Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion

I agree and I think STIX and TAXII work really well in certain conditions and even in some broad conditions. I do not want people to get confused by statements that are made when we say it has issues or use even harsher terms like it is broken (super passionate technical people often misuse words that can cause fear and paranoia to those not in the mud head deep).

Keep in mind that the things we are often talking about / complaining about are not that the sky is falling or the sun is going to blow up, or zombies have taken over the earth. Often they are about how do we make things easier, faster, and more efficient especially across eco-system boundaries. The question we should be asking is how do we take STIX and TAXII and "apple-ize" it to make it super intuitive and super easy to use by everyone.

We need to remember that complexity is easy to build, simplicity is what is hard.

Thanks,

Bret

Bret Jordan CISSP

Director of Security Architecture and Standards | Office of the CTO

Blue Coat Systems

PGP Fingerprint: 62A6 5999 0F7D 0D61 4C66 D59C 2DB5 111D 63BC A303

"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

On Jun 25, 2015, at 11:19, Aharon Chernin <achernin@soltra.com> wrote:

> #1 Just a note regarding the vendors perspective, why "STIX/TAXII in their current incarnation do NOT work very well"?

Can STIX be improved upon? Heck yeah. Should it be improved? Of course, when can we start!?!?!?

Does STIX in it's current form not work? I tend to disagree. I speak to people who use STIX everyday. Also, almost every major ISAC is using STIX/TAXII, or planning to use STIX/TAXII, in some fashion to share intelligence. Over 600 TAXII clients pull from http://hailataxii.com everyday, over 1,700 unique TAXII clients each month, with an average of about 180,000 TAXII requests everyday. I fully support us doing as much of a revamp in STIX 2.0 as needed, but let's not play the success of all the work we have put into STIX/TAXII too short. I don't want us to confuse the new people coming into the group who may not understand STIX's history.

Aharon Chernin
CTO

SOLTRA | An FS-ISAC & DTCC Company

18301 Bermuda green Dr

Tampa, fl 33647

813.470.2173 | achernin@soltra.com

www.soltra.com

From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Patrick Maroney <Pmaroney@Specere.org>
Sent: Thursday, June 25, 2015 9:20 AM
To: Jerome Athias; Peter Allor
Cc: cti@lists.oasis-open.org
Subject: Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion

A quick comment re: "STIX/TAXII in their current incarnation do NOT work very well":

STIX/TAXII in their current incarnation work *** extremely well*** for many of us in many use cases. That does not mean we do not have challenges, but Open Community tools based on these standards are working today!

Patrick Maroney
Office: (856)983-0001
Cell: (609)841-5104
pmaroney@specere.org

From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Jerome Athias <athiasjerome@gmail.com>
Sent: Thursday, June 25, 2015 2:17:45 AM
To: Peter Allor
Cc: cti@lists.oasis-open.org
Subject: Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion

#1 Just a note regarding the vendors perspective, why "STIX/TAXII in their current incarnation do NOT work very well"?
Why all big vendors are still not here? (do they think they have better patented proprietary solutions than CTI? do they have no interest of collaborating on interoperability? do they just wait we do the specification job for them before to jump in?). Vendor perspective feedback welcome here.

#2 Regarding the user perspective (and implicitly the vendor one), we would have to clearly demonstrate why CTI is important and what would be the benefits for an organisation to invest into it.

How does it operationally help a CSIRT/SOC to be more effective; save time and money, or do more, faster.

Few months ago, I commented about the STIX Course of Action specification.

From a strategic perspective, I think it could be useful, in the future (2.0 ?...), to take some time trying to develop the business element.
Without too much details for now, because the -Cost- element is specified; a little extension (money/time/quality in mind), e.g.:
The 'Time' property characterizes the estimated time for applying a Course of Action to achieve its targeted objective, ...
e.g.: it would take X days/hours for digital forensics of 1 workstation with Chain of Custody

The idea would be helping adoption and obtaining budget for CTI-related activities, services or technologies... by showing the business value.

And this kind of points of extensions (that would have first to remain optional to avoid complexity) or support of other 'standards' like TLP, CVRF, etc. AND documentation/guidance referring to standards/frameworks/policies/compliance (mapping to CSF, SP 800-53 Families, ISO 27k, Incident Response, Business Continuity, etc. - in short, how to map bottom-up with top-down approaches (Ref. conceptual models & co. topic)) and how CTI fits in would help, imho, if not answering to #2, at least to create interest, and demonstrate the need, from the user/vendor perspective.

