OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

cti message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Location as a Top-Level SDO



A lot of conversations have been happening over email and on slack regarding whether location should be an SDO or a property embedded on other SDOs. It appears that several new uses cases have appeared and tipped the scales in favor of it being an SDO, and several people have shifted their opinions. The current proposal for it as a separate SDO is located here: https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.4mmu2llmy610


Is there anyone here that is still in favor of it being an embedded property?


We’re trying to gauge where the group stands in terms of consensus on this issue. For the moment, try to separate out this particular question from the “what are the rules for making something its own SDO?” question, as this is still an ongoing discussion and more information on that topic will likely be forthcoming.





Sarah Kelley

Senior Cyber Threat Analyst

Multi-State Information Sharing and Analysis Center (MS-ISAC)                   

31 Tech Valley Drive

East Greenbush, NY 12061




24x7 Security Operations Center

SOC@cisecurity.org - 1-866-787-4722




From: <cti@lists.oasis-open.org> on behalf of "Taylor, Marlon" <Marlon.Taylor@hq.dhs.gov>
Date: Tuesday, June 13, 2017 at 12:50 PM
To: Richard Struse <rjs@mitre.org>, Nicholas Hayden <nhayden@anomali.com>, "Wunder, John A." <jwunder@mitre.org>
Cc: Patrick Maroney <pmaroney@wapacklabs.com>, Bret Jordan <Bret_Jordan@symantec.com>, Jason Keirstead <Jason.Keirstead@ca.ibm.com>, John-Mark Gurney <jmg@newcontext.com>, CTI OASIS GROUP <cti@lists.oasis-open.org>, "Back, Greg" <gback@mitre.org>, "Nathan S. Reller" <Nathan.Reller@jhuapl.edu>
Subject: RE: [cti] [EXT] [cti] Location as a Top-Level SDO


This is an instance of a general design concern(embedded or not) throughout the spec and I look forward to Rich’s document to help our discussion.


Marlon Taylor
Technology Services Section
National Cybersecurity & Communications Integration Center (NCCIC)
U.S. Department of Homeland Security


From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org] On Behalf Of Struse, Richard J.
Sent: Tuesday, June 13, 2017 8:52 AM
To: Nicholas Hayden <nhayden@anomali.com>; Wunder, John A. <jwunder@mitre.org>
Cc: Patrick Maroney <pmaroney@wapacklabs.com>; Bret Jordan <Bret_Jordan@symantec.com>; Jason Keirstead <Jason.Keirstead@ca.ibm.com>; John-Mark Gurney <jmg@newcontext.com>; CTI OASIS GROUP <cti@lists.oasis-open.org>; Back, Greg <gback@mitre.org>; Nathan S. Reller <Nathan.Reller@jhuapl.edu>
Subject: Re: [cti] [EXT] [cti] Location as a Top-Level SDO


I am working on a document that lays out the thinking on this and other design issues.


From: <cti@lists.oasis-open.org> on behalf of Nicholas Hayden <nhayden@anomali.com>
Date: Tuesday, June 13, 2017 at 8:47 AM
To: "Wunder, John A." <jwunder@mitre.org>
Cc: Patrick Maroney <pmaroney@wapacklabs.com>, Bret Jordan <Bret_Jordan@symantec.com>, Jason Keirstead <Jason.Keirstead@ca.ibm.com>, John-Mark Gurney <jmg@newcontext.com>, CTI OASIS GROUP <cti@lists.oasis-open.org>, "Back, Greg" <gback@mitre.org>, "Nathan S. Reller" <Nathan.Reller@jhuapl.edu>
Subject: Re: [cti] [EXT] [cti] Location as a Top-Level SDO


Can we derive a "Go No GO” checklist for SDO’s?  This might help us in resolving this and to John’s point future scenarios.  My proposal is we clearly define what the characteristics are which “Qualifies” something that needs to be an SDO.  So for example does it requiring versioning “Yes” ok thats a +1 toward making it an SDO.



