Understanding what Idioms are supported or what elements of an Idiom are supported is valuable, yes. But think of certification in regards to bigger-level items.
1) Does the system support data marking / handling? And if so, can you appropriately handle something that is like a TLP RED?
2) Does the system actually support delete requests?
3) Does the system support full fidelity on a STIX package's producer chain? Or does it strip all of that away? Further, if we add an ability to sign a STIX package, does the system support that and the ability to re-issue the package with the cert or include it somehow?
4) On the TAXII side, does the system support Data Feeds or just Data Sets?
5) Does the TAXII system support inbox services or just poll services?
6) What is the sustained rate that a system supports, in tiers?
What I would like to see is a simple and easy-to-understand tier system with certification. We have talked about this a lot over the past year and I think a lot of really good ideas have been brought up... Imagine that the first few levels are self-asserting. Then the final few levels will have an official certification process similar to the WiFi Alliance. Initially, for the first few years, say 3-5 years, we would only do self-assessment. Then in, say, the 5-year time frame we would do an official certification process.
Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 62A6 5999 0F7D 0D61 4C66 D59C 2DB5 111D 63BC A303
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
The adoption chart is part of the need and the OVAL example is a good one.
Another side of this is the STIX profile (https://stix.mitre.org/about/documents/STIX_Profiles_Overview_White_Paper_v0.1.pdf). This is important as different parts of the ecosystem have and need different levels of 'completeness' in how they handle Cybox/STIX. So if I am trying to consume STIX data for, say, a Snort-based IDS system, there are a lot of Cybox objects (like Win Reg key) and STIX object types (like, say, Campaigns) that don't make any sense for a Snort-based sensor to consume or produce. Whereas we also have STIX implementations for devices/sensors like, say, a SIEM that can/should handle more Cybox/STIX object types, but don't do so at present. It is kind of hard to describe the difference between those two levels of implementation. I could have everything implemented for a Snort-type IDS that the device is able to do, and have the same number of STIX/Cybox objects supported in a SIEM tool which should be able to handle a lot more of these; the STIX profiles would be the same, but the maximum possible maturity of the implementations IMHO is quite different.
I would really like to see the concept of an implementation maturity model worked into the 'adoption' notions here. We see quite a difference between "like" products in the same categories as to their level of implementation. Today you could say you support STIX if you support, say, IPv4 address Cybox objects and only STIX Observables. Technically that is STIX 'support', and if that is what is in your STIX profile you are legit. The reality is the STIX profile is the way to 'transact' the objects supported vs. not when being shared, but we need a simpler summary of this so that customers of these products can make informed choices about what "we support STIX/TAXII" actually means. If consumers experience "STIX support" at this level of maturity/completeness and they expected much more, it is going to reflect poorly on our standards. So, say, supporting one Cybox object and one STIX object is Level 1 maturity in a single direction, but supporting all Cybox and STIX objects, bi-directionally, linked to each other, is a much higher level.
I suggest we add this to the outreach workstream as a way of keeping track of what "adoption" really means.
Chief Executive Officer
SOLTRA | An FS-ISAC and DTCC Company
+1.813.470.2400 office | +1.610.659.6671 US mobile | +44 7823 626 535 UK mobile
One organization's incident becomes everyone's defense.