Subject: Re: [cti] Question Gathering: Relationship Preservation in Versioning (Implicit vs Explicit)
Thanks Sarah - this is precisely my thinking so I am glad I am not crazy :)
To copy/paste/revise something I sent in a Slack earlier today...
To me, you have to go back to the use cases. If I am an analyst, and I have built up a bunch of stuff around some intelligence using Maltego or I2 or whatever… when someone pushes an update, do I expect it to cascade through the model I have spent a week building? Or do I expect to have to go and manually update everything? If it was ME, I would want the cascade. And it's the same flow for automated tools as well… I set up a rule in a SIEM around STIX.. do I expect that rule to be dynamically updated with new versions? You betcha... If I have a daily report or dashboard running on a campaign, every day I run that report, I want it to show the latest information. I don't want it to be static, showing the same thing day in and day out. The same is true if I have something referencing a watch list, or something referencing a set of TTPs.
When I look at the actual use cases for intel.. I think people will usually want the latest. I am at a bit of a loss why everyone assumes that people will essentially want “stale” info by default.
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
Sarah Kelley ---03/21/2016 12:24:44 PM---I would argue that even as the producer I don’t want to have to update every relationship every time
From: Sarah Kelley <Sarah.Kelley@cisecurity.org>
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Date: 03/21/2016 12:24 PM
Subject: Re: [cti] Question Gathering: Relationship Preservation in Versioning (Implicit vs Explicit)
Sent by: <cti@lists.oasis-open.org>
I would disagree that "explicit is infinitely preferable to implicit". It depends *a lot* on the use case of the data and how widely shared the data is.
We have to remember, *anyone* can create relationships from or to a piece of data, not just the original producer. The original producer may not even know those relationships exist or have access to that information... and even if they do, they don't have permissions to update it. In a successful relationship model, people would be creating relationships everywhere, making a "web" of connected threat intelligence. However, if every time I publish an update to an object, all of its relationships break (relationships which, by the way, I certainly do not have permission to update as I am not the producer, and which I may not even have access to viewing), this "web" is not going to happen; instead we will just have many disconnected threads. The only reasonable solution for this problem would be to have TAXII servers and other intel repositories assume the job of updating all relationships transparently in the background whenever a new version comes along. But if we are assuming that, then why are we not just using implicit relationships in the first place?
We're moving a huge burden downstream. I also see no real benefit in this; as I pointed out in Slack, because everything has a timestamp, even if we have implicit relationships it is not hard for a repository to support querying the object that existed when the relationship was first created, if that is your aim (I still think this will be the far minority of actual real-world use cases).
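The following is an added example written for this page; it is not code from the thread, from OASIS, or from any STIX/TAXII implementation. It models the two behaviours argued over above in one small in-memory repository: relationships refer to objects by id only (implicit versioning), so by default resolving a relationship returns the latest version and a producer's update cascades to every consumer, while a consumer who wants the view that existed when the relationship was created can get it from the timestamps every object already carries, as Sarah describes. Field names (`id`, `created`, `modified`, `source_ref`, `target_ref`) follow STIX 2 draft conventions; the repository API, the object ids and the timestamps are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone


def parse_ts(value):
    """Parse an RFC 3339 UTC timestamp of the form 2016-03-21T12:24:44Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class VersionedRepository:
    """In-memory store that keeps every version of every object.

    Versions share an 'id' and are distinguished by 'modified'; a
    relationship refers to an object by id only (implicit versioning).
    Hypothetical API, not a TAXII server."""

    def __init__(self):
        self._versions = defaultdict(list)

    def put(self, obj):
        versions = self._versions[obj["id"]]
        versions.append(obj)
        versions.sort(key=lambda o: parse_ts(o["modified"]))

    def latest(self, obj_id):
        """Newest version of the object, or None if the id is unknown."""
        versions = self._versions.get(obj_id)
        return versions[-1] if versions else None

    def as_of(self, obj_id, when):
        """Newest version whose 'modified' is not after 'when', or None if
        no version of the object existed yet at that instant."""
        candidates = [o for o in self._versions.get(obj_id, [])
                      if parse_ts(o["modified"]) <= when]
        return candidates[-1] if candidates else None

    def resolve(self, relationship, pin_to_creation=False):
        """Return (source, target) for an id-only relationship.

        Default: latest versions, so producer updates cascade to every
        consumer.  pin_to_creation=True: the versions that existed when the
        relationship was created, using only the timestamps already present."""
        if pin_to_creation:
            when = parse_ts(relationship["created"])
            lookup = lambda obj_id: self.as_of(obj_id, when)
        else:
            lookup = self.latest
        return lookup(relationship["source_ref"]), lookup(relationship["target_ref"])

    def changed_since(self, obj_id, when):
        """Versions published after 'when': what a consumer holding a pinned
        view would want to review before accepting the cascade."""
        return [o for o in self._versions.get(obj_id, [])
                if parse_ts(o["modified"]) > when]


# Constructed sample data (ids and timestamps are made up for this example).
INDICATOR_ID = "indicator--3a0f1c2e-7b4d-4f6a-9c8e-2d1b5a7f9e01"
CAMPAIGN_ID = "campaign--8c2e4d10-5f7a-4b1c-a9d3-6e0f2b4c8a17"


def build_demo_repo():
    repo = VersionedRepository()
    repo.put({"type": "campaign", "id": CAMPAIGN_ID, "name": "Example Campaign",
              "created": "2016-03-10T00:00:00Z", "modified": "2016-03-10T00:00:00Z"})
    # The producer publishes an indicator...
    repo.put({"type": "indicator", "id": INDICATOR_ID, "name": "C2 host v1",
              "created": "2016-03-18T09:00:00Z", "modified": "2016-03-18T09:00:00Z"})
    # ...a third party (not the producer) links it to the campaign the next day...
    relationship = {"type": "relationship", "relationship_type": "indicates",
                    "source_ref": INDICATOR_ID, "target_ref": CAMPAIGN_ID,
                    "created": "2016-03-19T12:00:00Z"}
    # ...and the producer later revises the indicator (same id, newer 'modified').
    repo.put({"type": "indicator", "id": INDICATOR_ID, "name": "C2 host v2 (new IP)",
              "created": "2016-03-18T09:00:00Z", "modified": "2016-03-21T08:00:00Z"})
    return repo, relationship


if __name__ == "__main__":
    repo, rel = build_demo_repo()
    src, _ = repo.resolve(rel)
    print("cascade ->", src["name"])          # C2 host v2 (new IP)
    src, _ = repo.resolve(rel, pin_to_creation=True)
    print("pinned  ->", src["name"])          # C2 host v1
    print("changed ->", [o["modified"] for o in
                         repo.changed_since(INDICATOR_ID, parse_ts(rel["created"]))])
```

The point of `resolve` is that the same id-only relationship serves both camps: the dashboard or SIEM rule Jason describes calls it with the default and always sees the current indicator, while a consumer who needs the object "as it was when I linked it" passes `pin_to_creation=True` and gets it without the producer ever touching, or even knowing about, the third party's relationship. `as_of` returns `None` when the relationship predates every known version of the object (clock skew or a relationship received before the object it points to), so callers can distinguish "not yet published" from "unknown id".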
Trey Darley ---03/21/2016 08:49:30 AM---On 18.03.2016 23:36:16, Marlon.Taylor@us-cert.gov wrote: >
From: Trey Darley <trey@soltra.com>
To: <Marlon.Taylor@us-cert.gov>
Cc: <cti@lists.oasis-open.org>
Date: 03/21/2016 08:49 AM
Subject: Re: [cti] Question Gathering: Relationship Preservation in Versioning (Implicit vs Explicit)
Sent by: <cti@lists.oasis-open.org>