OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

cti message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [cti] CTI TC Adoption and Interoperability SCs


Thanks, that helps.

One thing that might be worth calling out is what each statement means for pure consumers, pure producers, and hybrid products. For example in considering data markings a pure consumer would presumably need to support ALL of the data markings allowed in the profile while a producer only needs to be able to produce some of them. OTOH pure consumers don't need to worry about re-sharing content w/ the original info source since they never share while hybrid products do.

From: "Jordan, Bret"
Date: Monday, July 13, 2015 at 2:55 PM
To: "Wunder, John A."
Cc: "cti@lists.oasis-open.org"
Subject: Re: [cti] CTI TC Adoption and Interoperability SCs

Is there a way with "your" product to trace the STIX object back to the original source/publisher?  

Meaning, if someone send you a STIX package with an Information Source object included in it (and there is no data marking object that prevents the information source from being shared), do you keep it around and use it if you republish that STIX package.  Yes, it seems obvious in open sharing that people would do this, but my guess is that if we do not call it out, some will just drop it on the floor and do their own thing.  


Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On Jul 13, 2015, at 12:40, Wunder, John A. <jwunder@mitre.org> wrote:

What do you mean by "information source integrity"?

From: <cti@lists.oasis-open.org> on behalf of "Jordan, Bret"
Date: Monday, July 13, 2015 at 2:37 PM
To: Jason Keirstead
Cc: "cti@lists.oasis-open.org"
Subject: Re: [cti] CTI TC Adoption and Interoperability SCs

Okay, now I think we are getting out of the weeds and moving forward, so what about this, with the changes from Jason and Eric.

For STIX:

Does your product support:
S1) Data marking / handing
S2) Information source integrity
S3) The required fields from the following STIX Idioms
a) Indicators
b) Incidents
c) Threat Actors
d) Campaigns
e) TTPs
f) Course of Actions
g) Exploit Targets
h) Observables
S4) The required fields from the following CybOX objects
i) TBD
S5) Do you support STIX Profile processing for the following profiles
a) TBD
b) TBD

Optional Extras You Might Support (this is meant to give extra color / context to differentiate products)
SA) Do you have a UI for STIX generation



For TAXII:

Does your product support:
T1) Discovery Services
T2) Collection Services
T3) Subscription Services
T4) Poll Services
T5) Inbox Services
T6) Data Feeds
T7) Data Collections
T8) Delete Requests

Optional Extras You Might Support
TA) Authentication 
TB) Two-factor Authentication


Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On Jul 13, 2015, at 12:27, Jason Keirstead <Jason.Keirstead@ca.ibm.com> wrote:

RE STIX 3.h, I would also like to see included in the profile a list of the CybOX objects supported.

RE TAXII 8,9 I am not sure how authentication types can be included in the profile when they are not part of the TAXII protocol.

-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown





[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]