Re: [cti-taxii] The need (or no need) for TAXII to support Query

["Jason Keirstead" <Jason.Keirstead@ca.ibm.com>]

Hi Ron; I think where we're deviating here is this statement:

"... it would be a service attached to STIX, which is what TAXII is."

We're trying very hard to not bind TAXII to STIX, hence this discussion about splitting QUERY off as a separate work product.

Having QUERY as part of TAXII core would imply a lot of things - not the least of which is that all producers of CTI also must act as a CTI repository, which is simply not the case. That's why we are trying to be very deliberate here and separate QUERY from the core of TAXII, which is the live or near-live transmission of intelligence.


-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown


"Ron Williams" ---2015/10/19 01:48:55 PM---I disagree. STIX is an information format - TAXII is the service that (may) deliver(s) it. A Query S

From: "Ron Williams" <Ron.Williams@us.ibm.com>
To: Jason Keirstead/CanEast/IBM@IBMCA
Cc: Terry MacDonald <terry.macdonald@threatloop.com>, "Davidson II, Mark S" <mdavidson@mitre.org>, Trey Darley <trey@soltra.com>, "Jordan, Bret" <bret.jordan@bluecoat.com>, "cti-taxii@lists.oasis-open.org" <cti-taxii@lists.oasis-open.org>
Date: 2015/10/19 01:48 PM
Subject: Re: [cti-taxii] The need (or no need) for TAXII to support Query
Sent by: <cti-taxii@lists.oasis-open.org>

---

I disagree. STIX is an information format - TAXII is the service that (may) deliver(s) it. A Query Service should be part of the transport, not the data format. It's the natural place for it to exist. Adding a Query Service to STIX wouldn't be STIX, it would be a service attached to STIX, which is what TAXII is.

Cheers!

~r 

ron.williams@us.ibm.com | stsm, ibm master inventor | chief architect, infrastructure protection | divisional idt lead | ibm | mobile +1.512.633.7711 | ofc +1.720.349.2236
羅恩·威廉姆斯 | 首席架構師基礎設施保護 | IBM安全 
"It is much less dangerous to think like a man of action, than to act like a man of thought." - Nicholas Nassim Taleb

"Jason Keirstead" ---10/19/2015 13:17:47---Agree 100% with your vision Terry and I think you expressed the argument better than I.

From: "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>
To: Terry MacDonald <terry.macdonald@threatloop.com>
Cc: "Davidson II, Mark S" <mdavidson@mitre.org>, Trey Darley <trey@soltra.com>, "Jordan, Bret" <bret.jordan@bluecoat.com>, "cti-taxii@lists.oasis-open.org" <cti-taxii@lists.oasis-open.org>
Date: 10/19/2015 13:17
Subject: Re: [cti-taxii] The need (or no need) for TAXII to support Query
Sent by: <cti-taxii@lists.oasis-open.org>

---

Agree 100% with your vision Terry and I think you expressed the argument better than I.

Now my question is, how to make it a reality :) IE, if STIX is responsible for answering QUERY messages, how does this work... 

Presumably, if TAXII 2.0 was a REST service, then you would want QUERY 2.0 to be a REST service as well so that servers who have TAXII can also run a QUERY endpoint on the same port.

So that is feasible, but the question is, how do we come up with the specification for this service. Is this something for the STIX SC? Or a "QUERY" SC?

-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown

Terry MacDonald ---2015/10/17 01:22:25 AM---Hi All, Just splitting this out into its own thread so we can all keep track :)

From: Terry MacDonald <terry.macdonald@threatloop.com>
To: Jason Keirstead/CanEast/IBM@IBMCA
Cc: "Davidson II, Mark S" <mdavidson@mitre.org>, Trey Darley <trey@soltra.com>, "Jordan, Bret" <bret.jordan@bluecoat.com>, "cti-taxii@lists.oasis-open.org" <cti-taxii@lists.oasis-open.org>
Date: 2015/10/17 01:22 AM
Subject: [cti-taxii] The need (or no need) for TAXII to support Query
Sent by: <cti-taxii@lists.oasis-open.org>

---

Hi All,

Just splitting this out into its own thread so we can all keep track :)

I half agree with Jason :). I think Query is outside of the scope of TAXII, but I also think it is the responsbility of each carried protocol to provide its own query and response functionality if it requires it.

To me TAXII has the express purpose of enabling the sharing of CTI data (over a channel). To me that means that TAXII is only worried about:

- ensuring everyone allowed to see the CTI data channel sees it
- allowing people to request access to the CTI data channel
- allowing channel owners to allow access to the CTI data channel

TAXII should effectively treat the information carried within TAXII as a 'black box' from the TAXII perspective. As an example, if a TAXII channel is carrying STIX data, then it should be the responsibility of STIX to ask queries for STIX data. Similarly, if in the future TAXII carries VERIS classification data, then it should be the responsibility of VERIS to ask queries for VERIS data. TAXII should just ensure that the data gets to where it should go, and that only those who are allowed to see it, receive it. (And that it is marked to contain either STIX or VERIS data so the receiving TAXII process knows which process to hand the carried data to.

Loosely coupling TAXII from the data it carries gives us future flexibility for what TAXII can carry. Tightly coupling TAXII by enforcing support for STIX querying restricts this flexibility, and ensures that when new version of STIX is released we will need to release a new version of TAXII query to support it. And then restricts the ability for us to add new protocols to be carried by TAXII (e.g. VERIS) as new TAXII query releases would be required there too.

Cheers

Terry MacDonald | STIX, TAXII, CybOX Consultant

M: +61-407-203-026
E: terry.macdonald@threatloop.com
W: www.threatloop.com



Disclaimer: The opinions expressed within this email do not represent the sentiment of any other party except my own. My opinions do not necessarily reflect those of Threatloop.com.