I agree and I think STIX and TAXII work really well in certain conditions and even in some broad conditions. I do not want people to get confused by statements that are made when we say it has issues or use even harsher terms like it is broken (super passionate technical people often misuse words that can cause fear and paranoia to those not in the mud head deep).
Keep in mind that the things we are often talking about / complaining about are not that the sky is falling or the sun is going to blow up, or zombies have taken over the earth. Often they are about how we make things easier, faster, and more efficient, especially across ecosystem boundaries. The question we should be asking is how do we take STIX and TAXII and "apple-ize" it to make it super intuitive and super easy to use by everyone.
We need to remember that complexity is easy to build, simplicity is what is hard.
Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 62A6 5999 0F7D 0D61 4C66 D59C 2DB5 111D 63BC A303
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
> #1 Just a note regarding the vendors' perspective, why "STIX/TAXII in their current incarnation do NOT work very well"?
Can STIX be improved upon? Heck yeah. Should it be improved? Of course, when can we start!?!?!?
Does STIX in its current form not work? I tend to disagree. I speak to people who use STIX every day. Also, almost every major ISAC is using STIX/TAXII, or planning to use STIX/TAXII, in some fashion to share intelligence. Over 600 TAXII clients pull from http://hailataxii.com
every day, over 1,700 unique TAXII clients each month, with an average of about 180,000 TAXII requests every day. I fully support us doing as much of a revamp in STIX 2.0 as needed, but let's not play the success of all the work we have put into STIX/TAXII too short. I don't want us to confuse the new people coming into the group who may not understand STIX's history.
SOLTRA | An FS-ISAC & DTCC Company
18301 Bermuda Green Dr
Tampa, FL 33647
A quick comment re: "STIX/TAXII in their current incarnation do NOT work very well":
STIX/TAXII in their current incarnation work ***extremely well*** for many of us in many use cases. That does not mean we do not have challenges, but Open Community tools based on these standards are working today!
#1 Just a note regarding the vendors' perspective, why "STIX/TAXII in their current incarnation do NOT work very well"?
Why are all the big vendors still not here? (Do they think they have better patented proprietary solutions than CTI? Do they have no interest in collaborating on interoperability? Do they just wait for us to do the specification job for them before jumping in?) Vendor perspective feedback welcome here.
#2 Regarding the user perspective (and implicitly the vendor one), we would have to clearly demonstrate why CTI is important and what the benefits would be for an organisation to invest in it.
How does it operationally help a CSIRT/SOC to be more effective: save time and money, or do more, faster?
A few months ago, I commented about the STIX Course of Action specification.
From a strategic perspective, I think it could be useful, in the future (2.0 ?...), to take some time trying to develop the business element.
Without too much detail for now, because the -Cost- element is already specified, a little extension (money/time/quality in mind), e.g.:
The 'Time' property characterizes the estimated time for applying a Course of Action to achieve its targeted objective, ...
e.g.: it would take X days/hours for digital forensics of 1 workstation with Chain of Custody
The idea would be helping adoption and obtaining budget for CTI-related activities, services or technologies... by showing the business value.
And these kinds of extension points (which would first have to remain optional to avoid complexity), or support of other 'standards' like TLP, CVRF, etc., AND documentation/guidance referring to standards/frameworks/policies/compliance (mapping to CSF, SP 800-53 Families, ISO 27k, Incident Response, Business Continuity, etc.; in short, how to map bottom-up with top-down approaches (Ref. conceptual models & co. topic)) and how CTI fits in would help, imho, if not in answering #2, at least in creating interest and demonstrating the need from the user/vendor perspective.