
cti-users message



Subject: Re: [cti-users] My opinion piece mentioning STIX-TAXII


This is our desire and goal.  However, there are some steps along the way; let me illustrate two of them...

1) How do you make the shared CTI machine-actionable for any arbitrary STIX 1.2 document today?  Hint: think through what you would need to do in code to make this happen.  

2) How do you know for sure that you can trust the CTI you are openly getting?  Or how do you know the CTI is even valid?  Open public sharing is a two-edged sword without validation, verification, and assessment.




Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On Sep 29, 2015, at 08:13, pankaj.anand@wipro.com wrote:

I agree with the point that this information must be shared on an open platform so that the maximum number of defenders can make use of it. As there are no confined boundaries on the internet, there will be adversaries looking into this. This is for more generic attacks and should be consumed without boundaries. In today's world I think generic attacks are random, and adversaries are also not investing too much time and effort in changing tactics. So as long as we can change faster than the adversaries' TTPs, we shall continue to have the advantage and discourage adversaries by adding effort and cost to an attack. Even if this gets into commercial boundaries, adversaries can still have access, so keeping it open source or not doesn't matter.

Another concept is the time lag in information exchange. In industry not many organizations have a mature threat intel platform, and there is a substantial lag time for sharing and even for utilization. Unless it's near real time the usage may not be as effective (considering the Verizon DBIR, most of this information is short lived and almost more than 90% changes within a day). So how fast information gets exchanged and implemented also matters. Is attack speed faster, or threat sharing faster? I assume that's also one of the reasons that the overlap of information between various inbound threat channels is very small (3%).

By using STIX/TAXII we are getting into basic building blocks that the majority of the industry has yet to adopt.

Thanks,

Pankaj Anand



Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail
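Bret's two questions above, what it takes in code to make an arbitrary STIX 1.2 document machine-actionable and how to check shared CTI before trusting it, worked through as an added example. This is not code from the thread, from OASIS or from any STIX/TAXII project; it uses only the Python standard library, the sample package and proxy log lines are constructed for the illustration, and the confidence threshold and the list of never-blockable address ranges are local policy assumptions. It extracts exact-match IP and domain indicators from the CybOX observables, refuses values that a consumer should not act on blindly (non-routable addresses, pattern conditions such as `Contains`, low confidence), and matches what survives against log lines.

```python
"""Make a STIX 1.2 package machine-actionable and sanity-check it first.
Added example, stdlib only; SAMPLE_STIX_1_2 and SAMPLE_PROXY_LOG are constructed."""
import ipaddress
import re
import xml.etree.ElementTree as ET
from collections import namedtuple

NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "stixCommon": "http://stix.mitre.org/common-1",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1",
}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
ACCEPTED_CONFIDENCE = {"High", "Medium"}  # local policy (assumption), not part of STIX
# Ranges that must never reach a blocklist no matter who shared them (assumed local policy).
NOT_ACTIONABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")]

Indicator = namedtuple("Indicator", "kind value source_id")

# Constructed package: two C2 addresses in one ##comma## list, a domain with odd casing,
# an RFC 1918 address somebody "shared", and a Contains pattern that is not a blocklist entry.
SAMPLE_STIX_1_2 = """<stix:STIX_Package version="1.2" id="example:Package-1"
  xmlns:stix="http://stix.mitre.org/stix-1" xmlns:indicator="http://stix.mitre.org/Indicator-2"
  xmlns:stixCommon="http://stix.mitre.org/common-1" xmlns:cybox="http://cybox.mitre.org/cybox-2"
  xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
  xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <stix:Indicators>
  <stix:Indicator xsi:type="indicator:IndicatorType" id="example:indicator-1">
   <indicator:Observable><cybox:Object><cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
    <AddressObj:Address_Value condition="Equals" apply_condition="ANY">198.51.100.23##comma##203.0.113.9</AddressObj:Address_Value>
   </cybox:Properties></cybox:Object></indicator:Observable>
   <indicator:Confidence><stixCommon:Value>High</stixCommon:Value></indicator:Confidence>
  </stix:Indicator>
  <stix:Indicator xsi:type="indicator:IndicatorType" id="example:indicator-2">
   <indicator:Observable><cybox:Object><cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType" type="FQDN">
    <DomainNameObj:Value>Evil.Example.NET.</DomainNameObj:Value>
   </cybox:Properties></cybox:Object></indicator:Observable>
   <indicator:Confidence><stixCommon:Value>Medium</stixCommon:Value></indicator:Confidence>
  </stix:Indicator>
  <stix:Indicator xsi:type="indicator:IndicatorType" id="example:indicator-3">
   <indicator:Observable><cybox:Object><cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
    <AddressObj:Address_Value>10.20.30.40</AddressObj:Address_Value>
   </cybox:Properties></cybox:Object></indicator:Observable>
   <indicator:Confidence><stixCommon:Value>High</stixCommon:Value></indicator:Confidence>
  </stix:Indicator>
  <stix:Indicator xsi:type="indicator:IndicatorType" id="example:indicator-4">
   <indicator:Observable><cybox:Object><cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
    <DomainNameObj:Value condition="Contains">cdn</DomainNameObj:Value>
   </cybox:Properties></cybox:Object></indicator:Observable>
   <indicator:Confidence><stixCommon:Value>Medium</stixCommon:Value></indicator:Confidence>
  </stix:Indicator>
 </stix:Indicators>
</stix:STIX_Package>"""

SAMPLE_PROXY_LOG = [  # constructed lines: timestamp client method target status
    "2015-09-29T08:13:01Z 10.0.0.5 GET http://evil.example.net/update.bin 200",
    "2015-09-29T08:13:02Z 10.0.0.7 GET http://www.example.com/ 200",
    "2015-09-29T08:13:03Z 10.0.0.5 CONNECT 203.0.113.9:443 -",
    "2015-09-29T08:13:04Z 10.0.0.9 CONNECT 198.51.100.230:443 -",
]


def _validate(kind, raw):
    """Return (True, normalised value) or (False, reason)."""
    if kind == "ip":
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            return False, "malformed address %r" % raw
        if any(ip in net for net in NOT_ACTIONABLE):
            return False, "non-routable address %s; blocking it would hit your own network" % ip
        return True, str(ip)
    host = raw.strip().lower().rstrip(".")
    if not re.fullmatch(r"(?:[a-z0-9-]+\.)+[a-z0-9-]+", host):
        return False, "malformed domain %r" % raw
    return True, host


def extract_indicators(xml_text):
    """Parse a STIX 1.2 package; return (accepted Indicators, [(indicator id, reason)])."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}STIX_Package" % NS["stix"] or root.get("version") != "1.2":
        raise ValueError("not a STIX 1.2 package")
    accepted, rejected = [], []
    for ind in root.iterfind("stix:Indicators/stix:Indicator", NS):
        ind_id = ind.get("id", "<no id>")
        conf = ind.findtext("indicator:Confidence/stixCommon:Value", default="", namespaces=NS)
        if conf.strip() not in ACCEPTED_CONFIDENCE:
            rejected.append((ind_id, "confidence %r below local threshold" % conf))
            continue
        for props in ind.iterfind(".//cybox:Properties", NS):
            # xsi:type is a QName; ElementTree keeps the producer's prefix, so compare the local part.
            obj_type = props.get(XSI_TYPE, "").rsplit(":", 1)[-1]
            if obj_type == "AddressObjectType" and props.get("category") in ("ipv4-addr", "ipv6-addr"):
                kind, elem = "ip", props.find("AddressObj:Address_Value", NS)
            elif obj_type == "DomainNameObjectType":
                kind, elem = "domain", props.find("DomainNameObj:Value", NS)
            else:
                rejected.append((ind_id, "unsupported object %r" % props.get(XSI_TYPE)))
                continue
            # CybOX: a missing condition means Equals. Contains/StartsWith/regex are patterns,
            # not blocklist entries; they need a pattern engine, so they are not accepted here.
            if elem is None or elem.get("condition", "Equals") != "Equals":
                rejected.append((ind_id, "not an exact-match value; needs a pattern engine"))
                continue
            for raw in (elem.text or "").split("##comma##"):  # STIX 1.x multi-value delimiter
                ok, result = _validate(kind, raw)
                if ok:
                    accepted.append(Indicator(kind, result, ind_id))
                else:
                    rejected.append((ind_id, result))
    return accepted, rejected


def match_log_lines(indicators, lines):
    """Return (line number, Indicator) for lines containing an indicator as a whole token."""
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        for ind in indicators:
            if re.search(r"(?<![\w.-])%s(?![\w-])" % re.escape(ind.value), low):
                hits.append((n, ind))
    return hits


if __name__ == "__main__":
    accepted, rejected = extract_indicators(SAMPLE_STIX_1_2)
    for ind in accepted:
        print("ACCEPT", ind.kind, ind.value, "from", ind.source_id)
    for ind_id, why in rejected:
        print("REJECT", ind_id, why)
    for n, ind in match_log_lines(accepted, SAMPLE_PROXY_LOG):
        print("HIT line", n, ind.kind, ind.value)
```

Run as a script it accepts the two C2 addresses and `evil.example.net`, rejects indicator-3 (RFC 1918 address) and indicator-4 (a `Contains` pattern), and flags log lines 1 and 3; line 4 does not hit because `198.51.100.230` is a different host from `198.51.100.23`. The rejection list is the point of Bret's second question: a consumer that acted on every value in an open feed would have blocked part of its own address space on the word of an anonymous producer.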


