OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

cti-taxii message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [cti-taxii] Vision Statement for TAXII


I agree with Bret. TAXII needs to have the ability to authenticate both the sender and recipient of that information, and the ability to restrict that threat information from inspection during transmission.

And I also agree with the fact that we can't guarantee that either party are trustworthy, so maybe the phrase needs to include the word authenticated instead?

E.g.

TAXII is an open protocol for the communication of cyber threat information. Focusing on simplicity and scalability, TAXII enables authenticated and secure communication of cyber threat information across products and organizations.

Cheers
Terry MacDonald

> On 16 Sep 2015 5:08 am, "Jordan, Bret" <bret.jordan@bluecoat.com> wrote:
>>
>> Really good points Jason. Thanks for bringing them up.  And thanks to everyone for your comments thus far.  Please keep contributing and commenting.
>>
>> I think TAXII needs to have authentication and needs to have end-to-end encryption.  But I do not think we can determine if someone is trustworthy.  About all we can do is hopefully guarantee that the person we are talking with or the device we are talking with, is in fact the person/device in question.  So maybe we reduce the phrase to be just "secure" 
>>
>>
>> Thanks,
>>
>> Bret
>>
>>
>>
>> Bret Jordan CISSP
>> Director of Security Architecture and Standards | Office of the CTO
>> Blue Coat Systems
>> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
>> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 
>>
>>> On Sep 15, 2015, at 12:48, Jason Keirstead <Jason.Keirstead@ca.ibm.com> wrote:
>>>
>>> Wow we sure are eliminating a lot :)
>>>
>>> I have another candidate I want to call attention to:
>>>
>>> trusted and secure
>>>
>>> I know it is early in the TAXII protocol discussion, but want to make sure everyone is paying attention here, because it implies a lot of things for TAXII - some of which, don't align with some ideas on the ML and on the Slack channel.
>>>
>>> Namely - you can't have trust without a notion of authorization and access control, and also a way to validate that the second party is trustworthy in the first place. And you can't have security without encryption. So this statement to me implies that we are going to be baking in authorization, access control, external validation, and required encryption into TAXII.
>>>
>>> I am not saying it's a bad thing - in fact I think it is very important! - but want to make sure I called it out. Currently TAXII 1.X does not do any of this at all (and doesn't actually have this in it's mission statement either).
>>>
>>>
>>> -
>>> Jason Keirstead
>>> Product Architect, Security Intelligence, IBM Security Systems
>>> www.ibm.com/security | www.securityintelligence.com
>>>
>>> Without data, all you are is just another person with an opinion - Unknown
>>>
>>>
>>> <graycol.gif>"Wunder, John A." ---2015/09/15 03:40:43 PM---Seems reasonable. A few thoughts: - do we really need “between people and systems”? Doesn’t really a
>>>
>>> From: "Wunder, John A." <jwunder@mitre.org>
>>> To: "Davidson II, Mark S" <mdavidson@mitre.org>, "'cti-taxii@lists.oasis-open.org'" <cti-taxii@lists.oasis-open.org>
>>> Date: 2015/09/15 03:40 PM
>>> Subject: Re: [cti-taxii] RE: Vision Statement for TAXII
>>> Sent by: <cti-taxii@lists.oasis-open.org>
>>>
>>> ________________________________
>>>
>>>
>>>
>>> Seems reasonable. A few thoughts:
>>>
>>> - do we really need “between people and systems”? Doesn’t really add much IMO.
>>> - Agree w/ Jason and Aharon that “sharing” is not the right word and is full of connotations. “communication” seems better and more clinical to me.
>>> - I don’t really love “speeds the sharing of”…does it really speed it? What does that mean?
>>>
>>> So with all that in mind, I’ll propose one more revision:
>>>
>>> TAXII is an open protocol for the communication of cyber threat information. Focusing on simplicity and scalability, TAXII enables trusted and secure communication of cyber threat information across products and organizations.
>>>
>>> Two open questions:
>>>
>>> - “information” vs. “intelligence” — we are in the “Cyber Threat Intelligence” TC, not the “Cyber Threat Information” TC. Should we replace “information” with “intelligence”?
>>> - Debatably you could remove the “of cyber threat information” from the second sentence, it’s a little redundant. I like it because it makes each sentence stand on its own, but can definitely see the argument for trimming it.
>>>
>>> John
>>>
>>> From: Mark Davidson
>>> Date: Tuesday, September 15, 2015 at 12:57 PM
>>> To: "Wunder, John A.", "'cti-taxii@lists.oasis-open.org'"
>>> Subject: RE: [cti-taxii] RE: Vision Statement for TAXII
>>>
>>> I’d like to attempt to summarize the various comments and discussion so far, represented as an updated proposal:
>>> TAXII is an open protocol that enables rapid and secure sharing of cyber threat information between people and systems. With a focus on simplicity and scalability TAXII speeds the sharing of cyber threat information across tools, products, and organizations.
>>>
>>> I modified some language to my own personal liking. If my language is worse, we can revert it. Here’s the list of modifications:
>>> · rapid, secure, and trusted -> rapid and secure (reason: easier to remember/say)
>>> · cyber threat intelligence -> cyber threat information (reason: information is broader than intelligence)
>>> · simple and reusable concepts -> simplicity and scalability (reason: I pulled simplicity/scalability from our SC kickoff slide deck)
>>> · reduces the friction of sharing -> speeds sharing (reason: My preference is to frame it as a positive vs. as removing a negative)
