OASIS Mailing List Archives

cti message



Subject: Re: [cti] Re: [EXT] Re: [cti] Intel note and opinion


Yes, you can still do your searches, since you can look for an object that has the Opinion property filled out.


In addition to this being two ways of doing things, there is a whole Slack history discussion about the problems this created for products. The reality is that a Note and an Opinion capture the same things.


Bret


From: Reller, Nathan S. <Nathan.Reller@jhuapl.edu>
Sent: Tuesday, April 11, 2017 2:25:28 PM
To: Wunder, John A.; richard.shok@usbank.com; Bret Jordan; cti@lists.oasis-open.org; Jason Keirstead
Subject: Re: [cti] Re: [EXT] Re: [cti] Intel note and opinion
 

Thanks for the links!

 

It seems like the argument is that a Note can store generic text, and users can infer an opinion inside a Note while reading the text. Therefore there are two ways to document an opinion. The first is to create a Note SDO and document the opinion there, and the second option is to create an Opinion and document it there. Since there are two ways, that implies it is confusing for users, and we should drop Opinion.

 

1. While there are two ways to record the same information, I’m not sure that it will be confusing to users. If the GUI presented an option to store a Note or an Opinion in relation to another SDO, then I think most users would quickly grasp that an Opinion contains an opinion metric and a text field to help justify that opinion, while a Note is for free-form text.

 

2. If users cannot grasp that concept, then we have trouble. Since Note is so generic, almost any type could be made into a Note. A Report, for example, could be stored in a Note. The user could type the same information found in a Report into a Note SDO, and users could infer from the content that this note is describing a report and not an opinion or some other type of note.

 

3. There can also be some added value in having the different types. We can search for Notes or Opinions without having to understand the semantics of the strings. If we combine them into one type, there will not be a way for me to search for all Opinions by a certain person.

 

-Nate

 

 

From: "Wunder, John A." <jwunder@mitre.org>
Date: Tuesday, April 11, 2017 at 2:59 PM
To: "Reller, Nathan S." <Nathan.Reller@jhuapl.edu>, "richard.shok@usbank.com" <richard.shok@usbank.com>, Bret Jordan <Bret_Jordan@symantec.com>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>, Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Subject: Re: [cti] Re: [EXT] Re: [cti] Intel note and opinion

 

They’re in google docs:

 

- Intel note: https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.74spnst8naxc
- Opinion: https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.haeazu2sh3sq

 

The definitions for both could be edited; they’re still in development, and obviously if we merge them or remove the description from opinion they would need to be updated.

 

From: "Reller, Nathan S." <Nathan.Reller@jhuapl.edu>
Date: Tuesday, April 11, 2017 at 2:02 PM
To: "richard.shok@usbank.com" <richard.shok@usbank.com>, "Bret Jordan (CS)" <Bret_Jordan@symantec.com>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>, Jason Keirstead <Jason.Keirstead@ca.ibm.com>, John Wunder <jwunder@mitre.org>
Subject: Re: [cti] Re: [EXT] Re: [cti] Intel note and opinion

 

I’m sorry if this is documented anywhere. I’m still catching up. What is the definition or description for a note? When can it be used?

 

-Nate

 

 

From: <cti@lists.oasis-open.org> on behalf of "richard.shok@usbank.com" <richard.shok@usbank.com>
Date: Tuesday, April 11, 2017 at 1:53 PM
To: Bret Jordan <Bret_Jordan@symantec.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>, Jason Keirstead <Jason.Keirstead@ca.ibm.com>, "Wunder, John A." <jwunder@mitre.org>
Subject: Re: [cti] Re: [EXT] Re: [cti] Intel note and opinion

 

I agree with Jason and Bret on this as well.

Rich Shok
U.S. Bank - Information Security Services
Threat Intelligence & Automation
612.973.7185 - Office
richard.shok@usbank.com




From: Bret Jordan <Bret_Jordan@symantec.com>
To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>, "Wunder, John A." <jwunder@mitre.org>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Date: 04/11/2017 11:54 AM
Subject: [cti] Re: [EXT] Re: [cti] Intel note and opinion
Sent by: <cti@lists.oasis-open.org>





I completely agree with Jason here. This is two ways of doing the same thing. If we keep these as two objects, we are going to utterly confuse people to no end. Further, when you start writing a UI for this, and having people play with it, you begin to see the problem very quickly. They ask questions like, "Which do I use?" and "They both contain the same thing, but the 'Opinion' object lets me express my view of it, but my 'Note' is also my assertion that I agree with it, so which do I use?"

Notes either back up and confirm someone's point of view or they show that the point of view is wrong. Which is the SAME thing that we are doing with the Opinion object. The Opinion object makes this explicit, and with the Note you would have to figure it out from reading the text.

We promised ourselves that we would not go back to STIX 1.x ways of doing things and have two ways of doing the same thing. Let us please not start. A Note is really just an Opinion with no explicit opinion stated.

Bret



From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Sent: Tuesday, April 11, 2017 5:38:02 AM
To: Wunder, John A.
Cc: cti@lists.oasis-open.org
Subject: [EXT] Re: [cti] Intel note and opinion

 
I have a very strong opinion that either #2 or #3 must be done, and that #1 is not workable.

In order to fully understand why, you have to consider the entire life-cycle of the objects - from production in one piece of software, to consumption and storage/display in another. You also have to understand that, at their core, both of these objects are things that originate from humans, and carry human-entered facts about an object (either as human-entered text, or as "opinion", or other). Finally, you have to understand that the folks writing STIX software do not normally expose the data model to the operators/analysts... operators and analysts should not be seeing "note", or "opinion", or any other names of objects in most software that deals with STIX; it should be totally abstracted away. The analysts should not know or care about this.


In any piece of software dealing with creating CTI by humans, one can imagine you will have to have some UI where one would enter these "things", and in any piece of software dealing with displaying CTI to humans, one can imagine you will have to have some UI where one will display these "things". If we have two different objects, then you can immediately see how this presents a problem for the software creators.


- Consider the producer software. When someone wants to simply enter text, which object do I encode it as in STIX? Since both can convey the information, it is totally ambiguous which to use - out of the gate, we are now at "two ways to do one thing", something we said we are trying to get away from in STIX 2. What if they enter text, it gets encoded as a "note", and then later on the same user goes in and adds an "opinion" flag? Should I revoke the "note" object and add an "opinion" object? Leave it and issue an "opinion" and duplicate all the text? Again, totally ambiguous. This points to the fact that these two things are different ideas - voting and commenting - and should be kept fully separate (#2).


- Consider now the consumer software. Any piece of consumer software that is going to display notes and opinions to a user is going to want to have some kind of comment trail... some type of timeline. It will simply not be possible to construct this comment trail without unionizing these two objects and treating them as one, as viewing a timeline of "note" without including "opinion", or vice versa, will have the potential to leave a large number of human-created comments dropped on the floor. I can't reasonably see any valid use case for software where one shows a set of "opinion" without including "note", or vice versa. This again points to the fact that you need a single source of truth for a comment timeline... either option #2, or option #3 alternatively.


--
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems

www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown





From: "Wunder, John A." <jwunder@mitre.org>
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Date: 04/10/2017 05:30 PM
Subject: [cti] Intel note and opinion
Sent by: <cti@lists.oasis-open.org>





Hey everyone,

After a lot of conversation on intel note and opinion, we’ve narrowed down a lot of the questions on these two objects but have one big one remaining. Specifically, with both intel note and opinion existing as separate objects a few people (notably Jason and Bret) have noted that there may be overlap and in fact the objects should be merged into one. The thinking is that giving an opinion is essentially the same as giving extra analysis about something (or is at least handled the same way most of the time) and having two separate objects will be confusing for people. So, here’s how I would outline the questions:


1. Should opinion and intel note remain separate objects?
   a. Merging them would provide a single object to provide a simple opinion on a scale (agree/disagree), an opinion on a scale with a text explanation (agree and here’s why), and added analysis w/ no opinion scale (here’s extra info about this object).
   b. Separating them would distinguish providing an opinion (agree/disagree) from providing extra analysis.
2. If we go with option b and we have two separate objects, should opinion have an optional description field?
   a. Having a description on opinion keeps all information about the opinion in a single object.
   b. Not having a description on opinion would mean that opinions are just the agree/disagree statements. People would use the intel note object to capture their explanation, and therefore all text commentary would be provided by intel note.

It seems like the key thing people are wrestling with is whether there’s a distinction between giving extra analysis or context to something and giving an opinion about something. I.e., when people are doing shared analysis is it important to distinguish me providing an opinion on your object (agree/disagree/neutral) from me adding extra context (human-readable notes) to your data?

So, combining those questions, we have three options:

1. Opinion and intel note are separate objects, and opinion has a description. To have a text explanation of an opinion, you would use the description field on the opinion object.
2. Opinion and intel note are separate objects, and opinion does not have a description. To have a text explanation of an opinion, you would use an intel note and link it to the opinion.
3. Opinion and intel note are merged (likely calling it intel note, since not all of them would be opinions) and you would use that object to describe opinions, opinions w/ descriptions, and added analysis.

People can reply with their reasoning and pros/cons, but I’m particularly interested in hearing people who have not chimed in yet. What is your preferred option? Any thoughts on the reasoning?


FYI, here are the latest working versions of intel note and opinion, in Google Docs. These are roughly option #1, based on the recent working call and a poll in Slack.

- Intel note: https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.74spnst8naxc
- Opinion: https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.haeazu2sh3sq

My own opinion (sorry I know this pun is getting old) is that giving an opinion is distinct from adding analyst notes or extra context and therefore I prefer #1. My second choice would be #2, because I think #3 results in an ambiguous object that does too many things and can have completely orthogonal sets of fields, which to me is an indication that it really should be two objects.

Thanks,
John
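Added example, not code from this thread or from the STIX drafts it links: the consumer-side handling the thread argues about, in plain Python with no stix2 dependency. It builds one comment timeline across Note and Opinion objects (Jason's point that a consumer must union the two types or drop human commentary), searches Opinions by author without parsing free text (Nate's point 3), and converts both into the merged "option #3" shape from John's list, where the same search becomes a check for the presence of an `opinion` property (Bret's reply at the top of the thread). Property names (`content`, `explanation`, `opinion`, `authors`, `object_refs`, `created`) follow the shape the STIX 2.1 Note and Opinion SDOs later took and are an assumption here; the April 2017 drafts were still in Google Docs. All objects and IDs below are constructed sample data.

```python
"""Consumer-side handling of separate vs. merged Note/Opinion objects.

ASSUMPTION: property names follow the later STIX 2.1 Note and Opinion
shapes, not the April 2017 Google Docs drafts. Sample objects are constructed.
"""

TARGET = "indicator--11111111-1111-4111-8111-111111111111"  # constructed id
OTHER = "malware--22222222-2222-4222-8222-222222222222"     # constructed id

# Constructed sample objects. `created` is fixed-format UTC ISO 8601, so plain
# string ordering equals chronological ordering.
SAMPLE = [
    {"type": "note", "id": "note--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaa1",
     "created": "2017-04-10T17:30:00.000Z", "authors": ["Analyst A"],
     "content": "Seen on two hosts in finance.", "object_refs": [TARGET]},
    {"type": "opinion", "id": "opinion--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaa2",
     "created": "2017-04-11T09:54:00.000Z", "authors": ["Analyst B"],
     "opinion": "agree", "explanation": "Matches our sandbox run.",
     "object_refs": [TARGET]},
    {"type": "opinion", "id": "opinion--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaa3",
     "created": "2017-04-11T14:02:00.000Z", "authors": ["Analyst A"],
     "opinion": "disagree", "explanation": "False positive on the CDN range.",
     "object_refs": [TARGET]},
    {"type": "note", "id": "note--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaa4",
     "created": "2017-04-11T14:59:00.000Z", "authors": ["Analyst B"],
     "content": "Unrelated note on another object.", "object_refs": [OTHER]},
]


def comment_timeline(objects, target_id):
    """Union of Note and Opinion objects that reference target_id, oldest first.

    Filtering on only one of the two types here silently drops human
    commentary, which is the consumer-side problem raised in the thread.
    """
    rows = []
    for obj in objects:
        if obj["type"] not in ("note", "opinion"):
            continue
        if target_id not in obj.get("object_refs", []):
            continue
        rows.append({
            "created": obj["created"],
            "author": ", ".join(obj.get("authors", [])) or "unknown",
            "opinion": obj.get("opinion"),  # None for a Note
            "text": obj.get("content") or obj.get("explanation", ""),
        })
    return sorted(rows, key=lambda r: r["created"])


def opinions_by_author(objects, author):
    """Structured search on separate objects: the verdict is a field, so no
    free-text interpretation of a Note is needed."""
    return [o for o in objects
            if o["type"] == "opinion" and author in o.get("authors", [])]


def to_merged(obj):
    """Option #3 shape: one 'intel-note' with an optional `opinion` property.

    Returns None for objects that are neither a Note nor an Opinion.
    """
    if obj["type"] == "note":
        merged = {"type": "intel-note", "content": obj["content"]}
    elif obj["type"] == "opinion":
        merged = {"type": "intel-note", "content": obj.get("explanation", ""),
                  "opinion": obj["opinion"]}
    else:
        return None
    for key in ("id", "created", "authors", "object_refs"):
        merged[key] = obj[key]
    return merged


def merged_opinions_by_author(merged_objects, author):
    """The same search against the merged shape: presence of `opinion`."""
    return [m for m in merged_objects
            if "opinion" in m and author in m.get("authors", [])]


if __name__ == "__main__":
    for row in comment_timeline(SAMPLE, TARGET):
        print(row["created"], row["author"], row["opinion"] or "-", row["text"])
    merged = [m for m in map(to_merged, SAMPLE) if m is not None]
    print(len(merged_opinions_by_author(merged, "Analyst A")), "opinion(s) by Analyst A")
```

The timeline and the author search work in both designs; what changes is whether the verdict is a separate object type or a property whose absence means "plain note", which is the distinction the three options in the message above turn on.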








