cti message

Subject: Using Network Based Security Systems to Search for STIX and TAXII Based Indicators of Compromise [Paper]

A recent paper analyzing STIX and TAXII came across my desk (and that of my MITRE colleagues) over the weekend: Using Network Based Security Systems to Search for STIX and TAXII Based Indicators of Compromise, by Jason Mack [1], available at the SANS Reading Room site [2].


This document investigates STIX and TAXII quite a bit. I have a few key excerpts I’d like to highlight, since I believe they represent important challenges this group is capable of addressing:


- “even though there are two well-known TAXII clients available for use, there is still no native support by the more popular network security tools themselves – such as Snort” (Page 26)

- “Primary limitations currently exist in two areas. The first lies in the capabilities and inherent weaknesses of the network security devices themselves, while the second is the lack of widespread STIX and TAXII adoption.” (Page 26)

- “… STIX and TAXII as a standard has only been introduced over the last few years so adoption has only just begun. This is quite evident when one looks at the relatively minimal number of TAXII clients available …” (Page 27)

- “… this technology is only as good as the ability of the network security devices that support it.” (Page 28)


With those challenges laid out, I’d like to offer up some ideas for addressing them:

1. Identify how we think threat information can move from a TAXII Server to a sensor. Thus far, the “last mile” has been somewhat of an exercise left to the reader, but it’s (to me) clearly something that TAXII users see as a missing piece of the puzzle. As one possibility, the TAXII SC has been investigating whether future revisions of TAXII could include exchanging information with sensors as in scope. Another alternative would be to identify a complementary technology, if one exists.

2. Keep lowering the cost of adoption. This is a call that we’ve heard in the past (on the old MITRE lists and elsewhere). We’ve done a good job in some ways, and I think we can do better in other ways. If we take the perspective that we can increase future adoption by reducing the cost, then we must do our best to keep lowering the cost of adoption any way we can.


Of course those are just my thoughts and opinions – I’m interested in hearing what other people have to think, and whether the ideas I’ve offered hold water.


Thank you.

-Mark Davidson


[1] https://www.sans.org/reading-room/whitepapers/detection/network-based-security-systems-search-stix-taxii-based-indicators-compromise-36147

[2] https://www.sans.org/reading-room/
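As an added illustration of the “last mile” gap the message describes (example code, not from the paper, the TAXII SC, or the original post): a Python sketch that takes a STIX bundle as a TAXII collection poll would return it, turns IPv4 and domain indicators into Snort rules, and reports the indicators a network sensor has no way to match. It assumes STIX 2.1 JSON (which post-dates the message); the bundle, object ids, rule messages and hash value are constructed.

```python
import json
import re

# Constructed STIX 2.1 bundle standing in for a TAXII poll response.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111100",
    "objects": [
        {"type": "indicator", "id": "indicator--11111111-1111-4111-8111-111111111101",
         "name": "Known C2 address (constructed)", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.5']"},
        {"type": "indicator", "id": "indicator--11111111-1111-4111-8111-111111111102",
         "name": "C2 domain (constructed)", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'c2.example.net']"},
        {"type": "indicator", "id": "indicator--11111111-1111-4111-8111-111111111103",
         "name": "Dropper hash (constructed)", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '<constructed-placeholder-hash>']"},
    ],
})

IPV4_RE = re.compile(r"\[ipv4-addr:value\s*=\s*'(\d{1,3}(?:\.\d{1,3}){3})'\]")
DOMAIN_RE = re.compile(r"\[domain-name:value\s*=\s*'([A-Za-z0-9.-]+)'\]")


def dns_name_hexbytes(name):
    """Encode a domain as DNS wire-format labels in Snort |hex| content notation."""
    out = []
    for label in name.rstrip(".").split("."):
        out.append(f"{len(label):02x}")
        out.extend(f"{b:02x}" for b in label.encode("ascii"))
    out.append("00")  # root label terminates the name
    return "|" + " ".join(out) + "|"


def indicators_to_snort(bundle_json, base_sid=1000001):
    """Map simple STIX indicators to Snort rules; return (rules, skipped_indicator_ids)."""
    rules, skipped, sid = [], [], base_sid
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        pattern = obj.get("pattern", "")
        msg = obj.get("name", obj["id"]).replace('"', "'")
        if (m := IPV4_RE.fullmatch(pattern)):
            rules.append(f'alert ip $HOME_NET any -> {m.group(1)} any '
                         f'(msg:"STIX {msg}"; sid:{sid}; rev:1;)')
        elif (m := DOMAIN_RE.fullmatch(pattern)):
            rules.append(f'alert udp $HOME_NET any -> any 53 (msg:"STIX {msg}"; '
                         f'content:"{dns_name_hexbytes(m.group(1))}"; sid:{sid}; rev:1;)')
        else:
            skipped.append(obj["id"])  # e.g. file hashes: not observable on the wire by Snort
            continue
        sid += 1
    return rules, skipped
```

The skipped list is the point: a sensor-side consumer has to tell the analyst which indicators it silently cannot enforce, rather than dropping them.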
