[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [cti] Intel note and opinion
Hey all,

I do think we need to get to a ballot so that we can just move on…the problem is that even if this is bikeshedding we need some basis on which to make a decision. Sarah and I can’t just say that it’s two objects because we like that approach…that’s not our role. And so even for things like this we need to get to a community decision in some direction. One of the reasons why I wanted to ask on the list is to hear from new people…if opinion clearly went in one direction or the other that would be our answer. It doesn’t seem like that’s the case here, so I think after giving people another day to comment I agree w/ Terry that we should probably just open a ballot so we can close this topic and move on to other things.

Along those lines, it would help for the ballot if those that think the object should be merged can come up with a solid proposal including normative text for the merged object (put it in the working doc). Then we have two complete options to weigh when we open the ballot.

Thanks,
John

From: <cti@lists.oasis-open.org> on behalf of Terry MacDonald <terry.macdonald@cosive.com>

I vote for Option #1, followed by #2. I disagree completely with Option #3, and here is why....

My goal with my Opinion object suggestion

When I created the Opinion object, I simply wanted a way for members of a group to agree or disagree with what one of the other members had asserted. In STIX 1.x and 2.0, there was no real way for people to explicitly disagree with each other. So I proposed that we add the Opinion object.

In the normal course of operation, Organisations release SDOs and SROs that represent assertions of what that Organisation believes to be the truth. The Opinion object allows a different Organisation to provide an opinion about the assertions that the original Organisation has made, i.e. it allows public explicit feedback to be given. This is extremely important for two reasons:

1. Many Organisations have limited visibility of disagreements with threat intel. They just see the vendor-produced reports saying things like "this is definitely APT99". They miss the fact that there are often disagreements about the 'right' answer. If we improve the visibility of these disagreements by including them in STIX, we enable recipients to make better judgements.

2. It is up to each recipient/consumer to determine what they believe is the truth. To do this more effectively, and truly understand what the security community thinks, they need to be able to see the disagreements.

An opinion is NOT a vote as some have proposed. A vote implies that it is part of an election, and that there is effectively a mechanism for a 'winner' to be declared within the community. This is absolutely NOT what I envisaged when I suggested this object. A community cannot have an overall winning threat intel answer. Each member of that community has different goals, risk appetites, response abilities and skilled staff. What constitutes a threat is different for each recipient. This in turn means that voting is not an option.

The Opinion object is simply a way of allowing people to share their opinion, nothing more. Each recipient of that Opinion then needs to determine FOR ITSELF which opinion it will trust, and thereby which assertions it trusts. The recipient Organisations should use this information along with other factors to normalise the threat intel that they receive to ensure that the threat intel feeds are treated in accordance with how much they trust the data within them. By which I mean if the producer thinks its intel is high confidence but the recipient thinks it's actually low confidence, then that translation/scaling should happen within each Organisation's platform.

The Opinion's description field will allow recipients to better understand the reasoning behind the opinion the producer is sharing. A simple 'strongly disagree' won't help them as much, as they won't be able to try to understand the reasoning behind the disagreement.

How I view the Intel Note

An intel note is exactly that. It's a generic place to put notes when there isn't another place to add them. It is an assertion of some information that doesn't fit into any of the other SDOs. I personally believe it should be renamed to Note, to help show its general nature.

Similar structures don't mean they're similar objects

Combining the objects (Option #3) is completely the wrong direction to go as it assumes that similar fields mean that the object should be the same. A Note is an assertion you are making. An Opinion is an opinion about someone else's assertion. The fact that their structure may be similar DOES NOT make them the same thing.

And lastly....

We need to have a poll to determine which of the three options is supported by the majority of the CTI members rather than continue to go round and round the houses, and move on. We've got a lot of work to do.

Cheers

Terry MacDonald | Chief Product Officer

On Wed, Apr 12, 2017 at 12:02 PM, Allan Thomson <athomson@lookingglasscyber.com> wrote:
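Terry's message above describes two consumer-side behaviours: reading the reasoning attached to each Opinion rather than just its value, and scaling a producer's stated confidence by how much the recipient itself trusts that producer and the Opinion authors, with no community-wide "winner". The script below is an added example of that recipient-local handling; it is not code from the CTI TC, the STIX specification or anyone on the thread. It uses the STIX 2.1 Opinion field names (`opinion`, `explanation`, `object_refs`, `created_by_ref`) rather than the "description" field the thread's proposal mentions, and the opinion-to-number scale, the default trust weight, the `swing` factor and the sample bundle are all assumptions constructed for illustration.

```python
"""Recipient-side handling of STIX Opinion objects (added example).

Each recipient weights opinions by ITS OWN trust table; nothing here
declares a community-wide answer. Field names follow the STIX 2.1
Opinion SDO; the numeric scale, default trust and swing are assumptions.
"""
import json

INDICATOR_ID = "indicator--00000000-0000-4000-8000-0000000000aa"

# Constructed sample bundle: vendor-a asserts an Indicator at confidence 90,
# and three other organisations publish Opinions about that assertion.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": INDICATOR_ID,
         "created_by_ref": "identity--vendor-a", "confidence": 90,
         "name": "C2 attributed to APT99",
         "pattern": "[ipv4-addr:value = '203.0.113.7']",
         "pattern_type": "stix", "valid_from": "2017-04-01T00:00:00Z"},
        {"type": "opinion", "id": "opinion--00000000-0000-4000-8000-0000000000b1",
         "created_by_ref": "identity--org-b", "opinion": "strongly-disagree",
         "explanation": "Shared VPS address; we see three unrelated actors on it.",
         "object_refs": [INDICATOR_ID]},
        {"type": "opinion", "id": "opinion--00000000-0000-4000-8000-0000000000b2",
         "created_by_ref": "identity--org-c", "opinion": "agree",
         "explanation": "Matches infrastructure from our own APT99 incident.",
         "object_refs": [INDICATOR_ID]},
        {"type": "opinion", "id": "opinion--00000000-0000-4000-8000-0000000000b3",
         "created_by_ref": "identity--org-d", "opinion": "neutral",
         "explanation": "No independent visibility.",
         "object_refs": [INDICATOR_ID]},
    ],
})

# Assumed mapping of the STIX 2.1 opinion vocabulary onto [-1, 1].
OPINION_SCALE = {
    "strongly-disagree": -1.0, "disagree": -0.5, "neutral": 0.0,
    "agree": 0.5, "strongly-agree": 1.0,
}


def index_objects(bundle_json):
    """Parse a bundle and index its objects by STIX id."""
    return {obj["id"]: obj for obj in json.loads(bundle_json)["objects"]}


def opinions_about(object_id, objects):
    """All Opinions referencing object_id, with author and reasoning, so an
    analyst can read WHY someone disagrees rather than just that they do."""
    return [
        (o.get("created_by_ref"), o["opinion"], o.get("explanation", ""))
        for o in objects.values()
        if o["type"] == "opinion" and object_id in o.get("object_refs", [])
    ]


def adjusted_confidence(object_id, objects, trust, default_trust=0.0, swing=25.0):
    """Recipient-local confidence (0..100) in one assertion.

    trust maps identity ids to the recipient's trust in that party (0..1).
    1. Scale the producer's stated confidence by trust in the producer.
    2. Shift by the trust-weighted mean of opinions, times `swing`.
    3. Clamp to the STIX confidence range.
    Authors the recipient does not trust (weight 0) carry no influence.
    """
    obj = objects[object_id]
    base = obj.get("confidence", 0) * trust.get(obj.get("created_by_ref"), default_trust)

    weighted, total = 0.0, 0.0
    for author, opinion, _ in opinions_about(object_id, objects):
        if opinion not in OPINION_SCALE:
            raise ValueError(f"unknown opinion value {opinion!r} from {author}")
        w = trust.get(author, default_trust)
        weighted += w * OPINION_SCALE[opinion]
        total += w
    shift = weighted / total if total else 0.0
    return max(0.0, min(100.0, base + shift * swing))


if __name__ == "__main__":
    objs = index_objects(SAMPLE_BUNDLE)
    # Two recipients, two trust tables, two different answers; neither is "the" answer.
    recipient_one = {"identity--vendor-a": 0.6, "identity--org-b": 0.8, "identity--org-c": 0.2}
    recipient_two = {"identity--vendor-a": 1.0, "identity--org-c": 0.5}
    for author, opinion, why in opinions_about(INDICATOR_ID, objs):
        print(f"{author}: {opinion} -- {why}")
    print("recipient one:", adjusted_confidence(INDICATOR_ID, objs, recipient_one))
    print("recipient two:", adjusted_confidence(INDICATOR_ID, objs, recipient_two))
```

Run with `python3 opinion_trust.py`: the first recipient, which trusts org-b's strong disagreement, ends up well below the vendor's 90, while the second, which ignores org-b entirely, saturates at 100. The point of the design is that the bundle is identical for both; only the local trust table changes.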