>>>
>>> My one criticism of the current form is that both sentences end in “sharing of cyber threat information across/between <list>”.
>>>
>>> I’d also like to identify the calls for more definition around what TAXII is and is not – I’d like to offer that we discuss that as something of a scoping statement, separate from the vision statement. Thoughts?
>>>
>>> Thank you all for participating in the discussion – I think we’re closing in on something we can all generally agree on, and all of your inputs have been valuable.
>>>
>>> Thank you.
>>> -Mark
>>>
>>> From: cti-taxii@lists.oasis-open.org [mailto:cti-taxii@lists.oasis-open.org] On Behalf Of Wunder, John A.
>>> Sent: Tuesday, September 15, 2015 11:28 AM
>>> To: 'cti-taxii@lists.oasis-open.org' <cti-taxii@lists.oasis-open.org>
>>> Subject: Re: [cti-taxii] RE: Vision Statement for TAXII
>>>
>>> Just spitballing here:
>>>
>>> TAXII is an open protocol that enables rapid, secure, and trusted sharing of cyber threat intelligence between people and systems. With a focus on simple and reusable concepts, TAXII reduces the friction of sharing cyber threat intelligence among disparate tools, organizations, and ecosystems [without prescribing specific trust agreements, governance, or sharing policies].
>>>
>>> I’d go either way on the section in the brackets…do people often misunderstand and think that TAXII prescribes trust agreements, governance, sharing policies, etc? If so, maybe include it. Otherwise it’s extraneous and could even sound defensive.
>>>
>>> John
>>>
>>> From: <cti-taxii@lists.oasis-open.org> on behalf of "Richard.Struse@HQ.DHS.GOV"
>>> Date: Tuesday, September 15, 2015 at 10:58 AM
>>> To: "'cti-taxii@lists.oasis-open.org'"
>>> Subject: Re: [cti-taxii] RE: Vision Statement for TAXII
>>>
>>> The original paragraphs were clearly too verbose and lacked punch. However, the proposed language seems somehow too vague and does read like ad copy.
>>>
>>> I'm also not thrilled with talking about TAXII as a "technology". While I think we all know what is meant by that, others might infer that TAXII is a specific thing when it is in fact a series of specifications. I'd urge us to consider making it clear what TAXII is. The original paragraph did that well.
>>>
>>> From: Eric Burger [mailto:Eric.Burger@georgetown.edu]
>>> Sent: Tuesday, September 15, 2015 09:22 AM Eastern Standard Time
>>> To: cti-taxii@lists.oasis-open.org <cti-taxii@lists.oasis-open.org>
>>> Subject: Re: [cti-taxii] RE: Vision Statement for TAXII
>>>
>>> Looks like it was written by a Mad Men copy writer. Does it say anything?
>>>
>>> Sent from my mobile device. Thanks be to LEMONADE: http://www.standardstrack.com/ietf/lemonade
>>> S2ERC: http://s2erc.georgetown.edu/
>>> GCSC: http://gcsc.georgetown.edu/
>>> Me: http://www.cs.georgetown.edu/~ eburger
>>> On Sep 14, 2015 12:06 PM, "Davidson II, Mark S" <mdavidson@mitre.org> wrote:
>>> All,
>>>
>>> The statement Bret shared below is intended to be the kind of statement that we can make future decisions around. When a contentious issue comes up, one factor will be how well various options match the vision statement.
>>>
>>> When people write articles about TAXII, they are going to use our vision statement – this is our opportunity to get the first word into many TAXII discussions. Having a good vision statement is important.
>>>
>>> For comparison, the equivalent text for TAXII 1.0 and TAXII 1.1 was:
>>>
>>> TAXII defines a set of services and message exchanges that, when implemented, enable sharing of actionable cyber threat information across organization and product/service boundaries. TAXII defines services, protocols and messages to exchange cyber threat information for the detection, prevention, and mitigation of cyber threats. TAXII is not an information sharing initiative or application and does not attempt to define trust agreements, governance, or non-technical aspects of cyber threat information sharing. Instead, TAXII empowers organizations to achieve improved situational awareness about emerging threats, and enables organizations to easily share the information they choose with the partners they choose all while using a single, common, set of tools.
>>>
>>> What do you think? Should we keep the old one? Is the new one better? Would you like to offer a different proposal for consideration?
>>>
>>> In an effort to cajole responses out of this subcommittee: I’ll offer to take your silence as complete support of the proposed vision statement and that you have nothing but effusive praise for it. (I’m kidding – but please share your thoughts!).
>>>
>>> Let the SC know what you think!
>>>
>>> Thank you.
>>> -Mark
>>> From:cti-taxii@lists.oasis-open.org [mailto:cti-taxii@lists.oasis-open.org] On Behalf Of Jordan, Bret
>>> Sent: Friday, September 11, 2015 8:42 AM
>>> To: cti-taxii@lists.oasis-open.org
>>> Subject: [cti-taxii] Vision Statement for TAXII
>>>
>>> Team,
>>>
>>> During our last call we had a good conversation about the need to establish some top level elements for this subcommittee, these include things like vision, scope, and purpose. We would like to propose the following vision/purpose statement for your review.
>>>
>>> "TAXII is a threat sharing technology that enables rapid, secure, and trusted communications between people and systems through simple, powerful, and reusable concepts. TAXII users have faster response times, better ROI, and more effective cyber defenses."
>>>
>>> Thanks,
>>>
>>> Bret
>>>
>>>
>>>
>>> Bret Jordan CISSP
>>> Director of Security Architecture and Standards | Office of the CTO
>>> Blue Coat Systems
>>> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
>>> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
>>>
>>>
>>



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]