Re: [cti] [renamed] what should we do next

["Kirillov, Ivan A." <ikirillov@mitre.org>]

+1 to John’s idea of creating a “brain dump” of high-level ideas regarding future design goals and directions that we should take. I think should a list would serve as a great starting point for getting a feel for what the community wants to do; once we have it, we can then begin to vote, prioritize, and elaborate on particular ideas.  Also, I think we should split this up between the three efforts, since while there will be some overlapping concepts, there will also be those that are unique to each. 

However, doing this via email is _SUPER_ painful. I would encourage us to use our CTI wiki (or another method) as a means of cataloguing this; all of us should have the ability to edit the pages, and we can see revision history to see who added what. I’ve taken a stab at creating such a page for CybOX, based on some of the ideas that have already been circulated, as well as some discussions that Trey and I have had: https://wiki.oasis-open.org/cti/CybOX%203.0%20Ideas

Also, +1 to Trey’s idea of doing a study on serialization formats.

Regards,

Ivan

From: <cti@lists.oasis-open.org> on behalf of Bret Jordan
Date: Tuesday, July 28, 2015 at 12:38 PM
To: "cti@lists.oasis-open.org"
Subject: Re: [cti] [renamed] what should we do next

And to further clarify my view, and some of you have heard this from me privately. 

If it was up to me, my goals for this TC would be to make STIX and its children so easy and simple to use that everyone would just want to use it.  I want us to become the DLNA for security tools.  I want every vendor to WANT to integrate with STIX and have a library pool and tooling to make it just brain dead simple to use.  Basically be able to take someone that knows nothing about CTI sharing and get them up to speed on STIX and its children in under 20 minutes.  

I want the data models to be very intuitive and logical, and have one way of doing things.  Then I want to create a series of short 2 minute web cast videos that walk people through using STIX and its children for the major use cases.  

Basically I want to see us get across the chasm and go mainstream.  See "law of diffusion of innovation"

Thanks,

Bret

Bret Jordan CISSP

Director of Security Architecture and Standards | Office of the CTO

Blue Coat Systems

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

From: <cti@lists.oasis-open.org> on behalf of "Jordan, Bret"
Date: Tuesday, July 28, 2015 at 11:18 AM
To: "cti@lists.oasis-open.org"
Subject: [cti] [renamed] what should we do next

Moving this discussion to the global TC and out of each SC.

John I agree with you, we need to list out some top level design goals for this "thing" we are building, however, i also think this is something that we can solve in less than 7-10 days.  We know what people have been asking for, we have heard them talking about it for 18-24 months.  The problem in the past was, discussions would fizzle out because we the community felt like if MITRE did not like the idea, it was just blackholed.

So the way forward is lets have everyone spell out their requirements for the future of the beautiful CTI Tomorrowland, lets do a simple up-down vote, and then start working on getting these things done.... This does not need to be complicated or drawn out.  

My list in order of importance:

1) We should do major releases of STIX, CybOX, and TAXII and build on what we now understand about peoples needs.

2) Everything should have one way of doing things and should be simple, easy to understand, and fast

3) Serialization

4) Simplify structures and flatten nested structures when possible

5) Top level relationships

6) Top level sightings   

I would also like to ask that on the Wiki, we start spelling out detailed use cases that are going to drive the use of CTI.  

Thanks,

Bret

Bret Jordan CISSP

Director of Security Architecture and Standards | Office of the CTO

Blue Coat Systems

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."