Best Regards, 
Nicholas Hayden, CISSP, GICSP, CNDA, CEH, Sec+ 

Director of Engineering Anomali | anomali.com

808 Winslow St Redwood City, CA 94063

Phone: (650) 257-0867 | Twitter: @anomali



On Jun 12, 2017, at 4:12 PM, Wunder, John A. <jwunder@mitre.org> wrote:


Yeah +1 to Pat…we’re a CTI org, let’s not maintain a database of geolocations.


More generally I also agree w/ Allan that this doesn’t really impact the SDO question. Either you:


  • Have the library and duplicate it in the embedded types
  • Have the library and reference it by UUID (if we generate STIX UUIDs for it)
  • Have the library and copy it into the referenced types (if we don’t generate UUIDs for it)


It would be nice to enumerate these types of scenarios and see how we can deal with each of them in each approach. I talked to Allan and I think he has the beginnings of that document started, I’ll get with him to push it to Google docs so we can all look over it.




From: <cti@lists.oasis-open.org> on behalf of Patrick Maroney <pmaroney@wapacklabs.com>
Date: Monday, June 12, 2017 at 3:16 PM
To: "Bret Jordan (CS)" <Bret_Jordan@symantec.com>
Cc: "Jason Mr. Keirstead" <Jason.Keirstead@ca.ibm.com>, "John-Mark Mr. Gurney" <jmg@newcontext.com>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>, Greg Back <gback@mitre.org>, "Nathan.Reller@jhuapl.edu" <Nathan.Reller@jhuapl.edu>
Subject: Re: [cti] [EXT] [cti] Location as a Top-Level SDO


My .02:  If we're building, publishing, maintaining our own Geo-Location Data, we're doing something wrong.  This is one wheel we do not need to re-invent...again just my .02.


Patrick Maroney

Principal Engineer - Data Science & Analytics

Wapack Labs LLC




On Jun 11, 2017, at 11:58 PM, Bret Jordan <Bret_Jordan@symantec.com> wrote:


So if we were going to do this, we would probably need to build a library of locations by country and regions and publish them as a Committee Note and hope people just use the them for locations at the granularity of a country or group of countries. 



From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Sent: Sunday, June 11, 2017 7:35:18 PM
To: jmg@newcontext.com
Cc: Bret Jordan; cti@lists.oasis-open.org; gback@mitre.org; Nathan.Reller@jhuapl.edu
Subject: Re: [cti] Re: [EXT] [cti] Location as a Top-Level SDO


You are assuming that we don't create a repository of "standard" location SDOs for things like continent and country names - IE the things that people would want to share in the first place. Which, I don't see why we would not do this, seeing how we're doing it for things like CAPEC.


Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems

Without data, all you are is just another person with an opinion - Unknown



----- Original message -----
From: John-Mark Gurney <jmg@newcontext.com>
Sent by: <cti@lists.oasis-open.org>
To: "Back, Greg" <gback@mitre.org>
Cc: Bret Jordan <Bret_Jordan@symantec.com>, "Reller, Nathan S." <Nathan.Reller@jhuapl.edu>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Re: [EXT] [cti] Location as a Top-Level SDO
Date: Fri, Jun 9, 2017 8:36 PM

Back, Greg wrote this message on Fri, Jun 09, 2017 at 20:18 +0000:
> If Location is an SDO, does that make it possible to “move” another object by versioning the Location object? That seems like a bad idea. Especially if you effectively “move” other, unrelated objects that also refer to the same Location. Even if we did make Location a TLO, we would have to mandate that people update the “_ref” fields to move an SDO, not the Location itself.

> (I haven’t made up my mind on whether I like the Location SDO in general, just pointing out one consideration).

Interesting point.  Which effectively means that if you create a
relationship to a location, that location should be one you own, not
one that was created by someone else (unless you can trust the creator
not to do what you just described)...

This means that by definition, there will be many Location SDO's for
the same location to prevent this from happeneing...


To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  Follow this link to all your TCs in OASIS at:



--------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php



This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.

. . . . .

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]