OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

cti message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [cti-users] Publication of another threat intelligence standard: Open Threat Partner eXchange (OpenTPX)

Well this seems like something I have been predicting for about the past 18 months...  We should take this as a wake up call and make STIX better, easier, and faster, the alternative is people moving to YACS (yet another CTI standard).  The longer we take to gain mass adoption, the more likely it is for people to come up with something else.  I have even heard people talk about creating their own STIX Lite. 

Personally I think STIX and TAXII could be the best solution in the market.  But we need to move fast, we need to make things easier to do, and we need to switch to JSON.  I would love to see an easier and faster version of STIX by end of year 2015.



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On Oct 21, 2015, at 06:19, Wunder, John A. <jwunder@mitre.org> wrote:

Interestingly, they posted that same cartoon on their blog! https://www.opentpx.org/blog/introducing-open-threat-partner-exchange.html

BTW, from that blog post:

Why something new?
"We looked at XML and realized that it introduces, conservatively, double the amount of data we needed to process and transfer. When you're dealing with terabytes of raw data, doubling the size to conform to a format doesn't make a lot of sense. If we can convey the same information at half the size, it's an easy decision. JSON accomplishes the same goal with less overhead. XML formats like STIX also didn't have support for data types we needed. We already have experience trying to extend formats that didn't meet our current needs or weren't flexible enough for future needs. We looked at binary solutions like protobufs and realized that most producers of data were not going to spend time converting their processes into a format that was complicated for humans to quickly evaluate. A lot of data feeds are plain text, often compressed and the work involved in moving from a lists of IPs or domains to a JSON format is minimal, so the work for the data producer was not demanding. And to be honest, we're commonly the ones doing the conversion, so a common language was our goal.”


On Oct 21, 2015, at 7:01 AM, Trey Darley <trey@soltra.com> wrote:

On 21.10.2015 10:17:03, Grobauer, Bernd wrote:

I found this news item (from yesterday) about a new Open Source
effort on TI standardization and thought it might be of interest to
the group:

Good eye, Bernd, thanks for sharing!

My initial reaction was this [0]. But having reviewed the OpenTPX
introduction [1], I see some things that I quite like and from which
we might draw inspiration for the pending CTI standards major
revisions, namely: 

 * nifty query language
 * lightweight extensibility mechanism a la OpenIOC 1.1's Parameters
 * how they score observables and allow for aging the scores over
   time (cf. score_24hr_decay_i, page 16 in [1])

[0]: http://imgs.xkcd.com/comics/standards.png
[1]: https://www.opentpx.org/docs/openTPX-introduction.pdf

Trey Darley
Senior Security Engineer
4DAA 0A88 34BC 27C9 FD2B  A97E D3C6 5C74 0FB7 E430
Soltra | An FS-ISAC & DTCC Company
"One size never fits all." --RFC 1925

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]