[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [cti-taxii] Vision Statement for TAXII
I would definitely concur with Jason here.
sean
From: <cti-taxii@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Thursday, September 17, 2015 at 11:06 AM To: "Jordan, Bret" <bret.jordan@bluecoat.com> Cc: "cti-taxii@lists.oasis-open.org" <cti-taxii@lists.oasis-open.org>, Jason Keirstead <Jason.Keirstead@ca.ibm.com>, John Wunder <jwunder@mitre.org>, Mark Davidson <mdavidson@mitre.org>, Patrick Maroney <Pmaroney@Specere.org>, Terry MacDonald <terry.macdonald@gmail.com> Subject: Re: [cti-taxii] Vision Statement for TAXII The only thing I will mention is this - I fully endorse the idea of TAXII doing only #2, precluding CTI query.
Pat, These are super great points. And yes, those represent the fundamental questions at hand.. Let me re-phrase: 1) Should TAXII understand and work on STIX elements and possible interact with the STIX elements directly? 2) Should TAXII just be a transport of CTI in an authenticated and secure way? Terry's proposal to the group is #2 and I started out thinking that we should do #1 but have since started leaning toward #2. With the #2 model, the idea is that in the application stack, TAXII just transmits the packages back and forth. There would be another layer in the application stack that actually did things with STIX, but that would be outside of the scope for TAXII. The vision statement we have been working on, following #2. Now if anyone things TAXII should work on, interact with, and do things directly with STIX, please speak up. But everything we have heard in the past is that we want to keep them separate. People have not wanted TAXII doing STIX stuff.. Thanks, Bret Bret Jordan CISSP Director of Security Architecture and Standards | Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
Folks, A brief response on my argument for not constraining what types of packages TAXII can carry in our Vision Statement. Caveat: If we do ultimately decide that TAXII will act on specific atomic level elements within a STIX package beyond the Header, then it will be absolutely necessary to constrain core TAXII standard to these supported schematic representations and any extension points. However, if we determine that we are going to narrow TAXII scope to the secure inter-exchange of "packages" (and operations based on the attributes of those overall packages vs. the specific contents contained within), then there is only upside to a broader vision and capability for TAXII. This is not incongruent with supporting things like a Query Packages, STIX Profiles, etc. we exchange these standardized packages with implementation specific applications/systems. Such an approach allows us to narrowly define and focus on the core TAXII features/functions: Secure, reliable distribution of Threat Intelligence. This get's us to our core CTI objectives quicker and greatly enhances the security model (less features/functions = minimal attack surface/complexity). A standardized trusted Threat Intelligence delivery system for all Threat/Risk Domain Stakeholders improves outcomes for all. Why should we intentionally foster the requirement for creation of multiple inter-exchange standards when the potential to build a holistic ecosystem exists? Patrick Maroney President Integrated Networking Technologies, Inc. Desk: (856)983-0001 Cell: (609)841-5104 Email: pmaroney@specere.org On Thu, Sep 17, 2015 at 5:18 AM -0700, "Davidson II, Mark S" <mdavidson@mitre.org> wrote: All, I think we are quickly approaching “rough consensus” territory on the vision, with Terry’s proposal (below) representing the group’s most recent thoughts. Let’s attempt to identify and work through any remaining open questions about the vision. Alternatively, if I’ve read the group wrong, please let me know. For me, Jane’s and Pat’s messages raised an open question: Should All-Hazards be in or out of the vision? To frame the discussion a bit, I’ll offer my opinion: To me, “out” (if that’s what we end up deciding) doesn’t mean we prohibit or preclude All-Hazards uses. At a technical level, TAXII will likely have extension mechanisms that permit uses of TAXII outside of cyber threat information communication. As an example, something could be “out” of the vision, yet specifically designed for when we consider extension mechanism(s). There is a historical example of this, where TAXII 1.x specifically includes the Common Alert Protocol (CAP) in the Content Binding Reference. When considering your response, I encourage you to review the CTI TC charter [1]; specifically, the statement of purpose. Please offer your opinions on this question, and please raise any remaining open questions you might have. In a separate email, I will discuss possible next steps for the group. Thank you. -Mark [1] https://www.oasis-open.org/committees/cti/charter.php
Sent: Tuesday, September 15, 2015 6:13 PM To: Bret Jordan <bret.jordan@bluecoat.com> Cc: Jason Keirstead <Jason.Keirstead@ca.ibm.com>; Davidson II, Mark S <mdavidson@mitre.org>; Wunder, John A. <jwunder@mitre.org>; cti-taxii@lists.oasis-open.org Subject: Re: [cti-taxii] Vision Statement for TAXII I agree with Bret. TAXII needs to have the ability to authenticate both the sender and recipient of that information, and the ability to restrict that threat information from inspection during transmission. And I also agree with the fact that we can't guarantee that either party are trustworthy, so maybe the phrase needs to include the word authenticated instead? E.g.
