I also agree with Jason, having two separate objects will muddy the water for implementation.
Best Regards, Nicholas Hayden, CISSP, GICSP, CNDA, CEH, Sec+ 808 Winslow St Redwood City, CA 94063 Phone: (650) 257-0867 | Twitter: @anomali
I have a very strong opinion that either #2 or #3 must be done, and that #1 is not workable.

In order to fully understand why, you have to consider the entire life-cycle of the objects - from production in one piece of software, to consumption and storage/display in another. You also have to understand that, at their core, both of these objects are things that originate from humans, and carry human-entered facts about an object (either as human-entered text, or as "opinion", or other). Finally, you have to understand that the folks writing STIX software do not normally expose the data model to the operators/analysts.... operators and analysts should not be seeing "note", or "opinion", or any other names of objects in most software that deals with STIX, it should be totally abstracted away. The analysts should not know or care about this.

In any piece of software dealing with creating CTI by humans, one can imagine you will have to have some UI where one would enter these "things", and in any piece of software dealing with displaying CTI to humans, one can imagine you will have to have some UI where one will display these "things". If we have two different objects, then you can immediately see how this presents a problem for the software creators:

- Consider the producer software. When someone wants to simply enter text - which object do I encode it as in STIX? Since both can convey the information, it is totally ambiguous which to use - out of the gate, we are now at "two ways to do one thing", something we said we are trying to get away from in STIX 2. What if they enter text, it gets encoded as a "note", and then later on the same user goes in and adds an "opinion" flag? Should I revoke the "note" object and add an "opinion" object? Leave it and issue an "opinion" and duplicate all the text? Again, totally ambiguous. This points to the fact that these two things are different ideas - voting and commenting - and should be kept fully separate (#2).

- Consider now the consumer software. Any piece of consumer software which is going to display notes and opinions to a user is going to want to have some kind of comment trail.. some type of timeline. It will simply not be possible to construct this comment trail without unionizing these two objects and treating them as one... as viewing a timeline of "note" without including "opinion", or vice-versa, will have the potential to leave a large number of human-created comments dropped on the floor. I can't reasonably see any valid use case to have software where one shows a set of "opinion" without including "note", or vice-versa. This again points to the fact that you need a single source of truth for a comment timeline... either option #2, or option #3 alternatively.

- Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
From: "Wunder, John A." <jwunder@mitre.org>
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Date: 04/10/2017 05:30 PM
Subject: [cti] Intel note and opinion
Sent by: <cti@lists.oasis-open.org>

Hey everyone,

After a lot of conversation on intel note and opinion, we've narrowed down a lot of the questions on these two objects but have one big one remaining. Specifically, with both intel note and opinion existing as separate objects a few people (notably Jason and Bret) have noted that there may be overlap and in fact the objects should be merged into one. The thinking is that giving an opinion is essentially the same as giving extra analysis about something (or is at least handled the same way most of the time) and having two separate objects will be confusing for people.

So, here's how I would outline the questions:

1. Should opinion and intel note remain separate objects?
   a. Merging them would provide a single object to provide a simple opinion on a scale (agree/disagree), an opinion on a scale with a text explanation (agree and here's why), and added analysis w/ no opinion scale (here's extra info about this object).
   b. Separating them would distinguish providing an opinion (agree/disagree) from providing extra analysis.

2. If we go with option b and we have two separate objects, should opinion have an optional description field?
   a. Having a description on opinion keeps all information about the opinion in a single object.
   b. Not having a description on opinion would mean that opinions are just the agree/disagree statements. People would use the intel note object to capture their explanation and therefore all text commentary would be provided by intel note.

It seems like the key thing people are wrestling with is whether there's a distinction between giving extra analysis or context to something and giving an opinion about something. I.e., when people are doing shared analysis is it important to distinguish me providing an opinion on your object (agree/disagree/neutral) from me adding extra context (human-readable notes) to your data?

So, combining those questions, we have three options:

1. Opinion and intel note are separate objects, and opinion has a description. To have a text explanation of an opinion, you would use the description field on the opinion object.
2. Opinion and intel note are separate objects, and opinion does not have a description. To have a text explanation of an opinion, you would use an intel note and link it to the opinion.
3. Opinion and intel note are merged (likely calling it intel note, since not all of them would be opinions) and you would use that object to describe opinions, opinions w/ descriptions, and added analysis.

People can reply with their reasoning and pros/cons, but I'm particularly interested in hearing people who have not chimed in yet. What is your preferred option? Any thoughts on the reasoning?

FYI, here are the latest working versions of intel note and opinion, in Google Docs. These are roughly option #1, based on the recent working call and a poll in Slack.

- Intel note: https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.74spnst8naxc
- Opinion: https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.haeazu2sh3sq

My own opinion (sorry I know this pun is getting old) is that giving an opinion is distinct from adding analyst notes or extra context and therefore I prefer #1. My second choice would be #2, because I think #3 results in an ambiguous object that does too many things and can have completely orthogonal sets of fields, which to me is an indication that it really should be two objects.

Thanks,
John
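An added example, not from the thread or from the STIX specification, of the consumer-side timeline Jason's reply describes: it unions note and opinion objects into one chronological comment trail for a target object, and also picks up a note that explains an opinion, as option #2 in John's message would produce. The field names (type, id, created, object_refs, description, opinion) and the sample objects are assumed for illustration of the draft objects and are constructed here.

```python
# Added example: consumer-side comment timeline over draft note/opinion objects.
# Field names and sample data are assumptions, not the STIX 2 draft text.
from datetime import datetime

# Constructed sample objects; the ids are placeholders, not real STIX ids.
SAMPLE_OBJECTS = [
    {"type": "indicator", "id": "indicator--1", "created": "2017-04-01T10:00:00Z"},
    {"type": "note", "id": "note--1", "created": "2017-04-02T09:00:00Z",
     "object_refs": ["indicator--1"], "description": "Seen in two more incidents."},
    {"type": "opinion", "id": "opinion--1", "created": "2017-04-03T11:30:00Z",
     "object_refs": ["indicator--1"], "opinion": "disagree"},
    # Option #2 style: the explanation is a separate note linked to the opinion.
    {"type": "note", "id": "note--2", "created": "2017-04-03T11:31:00Z",
     "object_refs": ["opinion--1"], "description": "Our sandbox shows it benign."},
    {"type": "note", "id": "note--3", "created": "2017-04-04T08:00:00Z",
     "object_refs": ["indicator--9"], "description": "Unrelated object."},
]

def _refs_any(obj, target_ids):
    """True if obj's object_refs mentions any id in target_ids."""
    return any(r in target_ids for r in obj.get("object_refs", []))

def build_timeline(objects, target_id):
    """Return a chronological list of (created, kind, text) for everything a
    human said about target_id: notes, opinions, and notes that reference one
    of those opinions, so an option #2 explanation is not dropped on the floor."""
    commentary = [o for o in objects if o["type"] in ("note", "opinion")]
    # Pass 1: commentary that references the target directly.
    direct = [o for o in commentary if _refs_any(o, {target_id})]
    # Pass 2: notes that explain an opinion collected in pass 1.
    opinion_ids = {o["id"] for o in direct if o["type"] == "opinion"}
    linked = [o for o in commentary
              if o["type"] == "note" and o not in direct
              and _refs_any(o, opinion_ids)]
    entries = []
    for o in direct + linked:
        created = datetime.strptime(o["created"], "%Y-%m-%dT%H:%M:%SZ")
        # Opinions carry a vote; notes carry free text. Both land in one trail.
        text = "vote: " + o["opinion"] if o["type"] == "opinion" else o["description"]
        entries.append((created, o["type"], text))
    return sorted(entries)

if __name__ == "__main__":
    for created, kind, text in build_timeline(SAMPLE_OBJECTS, "indicator--1"):
        print(created.isoformat(), kind, text)
```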