Re: [cti] Documents

["Barnum, Sean D." <sbarnum@mitre.org>]

Mark, there are numerous groups who are interested in CybOX independent of STIX. This includes obvious things like MAEC and DFAX that would leverage CTI Common and CybOX but not STIX. It also includes communities focused on things like common sensor languages, supply chain risk management and anti counterfeiting, etc. It also includes numerous vendors who output detailed observations but do not adorn with or ingest the sort of context which STIX provides.

I agree with the value of the CybOX SC working to identify such players and get a feel for their requirements and usage. I do not believe that the fact we do not have this all written out today makes the above paragraph or its implications any less true.

sean

From: <cti@lists.oasis-open.org> on behalf of Mark Davidson <mdavidson@soltra.com>
Date: Monday, March 7, 2016 at 1:58 PM
To: "ppatrick@isightpartners.com" <ppatrick@isightpartners.com>, "Jordan, Bret" <bret.jordan@bluecoat.com>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Documents

Can we identify those external groups and their intended usage and/or requirements of e.g., CybOX so that we can more accurately decide how we want to support them?

I very much agree with the principle of making our work easier for others to re-use. Getting more clarity on their intended use will help us understand the decisions we are making. I will note that I view our primary goal as achieving the things set out in the charter, but I’d like to do as much as possible to support these external groups as well, to the extent that we understand their needs.

Thank you.

-Mark

From: <cti@lists.oasis-open.org> on behalf of Paul Patrick <ppatrick@isightpartners.com>
Date: Monday, March 7, 2016 at 1:47 PM
To: "Jordan, Bret" <bret.jordan@bluecoat.com>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Documents

I can understand the concern, but I actually see value in keeping them separate.  My understanding is that there is a growing number of other communities that are not using all 3 standards and forcing them to deal with STIX when they only care about CybOX creates yet another obstacle for them to based their work on these component.

The reality is that folks like the COA WG and others may likely need to extend one or more of these and won’t be able to wait till the CTI TC to get around to doing something.

Lets not make the barrier to work with all the great work we’ve been doing higher so people are less likely to go do something different.

Just my thoughts

Paul Patrick

Chief Architect

iSIGHT Partners

From: <cti@lists.oasis-open.org> on behalf of "Jordan, Bret" <bret.jordan@bluecoat.com>
Date: Monday, March 7, 2016 at 12:14 PM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: [cti] Documents

Right now, we have three documents for STIX & CybOX, aka CTI.  We have:

CTI Common 1.0

STIX 2.0

CybOX 3.0

I would like to challenge this design.  It seems like we are opening ourselves to document versioning and compliance / interoperability nightmares. 

1) Does it really make sense, other than for historical reasons, to keep these documents separate?  

2) If they were merged, then could not things like MAEC and other standards (that are NOT part of OASIS) just reference the sections that were of interest to them?

Thanks,

Bret

Bret Jordan CISSP

Director of Security Architecture and Standards | Office of the CTO

Blue Coat Systems

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."