OASIS Mailing List Archives


cti message



Subject: RE: [Non-DoD Source] Re: [cti] Re: Moving content out of CTI-Common


There are two ways that I can see versioning being useful in CybOX, but I'd be interested in additional use cases.

The first is fairly simple: someone fat-fingers or incorrectly sends out information about an object.  For example, they incorrectly put out the wrong IP Address.  We need a way to say that there is a newer version of this object that corrects that mistake.  Since everything is connected through relationships, rather than embedding, it would seem that we would need a way to update a version of the object itself.

The second use case is when an organization gains additional information about an object.  This is fairly common.  A malware analysis team may consistently rerun its toolset against their malware repository to see if any new appliances that have been added to their tools result in additional information being pulled out.  It would be useful to send out that new information as a new version of the same object.  Not being able to version the object might result in someone thinking that there were two instances of the same object, rather than a newer version of the object.

-Gary

-----Original Message-----
From: John-Mark Gurney [mailto:jmg@newcontext.com] 
Sent: Wednesday, April 06, 2016 7:11 PM
To: Kirillov, Ivan A.
Cc: Jordan, Bret; Katz, Gary CTR DC3/DCCI; cti@lists.oasis-open.org; Chet Ensign (chet.ensign@oasis-open.org)
Subject: [Non-DoD Source] Re: [cti] Re: Moving content out of CTI-Common

Kirillov, Ivan A. wrote this message on Wed, Apr 06, 2016 at 18:59 +0000:
> It seems like this topic often boils down to questions around versioning, patterning, and data markings and whether they should be part of CybOX.
> 
> A few thoughts from my perspective:
> 
>   *   Versioning: this is something that I don’t see the purpose of for CybOX. If CybOX is a representation of some cyber “fact”, what does it mean to version a fact? Wouldn’t that just be a different fact altogether?

I agree...

>   *   Patterning: originally we wanted to move this out of CybOX to simplify the CybOX Object model and its underlying serialization. Given that we’re now pushing towards a domain specific patterning language, one with heavy ties to the CybOX Object model, I don’t see why this patterning language can’t live as a component of CybOX. Personally, I think it would make sense to define this as a separate work product (I.e., the “CybOX Patterning Language”), apart from the CybOX language.

There is additional information in STIX that isn't in CybOX that is needed, i.e. the time of the Observation... we'd have to make CybOX a full-fledged object for the patterning to be entirely contained as part of CybOX.

--
John-Mark

