OASIS Mailing List Archives
cti-users message
Subject: Re: [cti-users] Indicator Type / Vocabulary Implementation Questions


In regards to forcing a controlled vocab in STIX 2, I am torn. A controlled vocab would make STIX easier for software developers, but more difficult for product owners who are trying to push the boundaries of STIX within their products. Just the other day I was working on a proposal that had us doing something different with STIX that required us to release a few custom vocab entries. However, I could argue against custom vocabs as I have seen implementations of STIX that do not understand the whole concept of including additional XSDs in the namespace/header portion of the XML document.



Aharon

From: <cti-users@lists.oasis-open.org> on behalf of "Wunder, John A." <jwunder@mitre.org>
Date: Thursday, October 22, 2015 at 1:14 PM
To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>, "Palmer, Cliff A. (NE)" <Cliff.Palmer@gd-ms.com>
Cc: "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>
Subject: Re: [cti-users] Indicator Type / Vocabulary Implementation Questions

It would be nice to understand what software is doing with the field. Does it show up in the UI as a sort/filter? Do you base processing on it?

I heard a recent proposal to remove it entirely. What would be the impact of that?

John

From: <cti-users@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Thursday, October 22, 2015 at 1:10 PM
To: "Palmer, Cliff A. (NE)" <Cliff.Palmer@gd-ms.com>
Cc: "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>
Subject: RE: [cti-users] Indicator Type / Vocabulary Implementation Questions

I would agree, but the spec currently lets you put in any string.

I would propose that in STIX 2.0, if the consensus is that it should be a controlled vocabulary, that that be enforced in the spec, and that documents that don't follow the vocabulary are invalid.

I am not looking to do anything with the indicator at all on the receiving end - this is an indicator the software will produce as a result of an automated response. I find the current vocabulary to be very restrictive and full of obvious gaps. Even simple things like "Compromised Host" are absent. Also, all of the instances in the current vocabulary should be able to be prefixed with "Potential" in my opinion. ("Potential Malware Artifact")

-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown
From: "Palmer, Cliff A. (NE)" <Cliff.Palmer@gd-ms.com>
To: Jason Keirstead/CanEast/IBM@IBMCA, "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>
Date: 2015/10/22 12:55 PM
Subject: RE: [cti-users] Indicator Type / Vocabulary Implementation Questions
Jason, it seems to me that there is a value to having a controlled vocabulary for Indicator Type. You can probably enumerate the benefits in your circumstances better than anyone outside of your situation. The value of controlling the vocabulary should translate into a benefit to your users and provide an incentive for adoption.
Others will want to discuss adopting an ontology to control handling of indicators based on type. While my first thought is “There be dragons” (https://en.wikipedia.org/wiki/Here_be_dragons) it’s also true that an indicator type might not be as challenging as other ontologies. Are you able to describe how the indicator type affects the way you understand or treat the indicator?
I have built ontologies and found it interesting work, but it’s definitely non-trivial. I’d like to hear more about how you proceed.

Cliff Palmer

From: cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org] On Behalf Of Jason Keirstead
Sent: Thursday, October 22, 2015 11:18 AM
To: cti-users@lists.oasis-open.org
Subject: [cti-users] Indicator Type / Vocabulary Implementation Questions

Hi all, I am producing some new STIX content in an automated fashion, and am looking for feedback on my planned usage of indicator types:

As with many things STIX, the way you do this is so wide open that it makes implementation decisions difficult.


See: http://stixproject.github.io/data-model/1.2/stixVocabs/IndicatorTypeVocab-1.1/

So essentially, I can stick to the default vocabulary, *OR* I can define my own vocabulary, *OR* I can use it as a free-form string.

The problem I have with the default vocabulary is that this list is very restrictive, and there is no "Other" type.

First question
- Has there ever been thought to extending this vocabulary, or adding an "Other" type that one could then annotate in some way? I haven't seen this question come up on the STIX list.

Second question
- My other problem is, I can't define a new fixed vocabulary because this is user-generated stuff. I pretty much am stuck with either using the fixed vocabulary, or letting the user type in whatever they want. How many people are sticking to the controlled vocabulary here? If I use this as a free-form string, will it cause some tools to blow up? Anyone have experience here?



-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems

www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown
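As an added illustration (not code from anyone in this thread), here is a tolerant STIX 1.x consumer that tells apart the three usages Jason describes, the default vocabulary, a custom vocabulary declared via xsi:type, and a free-form string, and flags unknown values instead of failing, which is the "will it cause some tools to blow up" concern. The vocabulary entry list is assumed from memory of IndicatorTypeVocab-1.1, and the acme namespace and sample document are constructed.

```python
import io
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"
INDICATOR_NS = "http://stix.mitre.org/Indicator-2"
DEFAULT_VOCAB_NS = "http://stix.mitre.org/default_vocabularies-1"
# Assumed (from memory, not from the thread) to be the IndicatorTypeVocab-1.1 entries.
INDICATOR_TYPE_VOCAB_1_1 = {
    "Malicious E-mail", "IP Watchlist", "File Hash Watchlist", "Domain Watchlist",
    "URL Watchlist", "Malware Artifacts", "C2", "Anonymization", "Exfiltration",
    "Host Characteristics", "Compromised PKI Certificate", "Login Name",
    "IMEI Watchlist", "IMSI Watchlist",
}

# Constructed sample: one Indicator carrying all three usages from the thread.
SAMPLE = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
  xmlns:indicator="http://stix.mitre.org/Indicator-2"
  xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
  xmlns:acme="http://vocabs.example.com/acme" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <stix:Indicators><stix:Indicator xsi:type="indicator:IndicatorType">
  <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
  <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Compromised Host</indicator:Type>
  <indicator:Type xsi:type="acme:ResponseVocab-1.0">Potential Malware Artifact</indicator:Type>
  <indicator:Type>whatever the user typed</indicator:Type>
 </stix:Indicator></stix:Indicators>
</stix:STIX_Package>"""

def classify_indicator_types(xml_text):
    """Return [(category, value)] for every indicator:Type in a STIX 1.x document
    without rejecting the document: 'default-vocab', 'unknown-default'
    (default vocab claimed, value not in it), 'custom-vocab' or 'free-form'."""
    prefixes = {}  # xsi:type is a QName, so we need the prefix -> URI declarations
    for _event, (prefix, uri) in ET.iterparse(io.StringIO(xml_text), events=("start-ns",)):
        prefixes[prefix] = uri
    results = []
    for elem in ET.fromstring(xml_text).iter("{%s}Type" % INDICATOR_NS):
        value = (elem.text or "").strip()
        xsi_type = elem.get("{%s}type" % XSI)
        if xsi_type is None:                       # plain string, no vocabulary claimed
            results.append(("free-form", value))
            continue
        prefix, _, vocab = xsi_type.rpartition(":")  # unprefixed QName -> default ns ""
        if prefixes.get(prefix) == DEFAULT_VOCAB_NS and vocab == "IndicatorTypeVocab-1.1":
            known = value in INDICATOR_TYPE_VOCAB_1_1
            results.append(("default-vocab" if known else "unknown-default", value))
        else:                                      # any other xsi:type: a custom vocabulary
            results.append(("custom-vocab", value))
    return results
```

A consumer that only sorts or filters on this field can treat 'unknown-default' and 'custom-vocab' values as an "Other" bucket rather than rejecting the package.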