

Subject: Re: [cti] Gap Analysis


I should highlight that adding tokenization in 2.1 or 2.2 is perfectly acceptable, and actually preferred.

Patrick Maroney
President
Integrated Networking Technologies, Inc.
Desk: (856)983-0001
Cell: (609)841-5104
Email: pmaroney@specere.org




On Mon, Apr 4, 2016 at 10:21 AM -0700, "Patrick Maroney" <Pmaroney@Specere.org> wrote:

Thanks for providing feedback Mark on the initial draft of the Tokenization. Please keep the feedback coming (to the community where appropriate, or directly to me).  (k)

(1) Re: "This is based only on a quick reading, but IMO a key concept in tokenization is the process that is necessary to support it."

There are indeed processes required for tokenization.  To the extent a given Community wants to leverage aggregated Tokenization for Industry/Sector and/or common shared Adversary TTP analysis/correlation, then they need to share common tokenization methods.   An updated notional Tokenization Table framework is included below:


Image

However, regardless of whether or not one subscribes to these notions, the CTI language itself needs to allow us to identify Objects as Tokenized.  The Namespace, Ref ID, and Version the Tokenization Tables (again refer to the notional Tokenization Table).  Note that we need to be able to pass any TLO as a Tokenized Value.  I can elaborate on these Use Cases if required.

(2) Re: "It seems that the tokenization concept requires a system/process for mapping tokenized values back to the sensitive data element."
 
No, not for the primary Tokenization scenarios outlined.  I can perform analytics on the Tokens as Categorical variables.  "Pre"-Tokenization through a common shared algorithm actually makes this Analytics process easier for all participants. 

Image

The place where one "requires a system/process for mapping tokenized values back to the sensitive data element" is the "hiding in plain sight" Use Case where one is obfuscating the real values in transit.  Again, we would want/need to ensure all parties know that the values contained are obfuscated.  But only the parties with "Need to Know" or "Right to Know" need to share the process, tables, keys, etc.


Patrick Maroney
President
Integrated Networking Technologies, Inc.
Desk: (856)983-0001
Cell: (609)841-5104
Email: pmaroney@specere.org




On Mon, Apr 4, 2016 at 5:11 AM -0700, "Mark Davidson" <mdavidson@soltra.com> wrote:

FWIW, the data security version of tokenization [1] is very different from the computer programming concept of tokenization [2].

I think we can add it as an item to track and vote on. This will make things a little messier to track for John – maybe we have a section for things that were added after the initial request?

This is based only on a quick reading, but IMO a key concept in tokenization is the process that is necessary to support it. It seems that the tokenization concept requires a system/process for mapping tokenized values back to the sensitive data element.

I would vote non-MVP on tokenization. The keystone of my opinion is that I haven’t seen evidence that tokenization is needed for STIX 2.0 to be viable. I understand the goal, but I personally haven’t heard anyone say that they can't use STIX 2.0 unless it has tokenization. My understanding is nascent and I could change my vote if enough evidence is provided that STIX 2.0 is not viable without tokenization. 

Thank you.
-Mark


From: <cti@lists.oasis-open.org> on behalf of JG on CTI-TC <jg@ctin.us>
Date: Sunday, April 3, 2016 at 11:27 PM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Gap Analysis

Patrick/Bret & All:

Where would the issue of Tokenization fit into the MVP list?

 See attached.

Jane

On 4/3/2016 4:36 PM, Jordan, Bret wrote:
Thanks... And yes, the more eyes we can have on this the better..  As you find stuff that is missing, please speak up so we can add it to the list. 

Step 1: Identify gaps and decide on MVP items 

Step 2: Triage the MVP items and build a plan to finish 2.0 MVP


Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On Apr 3, 2016, at 16:30, Patrick Maroney <Pmaroney@Specere.org> wrote:

In reviewing the draft specifications, we still have not addressed a few of the key gaps in the prior standards.  One of particular interest is "fixing" Targets/Victims as TLOs.  Please add this item to the Gap Analysis discussions.

Patrick Maroney
President
Integrated Networking Technologies, Inc.
Desk: (856)983-0001
Cell: (609)841-5104
Email: pmaroney@specere.org




On Sun, Apr 3, 2016 at 12:45 PM -0700, "Jordan, Bret" <bret.jordan@bluecoat.com> wrote:

All,

Early this week I will be working with Rich P and John Wunder on a Gap Analysis between what we have right now in the pre-draft specs for 2.0 and what is in STIX 1.2.  This should help the MVP discussion and give greater clarity to the community about where things are at and where they are going.


Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 



-- 
Jane Ginn, MSIA, MRP
Cyber Threat Intelligence Network, Inc.
jg@ctin.us
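
The two cases distinguished in point (2) of the thread above, as an added example that is not part of the original messages: tokens produced by a shared method can be aggregated as categorical variables without any reverse mapping, while a token-to-value table is only needed by need-to-know parties. HMAC-SHA256, the key, the field names and the sample organisations are assumptions made for illustration; the thread does not specify an algorithm or a format.

```python
import hashlib
import hmac
from collections import Counter

# Hypothetical descriptor of the shared tokenization table (field names assumed,
# modelled on the "Namespace, Ref ID, and Version" mentioned in the thread).
TABLE = {"namespace": "example-sector-isac", "ref_id": "tok-table-1", "version": "1"}
SHARED_KEY = b"constructed-demo-key"  # constructed; distributed out of band in practice


def tokenize(value: str, key: bytes = SHARED_KEY, table: dict = TABLE) -> dict:
    """Return an object explicitly marked as tokenized, with the table it came from."""
    canonical = value.strip().lower().encode()  # same input form for every participant
    context = "|".join((table["namespace"], table["ref_id"], table["version"])).encode()
    digest = hmac.new(key, context + b"|" + canonical, hashlib.sha256).hexdigest()
    return {"tokenized": True, **table, "token": digest[:32]}


def aggregate(reports: list) -> Counter:
    """Count sightings per token: tokens act as categorical variables, no reversal."""
    return Counter(r["token"] for r in reports)


def build_reverse_table(values: list) -> dict:
    """Token -> value map for the "hiding in plain sight" case; need-to-know only."""
    return {tokenize(v)["token"]: v for v in values}


# Constructed sample data: two organisations report victims under the shared scheme.
org_a = [tokenize(v) for v in ["Acme Power Co", "Example Bank"]]
org_b = [tokenize(v) for v in ["acme power co ", "Sample Hospital"]]
counts = aggregate(org_a + org_b)
reverse = build_reverse_table(["Acme Power Co", "Example Bank", "Sample Hospital"])

if __name__ == "__main__":
    # An analyst without the reverse table still sees that one token occurs twice.
    for token, n in counts.most_common():
        print(token, n, reverse.get(token, "<not held>"))
```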

