Subject: RE: [cti-users] Re: [cti-stix] Re: [cti-users] Re: [cti-stix] STIX 2.1 Proposal - STIX Question and STIX Answer
I see this as a problem that tools/platforms solve. Since we are not expecting any humans to look at the JSON stream out of TAXII, what we’ll have are tools that allow the user to configure what they see (at least I hope we do!).

My overriding concern here is that we discourage people from using Q&A as a substitute for sightings – we need to be super clear about that.

From: cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org] On Behalf Of Terry MacDonald

Hi Jason,

I can see your point, but I also believe that most people in a threat intel sharing community will want to receive as much threat intel as they can. The more information they are able to view then the more information they are able to use in their decision making processes.

Yes there may be some users that may not want to see all the STIX answers and questions, but I also firmly believe that this number is far, far less than the number of people that will find the STIX questions and answers useful. I also believe that the scales of STIX question and answers will be far, far lower than the number of normal STIX assertions being made, with a ratio something like 1:100 or 1:1000.

Right now people are members of trusted threat intel sharing groups that use mailing lists to share their threat intel. Questions and answers are being shared right now on those lists and 99% of those users don't complain with the questions being asked.

In my opinion the 80/20 rule applies here. I personally think that the value to the 99% of users who want to work together as a community to pool their information and find more miscreants greatly outweighs the few people who would rather not know that information as it's too many messages.

In the (unlikely) event that it does turn out to be a problem then we can always adjust the object in the future.

Cheers

Terry MacDonald
Cosive

On 11 Jan. 2017 2:52 am, "Jason Keirstead" <Jason.Keirstead@ca.ibm.com> wrote:

I may not care to see all of these questions and responses though.
From: Terry MacDonald <terry.macdonald@gmail.com>
I’m intrigued as it seems we’re back to looking at how to provide query capabilities in STIX/TAXII instead of just “what someone has shared”. This is something a lot of our customers are demanding and having to fill with our own solutions.

Paul Patrick

From: <cti-stix@lists.oasis-open.org> on behalf of Terry MacDonald <terry.macdonald@cosive.com>

Hi All,

In my discussion with colleagues, community groups and customers, one of the questions I keep getting asked about STIX is "Can I ask the community I'm in if anyone has information about a particular IP address?". At present my answer is …."Well, actually no. Not at present. You can only see what others have sent out."

This proposal outlines a way that we could implement this functionality, allowing STIX/TAXII to support requests for information, and responses to those requests.

Note: This initial proposal is for community-wide requests and community-wide responses. Future enhancements in later versions of STIX could allow for responses back to a single user if there was enough demand for this functionality.

Cheers

Terry MacDonald | Chief Product Officer |