cti message

Subject: Re: [cti] Re: [EXT] [cti] Embedded Relationships

From: "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>
To: "Reller, Nathan S." <Nathan.Reller@jhuapl.edu>
Date: Thu, 4 May 2017 15:10:03 -0300

> Could you further explain this? I don’t understand how something can be a TAXII server but not have a historical database.
> I feel that it must have some repository/database of information to store the POSTed objects temporarily until a TAXII client
> does a GET request. Otherwise where do you get the STIX objects that are used in steps 4 and 6 above? A proxy I get,
> but that is really just a middle-man between a real TAXII server.

Again, you are assuming that people are always occupying the "repository" persona. There are many personas for TAXII, not all of which store data. I highly suggest you take a look at the personas defined in the Interoperability Subcommittee's use case specification - https://docs.google.com/document/d/1l54RhjxwuXrZUQ19zIHUiZ7_c6otbLbVVfluKJogU7s/edit#heading=h.4do73o99e2l7

Just because you POST TAXII information to me, does not mean you can then later GET that same information from me, because I may not be acting as any kind of repository. I may not even have a TAXII "read" facility at all, and only accept POSTs to a channel or collection, and all GETs against the channel or collection return empty all the time. A use case for this may be a device that wants to expose a TAXII collection or channel to allow people to submit CTI to it to trigger some action, such as adding something to a watch list or launching a remediation. As such, I have no need to store this information at all, anywhere.

Or, to flip it around, I may offer a read-only view of a channel or collection and not anyone to ever POST anything to it at all. A use case for this might be a proxy device that exposes live sighting information on a channel or collection. This information would all be read-only, live, streaming data from the device.... there is no repository, and if you go back to that device in an hour those objects wouldn't even exist on it anymore.

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security

Without data, all you are is just another person with an opinion - Unknown

Follow-Ups:
- Re: [cti] Re: [EXT] [cti] Embedded Relationships
  - From: "Reller, Nathan S." <Nathan.Reller@jhuapl.edu>

References:
- Re: [cti] Re: [EXT] [cti] Embedded Relationships
  - From: Bret Jordan <Bret_Jordan@symantec.com>
- Re: [cti] Re: [EXT] [cti] Embedded Relationships
  - From: "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>
- Re: [cti] Re: [EXT] [cti] Embedded Relationships
  - From: Allan Thomson <athomson@lookingglasscyber.com>
- Re: [cti] Re: [EXT] [cti] Embedded Relationships
  - From: Terry MacDonald <terry.macdonald@cosive.com>
- Re: [cti] Re: [EXT] [cti] Embedded Relationships
  - From: "Reller, Nathan S." <Nathan.Reller@jhuapl.edu>
- Re: [cti] Re: [EXT] [cti] Embedded Relationships
  - From: "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>
- Re: [cti] Re: [EXT] [cti] Embedded Relationships
  - From: "Reller, Nathan S." <Nathan.Reller@jhuapl.edu>