I’ve attached my source file in case anyone is interested. I find PlantUML to be pretty useful for quickly whiteboarding ideas.
Notional Architecture:
# Use Cases
Focusing back on use cases (the subject of this thread), I think what we have is a good starting point, and eventually we’ll need to increase the level of abstraction for the use cases offered so far. Fortunately, there is a very easy process for raising a use case’s level of abstraction: Ask Why. Ask why until the use case is sufficiently high level.
I’ll pick on the use case of: “storing messages and allowing querying”. I personally – with the information provided – do not have enough information to determine whether I think message storage/query is something that TAXII 2.0 should support. So I’ll ask why.
Why do we need storage and query? I’ll note that this is not Bret’s question alone to answer – anyone who has any answer should feel compelled to provide it. Multiple answers will provide a greater selection of use cases and perspectives.
I’ll also note that this message is meant to encourage contribution of all use cases, no matter how high or low level. It’s an easy and useful process to turn a low-level use case into a high-level use case. It’s easy because we just ask “why?”; it’s useful because we might get unanticipated answers that help make TAXII better (e.g., I won’t know what you’re thinking if you don’t say it). More use cases are always better than fewer use cases, because more use cases give you more to work with. So please do not hesitate to offer your thoughts on use cases.
As for my own contribution of use cases, I’ll offer these:
· Send an Indicator
· Send a Sighting
I think many of you who have read this far will be asking: “Why?”
Thank you.
-Mark
[1] http://plantuml.sourceforge.net/