
cti-users message



Subject: Re: [cti-stix] Re: [cti-users] MTI Binding


Very interesting thread, while, again, IMHO, we are mixing topics in
the same thread.
But this should be needed.
From the CTI TC stack described by Sean, I feel that:
- Ontology/data-model is of/for a Vision/Strategy level. With specific
Goals/Objectives. (Why we want data, to do what)
- Representation format implementation (JSON vs XML) is more of
Operational level. With ongoing discussions having differently focused
Goals/Objectives (How we need the data)
- Binding would be more Tactical (What data we need to do what we want)

For the Strategy to work, some would have to explain it (defining and
explaining the Goals), to the Operational level. That would set
requirements and help to make decisions at the operational level.

“Information is a source of learning. But unless it is organized,
processed, and available to the right people in a format for decision
making, it is a burden, not a benefit.” William Pollard

At the same time, listening to what the Operational level has to say will
help to maintain achievable and realistic goals (depending on time
and capabilities).
From my development experience, yes JSON is easy and simple. Meantime,
you should keep in mind that if you have goals, you will have to pay
the price to achieve them. So, for sure, we need data (we need a lot,
quickly, and of quality). Don't get trapped by the 'lazy programmers'
(I am one and worked with a lot of them) if you're losing too much and
won't reach your goals.
I do understand that using XML needs effort, and is not convenient
from an operational point of view.
But I do think that it offers what is needed to reach valuable objectives.
Like the strategy has to demonstrate the value of the efforts,
right now, I think some people just don't know if JSON offers the
needed requirements, to reach the same goals.
(change is always difficult, but good arguments can help, and maybe,
ROI can be demonstrated. Efforts are still needed to demonstrate value
of the change)


With that said, regarding Predictive Models, PMML was quickly
discussed in our community before, and it is considered in my XORCISM
research.
While I went through a relational approach (database), with pros and
cons, I see benefits in a PMML approach as a long term strategy.



2015-10-03 4:45 GMT+04:00 Jane Ginn <jane.ginn@gmail.com>:
> Hi All:
>
> While reading through this thread it occurred to me that the JSON-LD
> suggestion represents a significant shift in the level at which we are
> approaching the problem set. Cory has long been arguing for us to shift our
> focus to a semantic model that can serve as a language agnostic approach to
> solving the CTI sharing problem. Bret has been pushing for JSON as a tool to
> help us achieve more widespread adoption. We currently have bindings in XML
> and Python... but no MTI for moving forward with STIX 2.0.
>
> JSON-LD appears to address several of our issues at a higher level of
> abstraction.
>
> I'm also intrigued by the potential, from the POV of STIX consumers, at how
> PMML can be deployed seamlessly to use wire speed data on attacks for
> predictive modelling... or at least deploying the myriad of tools for
> predictive modelling. I expect this is an area of white space in the market
> that will be picked up by a vendor and developed as an enterprise solution.
> We just need to get the front end right for the integration.
>
> Jane Ginn
> Cyber Threat Intelligence Network

