First and foremost, STIX is a great step in the right direction. We have a lot of early adopter success and from that, we have learned a lot about what works and what does not. Many of us that have been around for 18-24 months or more, can attest to the fact that we believe in STIX and believe it is the way forward.. However, we have also learned a lot since we started.
I base my comments and views on the calls and emails I get from loads of vendors and threat intelligence providers that have tried STIX and are asking me if there is another way (now some vendors have found ways to make it work for them and I applaud them all). Their complaints are nearly unanimous in that:
1) STIX is complicated and hard to use
2) STIX is way to slow for what they need.
Lots of members on this list have heard the same thing from the groups they consult with and MITRE folks heard that a lot at the FIRST conference in Berlin. So STIX is NOT broken, we just have some stumbling blocks we need to address to enable deeper market penetration.
I believe in STIX and TAXII. This is why I am allocating so much of my personal time to this effort. This is also why I am willing to Co-Chair, I believe in it and want to see it succeed..
Major items we need to address:
1) Easy of use and easy of understanding this does not mean simplifying what we can document 2) Single way of doing things 3) Speed and performance in serialization, transmission, analysis, etc. 4) Data Marking / Data Handling 5) Information source integrity
We need to think about every handheld running a client that can talk STIX and TAXII and collection points getting 100 Million to a Billion indicators a day. We also need to think about systems that will have massive amounts of back and forth chatter as indicators get enriched and more context gets added.
I would love to have each subcommittee have a plan of record in place for their next major release by the end of September and have an early draft of major ideas and how they are going to achieve them by end of year. My hope is that by early summer 2016 we can have drafts ready for submission to OASIS on the next generation of CTI.
Thanks,
Bret Bret Jordan CISSPDirector of Security Architecture and Standards | Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
So it seems the question is as follows: - Is STIX so broken that we won't achieve more than a minor (20%) adoption rate without a major change? The hypothesis also being made is that the major area where it is 'broken' is in the physical data representation (currently XML).
If both of these statements are correct, we should make this priority #1, as any other effort is mostly futile.
I personally do not have enough information to prove or disprove these statements. I might ask, have we surveyed the community to see if this is correct? Often times this group gets into heavy debate where we are making assumptions about the community... can't we just ask them? Not 1 or 2 people... but all of them! (ok, most will suffice)
We need to take in to account the law of the diffusion of innovation and realize that now is the best time to make a major change that will have long term value and benefit. The overall impact right now will be minimal due to the fact that while we have several early adopters, the overall market penetration is still very low.
For us to claim success we need to get north of 18-20% market penetration and I believe we can do it, but to do so we need to identify the stumbling blocks that are preventing deeper market penetration and then have the courage to address and fix them.
Remember my now go to statement, Complexity is easy to build, simplicity is not.
Thanks,
Bret Bret Jordan CISSPDirector of Security Architecture and Standards | Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
Trey,
Note - This is in regards to the work done on the next 'major' version releases of STIX/TAXII/CybOX, and does not apply to the 'phase 1' projects currently underway.
As with everything, there are negatives and benefits of any approaches we choose. It is imperative that vendor impact is taken into account, just as it is imperative that we review what the end customers of these systems need, so that the standards can provide the value that the customers are seeking. We must do everything to continue the value that STIX/TAXII/CybOX are offering right now. We must ensure that the multitude of users, each with their own valid use cases, are encouraged to provide their inputs into the development process so that the result accurately reflects the needs of the entire community.
But... we also need to take a long hard look at the bits of STIX/TAXII/CybOX that don't work well and improve them. We cannot stand back and leave things the same when we can see parts that don't work as well as they should. Changes should only be made if there is sufficient justification for doing them. And it is up to the Sub-Committee, Technical committees and ultimately the OASIS body as a whole to determine if that justification is valid.
I personally feel that major versions (and the ability to have breaking changes) come along so infrequently that we need to look at all parts of the CTI standards to see where we can do things better. We need to look at everything from better transport mechanisms through to additional fields and even potentially addition STIX objects to be able to describe security situations more accurately. We need to optimise and to investigate use cases and review implementers feedback and to devise enhancements that provide extra value that we haven't even thought of up until now.
Yes, there will be impact on implementers. This was always going to be the case with a standard so new. But if we as a community can make sure that the impact can be minimised, is justified and the benefits outweigh the negatives, then everyone wins.
|