Comments? Cheers
Wow we sure are eliminating a lot :) Seems reasonable. A few thoughts: - do we really need “between people and systems”? Doesn’t really add much IMO. - Agree w/ Jason and Aharon that “sharing” is not the right word and is full of connotations. “communication” seems better and more clinical to me. - I don’t really love “speeds the sharing of”…does it really speed it? What does that mean? So with all that in mind, I’ll propose one more revision: TAXII is an open protocol for the communication of cyber threat information. Focusing on simplicity and scalability, TAXII enables trusted and secure communication of cyber threat information across products and organizations. Two open questions: - “information” vs. “intelligence” — we are in the “Cyber Threat Intelligence” TC, not the “Cyber Threat Information” TC. Should we replace “information” with “intelligence”? - Debatably you could remove the “of cyber threat information” from the second sentence, it’s a little redundant. I like it because it makes each sentence stand on its own, but can definitely see the argument for trimming it. John From: Mark Davidson Date: Tuesday, September 15, 2015 at 12:57 PM To: "Wunder, John A.", "'cti-taxii@lists.oasis-open.org'" Subject: RE: [cti-taxii] RE: Vision Statement for TAXII I’d like to attempt to summarize the various comments and discussion so far, represented as an updated proposal:
I modified some language to my own personal liking. If my language is worse, we can revert it. Here’s the list of modifications:
· cyber threat intelligence -> cyber threat information (reason: information is broader than intelligence) · simple and reusable concepts -> simplicity and scalability (reason: I pulled simplicity/scalability from our SC kickoff slide deck) · reduces the friction of sharing -> speeds sharing (reason: My preference is to frame it as a positive vs. as removing a negative) My one criticism of the current form is that both sentences end in “sharing of cyber threat information across/between <list>”. I’d also like to identify the calls for more definition around what TAXII is and is not – I’d like to offer that we discuss that as something of a scoping statement, separate from the vision statement. Thoughts? Thank you all for participating in the discussion – I think we’re closing in on something we can all generally agree on, and all of your inputs have been valuable. Thank you. -Mark
Sent: Tuesday, September 15, 2015 11:28 AM To: 'cti-taxii@lists.oasis-open.org' <cti-taxii@lists.oasis-open.org> Subject: Re: [cti-taxii] RE: Vision Statement for TAXII Just spitballing here: TAXII is an open protocol that enables rapid, secure, and trusted sharing of cyber threat intelligence between people and systems. With a focus on simple and reusable concepts, TAXII reduces the friction of sharing cyber threat intelligence among disparate tools, organizations, and ecosystems [without prescribing specific trust agreements, governance, or sharing policies]. I’d go either way on the section in the brackets…do people often misunderstand and think that TAXII prescribes trust agreements, governance, sharing policies, etc? If so, maybe include it. Otherwise it’s extraneous and could even sound defensive. John From: <cti-taxii@lists.oasis-open.org> on behalf of "Richard.Struse@HQ.DHS.GOV" Date: Tuesday, September 15, 2015 at 10:58 AM To: "'cti-taxii@lists.oasis-open.org'" Subject: Re: [cti-taxii] RE: Vision Statement for TAXII The original paragraphs were clearly too verbose and lacked punch. However, the proposed language seems somehow too vague and does read like ad copy. I'm also not thrilled with talking about TAXII as a "technology". While I think we all know what is meant by that, others might infer that TAXII is a specific thing when it is in fact a series of specifications. I'd urge us to consider making it clear what TAXII is. The original paragraph did that well. From: Eric Burger [mailto:Eric.Burger@georgetown.edu] Sent: Tuesday, September 15, 2015 09:22 AM Eastern Standard Time To: cti-taxii@lists.oasis-open.org <cti-taxii@lists.oasis-open.org> Subject: Re: [cti-taxii] RE: Vision Statement for TAXII Looks like it was written by a Mad Men copy writer. Does it say anything? Sent from my mobile device. Thanks be to LEMONADE:
http://www.standardstrack.com/ietf/lemonade
What do you think? Should we keep the old one? Is the new one better? Would you like to offer a different proposal for consideration? In an effort to cajole responses out of this subcommittee: I’ll offer to take your silence as complete support of the proposed vision statement and that you have nothing but effusive praise for it. (I’m kidding – but please share your thoughts!). Let the SC know what you think! Thank you. -Mark
Sent: Friday, September 11, 2015 8:42 AM To: cti-taxii@lists.oasis-open.org Subject: [cti-taxii] Vision Statement for TAXII Team, During our last call we had a good conversation about the need to establish some top level elements for this subcommittee, these include things like vision, scope, and purpose. We would like to propose the following vision/purpose statement for your review. "TAXII is a threat sharing technology that enables rapid, secure, and trusted communications between people and systems through simple, powerful, and reusable concepts. TAXII users have faster response times, better ROI, and more effective cyber defenses." Thanks, Bret Bret Jordan CISSP Director of Security Architecture and Standards | Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
|
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]