On 30.10.2015 21:59:46, Patrick Maroney wrote:
> In my experience of directly observing APT and increasingly
> dangerous asymmetric warfare cyber-adversaries: Anyone who stands up
> a public facing TAXII Gateway which globally exposes any level of
> sensitive intelligence longer than what is minimally required to
> securely transit any such externally facing/exposed gateway,
> deserves the same societal condemnation as those who are similarly
> exposing critical infrastructure Industrial Control Systems, Power
> Grid, Chemical Plants, Refineries, Water Treatment, Communications
> Infrastructure, PII Data, etc. Have we learned nothing?
Hear, hear, Pat! Couldn't agree more! :-)
> There is nothing wrong (in my view) with providing the means to find
> resources globally, provided said resources have the hardened
> security infrastructure commensurate with the level of sensitivity
> of the information and services they provide. Also, to the points
> made by others, for the reasons alluded to above, there will be
> environments where there are physical air-gaps between participants.
> The CTI standards need to be agnostic in this regard and not presume
> TAXII Gateways will serve universally as transport for STIX
> Packages.
I've worked in air-gapped environments, have experience architecting
and implementing cross-domain solutions, and am well aware of the
challenges posed by the higher confidentiality requirements some face.
Every classified environment is governed by different data-handling
policies. For sure, somewhere in the world are some poor folks reduced
to exchanging STIX files burned on CD-ROMs inside of a SCIF. We need
to bear those folks in mind but since there's so much policy variance
between classified environments, we can't completely solve these sorts
of challenges at the OASIS standards body level.
There are ongoing discussions around how to make CTI work across, for
example, one-way data diodes. These types of environments represent
*extremely important* edge cases but I would argue that for OASIS
purposes they are *nevertheless* edge cases.
If the W3C had got stuck trying to figure out how to make the web work
in air-gapped environments, there would be no web today. Metcalfe's Law
[0] is a thing. The web gained traction in the open internet, the
secret squirrel folks saw the value, and vendors created appropriate
point solutions to adapt the web to air-gapped environments. Apologies
to Tony for over-simplifying history, but I think the metaphor is
nonetheless valid.
(One upside to your typical classified environment is that there are
point solutions to address a lot of the cross-domain architectural
challenges *and* there's typically an above-average budget for
infosec.)
[0]: Value of a network is proportional to the square of the number of
participants in said network.
--
Cheers,
Trey
--
Trey Darley
Senior Security Engineer
4DAA 0A88 34BC 27C9 FD2B A97E D3C6 5C74 0FB7 E430
Soltra | An FS-ISAC & DTCC Company
www.soltra.com
--
"Every networking problem always takes longer to solve than it seems
like it should." --RFC 1925