[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [cti-taxii] The need (or no need) for TAXII to support Query
On 19.10.2015 12:43:14, Davidson II, Mark S wrote: > > One of the primary challenges for TAXII query was the inability to > tightly bind the query model to a specific version of STIX. This > resulted in the Targeting Expression concept, which is a way to bind > a query to a specific version of STIX. Successful implementation of > the Targeting Expression effectively requires implementers to have a > high degree of communication and coordination - something a spec > (IMO) should decrease. There are successful implementations out > there, and the ones I know about have a shared characteristic of > central planning. While this is manageable, I think it is an area > that can be improved for the next iteration of query, whatever form > it takes. > (My apologies in advance, this is going to be a rather long mail.) Mark notes, "There are successful implementations out there". I'd be curious to see them, as to I have yet to bump into an implementation of TAXII Query. Early on, Soltra identified three basic use cases for TAXII Query: 0) Have you seen this thing? 1) Give me everything you've got that's related to this thing. 2) Give me everything you've got that's of type Foo. Our end goal is to make integrating Edge with other systems (ie, network/endpoint blackboxen that don't speak STIX/TAXII) dead simple. After all, what's the point of having a pile of CTI if you can't easily leverage it to solve real world problems!? We spent over a year looking at the TAXII Query spec, scratching our heads, and having long conversations with MITRE. In the end, to be able to address the three simplistic use cases described above would have required us to define a proprietary Soltra Query spec. This seemed like overkill. Faced with the necessity of implementing a proprietary solution, we decided to go REST (since everybody and their sister know how to interact with REST.) We're well on our way to releasing a version of Edge that includes this REST query API. (No secret, it's been discussed at length in public fora.) I appreciate the desire to make TAXII 2.0 content-agnostic. It would be nice if TAXII 2.0 could transport OpenIOC, VERIS, BitTorrent tracker files, and the kitchen sink. *However*, TAXII 2.0 is an OASIS CTI standard and as such owes its *primary* allegiance to supporting the needs of its sister OASIS CTI specs. We at Soltra were loathe to implement a proprietary query solution but felt there was no better option. Our intention has always been to work within OASIS to ensure that TAXII 2.0 Query supported the basic use cases mentioned above and once TAXII 2.0 was released, to deprecate our proprietary REST API in favor of TAXII 2.0 Query. If Query is deemed out-of-scope for TAXII 2.0, I can foresee two possibilities: 0) Some kind of top-level STIX/CybOX Query construct will be promulgated. 1) Vendors will implement proprietary REST query APIs. Both of the possibilities strike me as utterly absurd outcomes. I think going REST for TAXII 2.0 is brilliant! Let's include a query API in the spec. I take Ron's point that not all CTI producers will also necessarily act as repositories *but* a great many of them will. So let's make TAXII 2.0 Query *optional* but at least define what it should look like, if a vendor *chooses* to support it. We'd be happy to share what our REST query API definition looks like as a strawman. -- Cheers, Trey -- Trey Darley Senior Security Engineer 4DAA 0A88 34BC 27C9 FD2B A97E D3C6 5C74 0FB7 E430 Soltra | An FS-ISAC & DTCC Company www.soltra.com -- "It is always something." --RFC 1925
Attachment:
signature.asc
Description: PGP signature
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]