Subject: Re: [cti-taxii] Creating a more complex data-marking construct to support the needs of the secret squirrel community
I was just pondering this over the weekend. At the most basic level, Marking data is meant to filter out data I don't want to share. Part of me wonders why it's even a part of the STIX standard at all, since it could be entirely defined within my own organization, and just stripped out before sending to another org.

The trouble comes when my org says to another org, "You can see this, but don't share it." Then, I have to mark data in ways that can't be stripped at the boundary. So, my org and another have to have a common "standard" for sharing this info.

Nevertheless, I wonder why STIX has to define this. Why can't STIX just leave a hole that orgs can fill with whatever they agree upon, as far as marking? Frankly, a string-based "vocabulary" should suffice, if two orgs are communicating properly. Overloading this with XML seems like a heavy-weight solution; I'm not sure the STIX standard needs more weight...?

JSA

________________________________________
From: cti-taxii@lists.oasis-open.org <cti-taxii@lists.oasis-open.org> on behalf of Trey Darley <trey@soltra.com>
Sent: Monday, November 2, 2015 5:42 AM
To: Jordan, Bret
Cc: Patrick Maroney; Terry MacDonald; cti-taxii@lists.oasis-open.org; cti@lists.oasis-open.org
Subject: [cti-taxii] Creating a more complex data-marking construct to support the needs of the secret squirrel community

On 01.11.2015 02:26:23, Jordan, Bret wrote:
> Do we really think it is realistic to build a data marking
> implementation that is actually going to work for the vastly
> different solutions that the more advanced people need and still
> have it be implementable in generic code? I can see some structured
> and well defined parts working well. But completely free formed, do
> anything, data marking that "secret groups" use today is like trying
> to boil the ocean in code.
>

[Note: changing thread subject and copying the top-level cti@oasis-open.org list, since this discussion cuts across domains]

Can we build a data-marking construct able to address *all* of the needs of the secret squirrel community? No, probably not.

Can we make something close enough to support the data-marking needs of *most* of the secret squirrel community? Maybe, it's worth a try.

I've seen a lot of secret squirrel data-marking schemes. They generally look like:

    SECRET SQUIRREL CLUB
    COSMIC TOP ACORN
    RELEASEABLE TO GREY SQUIRRELS, RED SQUIRRELS

The 'SECRET SQUIRREL CLUB' bit is a mandatory field identifying the community associated with the data-marking scheme.

The 'COSMIC TOP ACORN' bit is a mandatory field identifying the data confidentiality level. (This would be a controlled vocabulary enumerating the levels of confidentiality defined within the data-marking scheme.)

The RELEASEABLE bit is an optional field identifying the sub-communities within the community with whom sharing is authorized. (This would be a controlled vocabulary enumerating the sub-communities defined within the data-marking scheme.)

What we *can't* do is codify the controlled vocabularies. These are going to vary widely across the secret squirrel community. But we *can* define a template construct into which each secret squirrel community can interpolate their specific controlled vocabularies. End result: a STIX data-marking scheme that should address the needs of *most* of these communities.

Things *do* get more complicated. For example, there might be localization issues between the German-speaking GREY SQUIRREL community and the Spanish-speaking RED SQUIRREL community. But I think we can build in an (optional) localization mapping element to address the possibility that various factions of the SECRET SQUIRREL CLUB might use different phraseology to indicate 'COSMIC TOP ACORN'.

Note that this is a strawman. Those within the OASIS CTI community better versed in such matters, feel free to elaborate.

--
Cheers,
Trey
--
Trey Darley
Senior Security Engineer
4DAA 0A88 34BC 27C9 FD2B A97E D3C6 5C74 0FB7 E430
Soltra | An FS-ISAC & DTCC Company
www.soltra.com
--
"Every old idea will be proposed again with a different name and a different presentation, regardless of whether it works." --RFC 1925
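
The template construct sketched in the quoted message (mandatory community, mandatory level from a controlled vocabulary, optional release list, optional localization mapping), as an added Python example that is not part of either e-mail or of any STIX specification. The class and method names are hypothetical, the German phrase is constructed, and treating a missing RELEASEABLE field as "no sub-community restriction" is an assumption the thread does not settle.

```python
from dataclasses import dataclass, field

@dataclass
class MarkingScheme:
    """Hypothetical template: each community fills in its own vocabularies."""
    community: str          # mandatory: community that owns the scheme
    levels: tuple           # controlled vocabulary of confidentiality levels
    sub_communities: tuple  # controlled vocabulary of release targets
    localization: dict = field(default_factory=dict)  # optional: local phrase -> canonical

    def canon(self, term):
        """Normalize case and whitespace, then map a localized phrase to its canonical term."""
        term = " ".join(term.upper().split())
        return self.localization.get(term, term)

    def parse(self, text):
        """Return (level, targets); targets is None when no RELEASEABLE field is present."""
        text = " ".join(text.upper().split())
        if not text.startswith(self.community + " "):
            raise ValueError("marking does not belong to " + self.community)
        rest = text[len(self.community) + 1:]
        level_part, sep, release_part = rest.partition(" RELEASEABLE TO ")
        level = self.canon(level_part)
        if level not in self.levels:
            raise ValueError("unknown confidentiality level: " + level_part)
        if not sep:
            return level, None
        targets = frozenset(self.canon(t) for t in release_part.split(","))
        unknown = targets - set(self.sub_communities)
        if unknown:  # fail closed on anything outside the agreed vocabulary
            raise ValueError("unknown sub-community: " + ", ".join(sorted(unknown)))
        return level, targets

    def may_release(self, text, recipient):
        """Assumption: a marking without RELEASEABLE carries no sub-community restriction."""
        _, targets = self.parse(text)
        return targets is None or self.canon(recipient) in targets

# Constructed sample scheme built from the vocabulary in the message above.
CLUB = MarkingScheme(
    community="SECRET SQUIRREL CLUB",
    levels=("COSMIC TOP ACORN",),
    sub_communities=("GREY SQUIRRELS", "RED SQUIRRELS"),
    localization={"KOSMISCHE OBERSTE EICHEL": "COSMIC TOP ACORN"},  # constructed phrase
)
SAMPLE = "SECRET SQUIRREL CLUB COSMIC TOP ACORN RELEASEABLE TO GREY SQUIRRELS, RED SQUIRRELS"
```

Because the parser rejects any level or sub-community outside the scheme's vocabularies, a receiving system fails closed on a marking it cannot interpret instead of treating it as unmarked.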