2015-06-24 20:11 GMT+03:00 Peter Allor <pallor@us.ibm.com>:

Joep,
I think I will push back a bit here, especially on your 'certification' and 'compliance' aspects.

<rant>

We need to be "voluntarily" adopting this 'standard'.

While I can see Tony's comments about talking with EC bodies, the real adoption and use for CTI is in two communities, which by their nature are international.

They are the CSIRT Community, specifically National CSIRTs but also Critical Infrastructure CSIRTs and Enterprise CSIRTs (I will not delve into the Big, Medium, Small discussion). There is a whole lot going on in CSIRT Services Framework and Education Development where this can be included and is updating materials from CERT/CC-SEI that are now 20 years old.

Then there is the 'vendor' community, which has not been really engaged here. I know some will say they are part of that community, but then also tout how they are international. So we need the large IT Vendors and we need the broad IT Security Vendors as part of this process. That would be for all FOUR Sub-Committee's. Much of the indicators and expressions will need their input and adoption to actually gain traction for many and to enable the CSIRT Community (yes, the vendors are part of that community as well). Just to be clear, I am talking about Intel/McAfee, Symantec, Microsoft, IBM, Cisco/SourceFire, FireEye/Mandiant, and a slew of others.

Pushing mandatory compliance and certification does not work globally (think Common Criteria / NIAP, I could go on on that alone) and in security venues globally it is a check box with little use. Now I know that vendors are looking to be part of this, but the sentiment here in the discussions does not reflect that. I say that from a vendor and incident response community perspective.

So lets focus on how we get their perspectives to be included, as I know as vendors, we see that STIX/TAXII in their current incarnation do NOT work very well and that exchanging threat data today is severely challenged. The goal for CTI is to make that easier and simple for users and that means we as designers need to have the implementers involved and participating, not corralled and shamed. If you take CVRF as an example, you can see that vendors do want a system and are willing to put it into operations and such, but the customer and the vendor need to have value out of it, not just another checkbox.

</rant>

Sincerely,
Pete

Peter Allor
Senior Security Strategist, Project Manager, Disclosures
Product Management and Strategy
IBM Security
6303 Barfield Rd NE
Atlanta, GA 30328-4233
Mobile: +1-404-643-9638
Fax: +1-845-491-4204
pallor@us.ibm.com

<graycol.gif>Joep Gommers ---06/24/2015 11:15:54 AM---Hi Patrick, Great point. I think part would be an effort of mapping the landscape on

From: Joep Gommers <joep@intelworks.com>
To: Patrick Maroney <Pmaroney@Specere.org>, Mark Clancy <mclancy@soltra.com>, Peter F Brown <peter@peterfbrown.com>, "tony@yaanatech.com" <tony@yaanatech.com>, Rich Struse <richard.struse@dhs.gov>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Date: 06/24/2015 11:15 AM
Subject: Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion
Sent by: <cti@lists.oasis-open.org>

