

Subject: Re: [cti] Documents


That is what we discussed at the F2F when we introduced the idea of CTI Common.
We specifically discussed whether it made sense to create it as a separate work product immediately or to simply evolve it for now as part of the STIX and CybOX work and then break it out as an official work product once STIX 2.0 and CybOX 3.0 looked stable. I believe there was unanimous agreement to do the latter.

sean

From: Mark Davidson <mdavidson@soltra.com>
Date: Monday, March 7, 2016 at 2:19 PM
To: "Barnum, Sean D." <sbarnum@mitre.org>, "Jordan, Bret" <bret.jordan@bluecoat.com>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Documents

Sean, you said:

> CTI Common 1.0 is an initial version of a standard

Sorry if I missed it, but when did we all decide that we were adding this work product? I don’t recall discussion or vote around this, but then again I may have missed it.

Thank you.
-Mark

From: <cti@lists.oasis-open.org> on behalf of "Barnum, Sean D." <sbarnum@mitre.org>
Date: Monday, March 7, 2016 at 2:02 PM
To: "Jordan, Bret" <bret.jordan@bluecoat.com>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Documents

>1) Does it really make sense, other than for historical reasons, to keep these documents separate?  

YES!

>2) If they were merged, then could not things like MAEC and other standards (that are NOT part of OASIS) just reference the sections that were of interest to them?

No. That approach is not a good way for non-OASIS standards to leverage them apart from the numerous reasons not to combine them in the first place.


I would strongly disagree with any moves to merge these three documents.
Each document represents a different context and a different corresponding standards effort.

CybOX 3.0 is the 3.0 version of the CybOX standard focused on representing the facts of cyber observables independent of any particular implementation context. Having this be a separate standard not tied to any one particular usage context allows it to be effectively leveraged across multiple different usage contexts (STIX, MAEC, DFAX, and others).
STIX 2.0 is the 2.0 version of the STIX standard focused on representing diverse facets of cyber threat information and how they all interrelate. This includes acting somewhat as an umbrella relating different forms of content whose detailed form is best represented in independent domain-focused standardized representations (CybOX, MAEC, CVRF, CVE, CAPEC, CWE, DFAX (eventually), etc). Tightly coupling any of these domain-focused representations to STIX would reduce the ability of those domain communities to effectively manage their own standardized representations and would reduce their effective flexibility.
CTI Common 1.0 is an initial version of a standard focused on representing various information structures common to cyber security information representations. It is important that this remain independent such that different domain-focused representations can leverage these common structures without needing to pull in domain-specific structures from any other domain-focused representation and so that the “common” structures do not get too heavily biased towards any single domain. CTI Common is currently being leveraged by CybOX and STIX, will very likely be leveraged by MAEC and DFAX in the future, and has the potential for use within other cyber security representations as well to improve integrative consistency.

These are not simply different documents for parts of one single thing. They are three different documents for three different things.

I believe that merging these three efforts together would fundamentally damage the effectiveness and practicality of the ecosystem we are working to enable.

sean




From: <cti@lists.oasis-open.org> on behalf of "Jordan, Bret" <bret.jordan@bluecoat.com>
Date: Monday, March 7, 2016 at 12:14 PM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: [cti] Documents

Right now, we have three documents for STIX & CybOX, aka CTI.  We have:

CTI Common 1.0
STIX 2.0
CybOX 3.0

I would like to challenge this design.  It seems like we are opening ourselves to document versioning and compliance / interoperability nightmares. 

1) Does it really make sense, other than for historical reasons, to keep these documents separate?  

2) If they were merged, then could not things like MAEC and other standards (that are NOT part of OASIS) just reference the sections that were of interest to them?



Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 


