[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [cti-taxii] Questioning the wisdom of using DNS SRV records for TAXII 2.0 Discovery
On 30.10.2015 21:59:46, Patrick Maroney wrote:
>
> In my experience of directly observing APT and increasingly
> dangerous asymmetric warfare cyber-adversaries: Anyone who stands up
> a public facing TAXII Gateway which globally exposes any level of
> sensitive intelligence longer than what is minimally required to
> securely transit any such externally facing/exposed gateway,
> deserves the same societal condemnation as those who are similarly
> exposing critical infrastructure Industrial Control Systems, Power
> Grid, Chemical Plants, Refineries, Water Treatment, Communications
> Infrastructure, PII Data, etc. Have we learned nothing?
>

Hear, hear, Pat! Couldn't agree more! :-)

>
> There is nothing wrong (in my view) with providing the means to find
> resources globally, provided said resources have the hardened
> security infrastructure commensurate with the level of sensitivity
> of the information and services they provide. Also, to the points
> made by others, for the reasons alluded to above, there will be
> environments where there are physical air-gaps between participants.
> The CTI standards need to be agnostic in this regard and not presume
> TAXII Gateways will serve universally as transport for STIX
> Packages.
>

I've worked in air-gapped environments, have experience architecting and implementing cross-domain solutions, and am well aware of the challenges posed by the higher confidentiality requirements some face. Every classified environment is governed by different data-handling policies. For sure, somewhere in the world are some poor folks reduced to exchanging STIX files burned on CD-ROMs inside of a SCIF. We need to bear those folks in mind, but since there's so much policy variance between classified environments, we can't completely solve these sorts of challenges at the OASIS standards body level. There are ongoing discussions around how to make CTI work across, for example, one-way data diodes.

These types of environments represent *extremely important* edge cases, but I would argue that for OASIS purposes they are *nevertheless* edge cases. If the W3C had got stuck trying to figure out how to make the web work in air-gapped environments, there would be no web today. Metcalfe's Law [0] is a thing. The web gained traction in the open internet, the secret squirrel folks saw the value, and vendors created appropriate point solutions to adapt the web to air-gapped environments. Apologies to Tony for over-simplifying history, but I think the metaphor is nonetheless valid. (One upside to your typical classified environment is that there are point solutions to address a lot of the cross-domain architectural challenges *and* there's typically an above-average budget for infosec.)

[0]: Value of a network is proportional to the square of the number of participants in said network.

--
Cheers,
Trey
--
Trey Darley
Senior Security Engineer
4DAA 0A88 34BC 27C9 FD2B A97E D3C6 5C74 0FB7 E430
Soltra | An FS-ISAC & DTCC Company
www.soltra.com
--
"Every networking problem always takes longer to solve than it seems like it should." --RFC 1925