Hi Patrick, Great point. I think part would be an effort of mapping the landscape on the one side, ensuring the tooling required to enable people to be compatible (in addition to the standards and corresponding libraries) and part certification to solidify and ensure compliancy. Especially the latter option combined with hall of fame/shame (in a nice way :)) could drive some tangible KPIs.. ? Best regards, Joep On 6/24/15, 4:29 PM, "Patrick Maroney" <Pmaroney@Specere.org> wrote: >I would agree with the position that Engagement subsumes Outreach. > >One open question is where Interoperability (as a tangible deliverable) >fits into our stratgegy. > >Patrick Maroney >Office: (856)983-0001 >Cell: (609)841-5104 >pmaroney@specere.org >________________________________________ >From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of >Mark Clancy <mclancy@soltra.com> >Sent: Wednesday, June 24, 2015 10:17:23 AM >To: Peter F Brown; tony@yaanatech.com; Rich Struse >Cc: cti@lists.oasis-open.org >Subject: Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion > >All, >I agree with need this SC and am happy to help. I have been doing a lot >this as part of my role as DTCC's CISO in addition to my Soltra role. I >have been presenting/meeting in the US, Europe and Asia. I spend a lot of >time with legislators, policy makers, and global financial regulators on >information sharing and why automation is a key part of capablity needs. >By the same token most of the challenges in the global context are not >purely technical but national and regualtory impediments. Not to say the >technical things we are doing in CTI commitee in Oasis isn't also >critical as it certianly is, but that if we only address the technical >side of this problem we won't achieve the risk mitigation benefits we all >desire. > >So at some level what do we think "engagement" means vs. "outreach"? > >-Mark > > >Mark Clancy >Chief Executive Officer >SOLTRA | An FS-ISAC and DTCC Company >+1.813.470.2400 office | +1.610.659.6671 US mobile | +44 7823 626 535 >UK mobile >mclancy@soltra.com | soltra.com > >One organization's incident becomes everyone's defense. > > > >________________________________________ >From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of >Peter F Brown <peter@peterfbrown.com> >Sent: Tuesday, June 23, 2015 6:37 PM >To: tony@yaanatech.com; Rich Struse >Cc: cti@lists.oasis-open.org >Subject: RE: [cti] CTI-Outreach Sub-Committee Nominations/Discussion > >+1 >Also agree with comment in an earlier thread that this SC ought to have >engagement as a core focus rather than outreach - and that ought to be >reflected in the name of any proposed SC. >Regards, >Peter > > >-----Original Message----- >From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org] On >Behalf Of Tony Rutkowski >Sent: 22 June, 2015 13:08 >To: Rich Struse >Cc: cti@lists.oasis-open.org >Subject: Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion > >Hi Rich, > >There is a great symmetry occurring here on a global scale. > >The first day of the annual cybersecurity workshop was held this >afternoon here in Sophia Antipolis in France's approximation of Silicon >Valley in the hills of Valbonne, France. There are people here from >around the world, but this afternoon was somewhat Euro centric with key >officials describing what was essential to regional and national >cybersecurity. Perhaps not by coincidence, cyber threat intelligence >sharing was at the top of their lists - along with security assurance. > >The four people who were engaged at this session were: > >o Florent Frederix who heads the key Network Information Security >(NIS) initiative of the the European Commission and has some >responsibilities at the Directorate level similar to Rich Struse's as the >execution arm of the EU cybersecurity strategy - the analog of the White >House's framework initiatives. > >o Chris Ensor who heads up cybersecurity work in the UK's CESG >organization - also similar to Rich's responsibilities. > >o Marc Henauer of Switzerland's MELANI organization that is similar the >principal Swiss threat intelligence sharing body. > >o Edri an Belmonte, who plays the lead role in this area in ENISA > >All of the presentations except Cris Ensor's are available at: >http://docbox.etsi.org/Workshop/2015/201506_SECURITYWEEK/SECURITYWS/S01_SE>TTINGTHESCENE/ > >In the discussion session following the presentations, speaking at the >ETSI TC CYBER threat intelligence sharing rapporteur, I had the >opportunity to explain the creation of the new TC CTI committee and how >the platforms being pursued in CTI were proven best-of-breed models and >structured information sharing specifications that provided an ideal >match to each of their objectives. > >It was quite amazing how each of the parties - even in Europe - was >rather independently pursuing similar objectives. > >We also discussed how the work of TC CYBER was to survey the global >cybersecurity ecosystem and make use of the most successful existing >standards and not pursue duplicative work. Everyone seemed in agreement, >and going forward, there seems like an excellent basis for convergence >with the CTI work now getting underway. > >There will be further discussion at the workshop over the next two days >as well as definitive actions at the TC CYBER meeting on Thursday and >Friday. It was a good beginning that was continued usefully over local >provence wine and hors d'oeuves this evening (and setting a useful >precedent for future TC CTI physical gatherings). > >--tony > > > > >--------------------------------------------------------------------- >To unsubscribe from this mail list, you must leave the OASIS TC that >generates this mail. Follow this link to all your TCs in OASIS at: >https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php> > >--------------------------------------------------------------------- >To unsubscribe from this mail list, you must leave the OASIS TC that >generates this mail. Follow this link to all your TCs in OASIS at: >https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php

> [attachment "CTI Standards Adoption.docx" deleted by Peter Allor/Atlanta/IBM] --------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at:https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php

cti message