cti message
Subject: Re: [cti] Re: [EXT] [cti] Embedded Relationships
- From: "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>
- To: "Reller, Nathan S." <Nathan.Reller@jhuapl.edu>
- Date: Thu, 4 May 2017 15:10:03 -0300
> Could you further explain this? I don’t understand how something can be a TAXII server but not have a historical database.
> I feel that it must have some repository/database of information to store the POSTed objects temporarily until a TAXII client
> does a GET request. Otherwise where do you get the STIX objects that are used in steps 4 and 6 above? A proxy I get,
> but that is really just a middle-man between a real TAXII server.
Again, you are assuming that people
are always occupying the "repository" persona. There are many
personas for TAXII, not all of which store data. I highly suggest you take
a look at the personas defined in the Interoperability Subcommittee's use
case specification - https://docs.google.com/document/d/1l54RhjxwuXrZUQ19zIHUiZ7_c6otbLbVVfluKJogU7s/edit#heading=h.4do73o99e2l7
Just because you POST TAXII information
to me, does not mean you can then later GET that same information from
me, because I may not be acting as any kind of repository. I may not even
have a TAXII "read" facility at all, and only accept POSTs to
a channel or collection, and all GETs against the channel or collection
return empty all the time. A use case for this may be a device that wants
to expose a TAXII collection or channel to allow people to submit CTI to
it to trigger some action, such as adding something to a watch list or
launching a remediation. As such, I have no need to store this information
at all, anywhere.
Or, to flip it around, I may offer a
read-only view of a channel or collection and not allow anyone to ever POST anything
to it at all. A use case for this might be a proxy device that exposes
live sighting information on a channel or collection. This information
would all be read-only, live, streaming data from the device.... there
is no repository, and if you go back to that device in an hour those objects
wouldn't even exist on it anymore.
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security
Without data, all you are is just another person with an opinion - Unknown
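
The two non-repository personas described in the message above, as an added sketch that is not part of the original post or of any TAXII implementation. The class names, the action hook and the sample objects are hypothetical and constructed, and the STIX objects are trimmed to the fields the sketch uses; `can_read` and `can_write` are the TAXII 2.x collection properties.

```python
import json

class SinkCollection:
    """Write-only persona: POSTed CTI triggers an action and is never stored."""
    def __init__(self, action):
        self.action = action            # hypothetical hook, e.g. watch-list add

    def describe(self):
        return {"can_read": False, "can_write": True}

    def post(self, body):
        bundle = json.loads(body)
        if bundle.get("type") != "bundle":
            raise ValueError("expected a STIX bundle")
        acted = 0
        for obj in bundle.get("objects", []):
            if obj.get("type") == "indicator" and "pattern" in obj:
                self.action(obj["pattern"])
                acted += 1
        return acted                    # objects are dropped once acted on

    def get_objects(self):
        return []                       # always empty: there is no repository

class LiveCollection:
    """Read-only persona: serves whatever the device sees right now."""
    def __init__(self, current_sightings):
        self.current_sightings = current_sightings  # callable returning a list

    def describe(self):
        return {"can_read": True, "can_write": False}

    def post(self, body):
        raise PermissionError("collection is read-only")

    def get_objects(self):
        return list(self.current_sightings())

def demo():
    watch_list = []
    sink = SinkCollection(watch_list.append)
    posted = json.dumps({"type": "bundle", "objects": [   # constructed sample
        {"type": "indicator", "pattern": "[ipv4-addr:value = '198.51.100.7']"},
        {"type": "identity", "name": "Example Org"}]})
    acted = sink.post(posted)
    feed = [{"type": "sighting", "count": 1}]             # constructed sample
    live = LiveCollection(lambda: feed)
    before = live.get_objects()
    feed.clear()                                          # the device moved on
    return acted, watch_list, sink.get_objects(), before, live.get_objects()
```

`demo()` shows that a POST to the sink updates the watch list while a later GET still returns nothing, and that the live view is empty once the device no longer holds the sighting.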