OASIS Mailing List Archives

cti message


Subject: Re: [cti] [EXT] [cti] STIX action items for the full TC call on 6/15/17


Fair enough.  Good, reasoned response.

Thanks Rich.

Patrick Maroney
Principal Engineer - Data Science & Analytics
Wapack Labs LLC
(609)841-5104


On Jun 15, 2017, at 3:38 PM, Struse, Richard J. <rjs@mitre.org> wrote:

Pat,

 

In the case of machine-generated “opinions” about CTI objects, it may not always be possible to have a useful prose description.  I could also imagine cases where humans may want to disagree with an object but are not at liberty to explain why right now.  In practice I think you will see people using the description – I don’t think making it required would make much of a difference.

 

Rich

 

From: <cti@lists.oasis-open.org> on behalf of Patrick Maroney <pmaroney@wapacklabs.com>
Date: Thursday, June 15, 2017 at 3:32 PM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Cc: Bret Jordan <Bret_Jordan@symantec.com>, "Werntz, Preston" <Preston.Werntz@HQ.DHS.GOV>, Sarah Kelley <Sarah.Kelley@cisecurity.org>, Allan Thomson <athomson@lookingglasscyber.com>
Subject: Re: [cti] [EXT] [cti] STIX action items for the full TC call on 6/15/17

 

Note that the following are not strongly held views, but want to provide requested responses to the proposed Opinion Object:

 

(1) If I'm going to challenge the assertions of another Analyst/Organization, then I believe that some narrative basis for my counter-assertions should be "Required".  Therefore, this description should not be optional.

 

(2) Arguing for attribution of one challenging someone's assertion is a slippery slope, so will defer to consensus on this point.

 

(3) Perspectives on "Scales" previously expressed.

 

Patrick Maroney

Principal Engineer - Data Science & Analytics

Wapack Labs LLC

(609)841-5104

 

 

On Jun 15, 2017, at 9:04 AM, Allan Thomson <athomson@lookingglasscyber.com> wrote:

 

Name is the summary of the note.

 

If the note is verbose content then having a short ‘name’ (or summary) is very useful.

 

It’s akin to having a subject line in an email vs having to read the entire email to understand the summary of the email.

 

It’s an optional parameter that hardly breaks anything and adds value to certain use cases.

 

I don’t believe we should exclude parameters when others are suggesting it adds value to their use cases.

 

CTO

+1-408-331-6646

 

From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of Bret Jordan <Bret_Jordan@symantec.com>
Date: Wednesday, June 14, 2017 at 5:18 PM
To: "Werntz, Preston" <Preston.Werntz@HQ.DHS.GOV>, Sarah Kelley <Sarah.Kelley@cisecurity.org>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: [cti] Re: [EXT] [cti] STIX action items for the full TC call on 6/15/17

 

For opinion, I am still concerned about the scale.  I think we are leaning towards an open-vocab or ENUM of values. But I am not sure we have the full consensus of the TC on this. Yes it has been discussed on several working calls, but that is just a subset of this whole group.  Opinion also does not have the ability to link against a specific version of an object. So you may issue an opinion but the object may have been updated and your opinion is no longer valid.  Further, I really worry that we do not have digital signatures yet. I think supporting the Opinion object before digital signatures is like putting the cart before the road.

 

For note, I do not agree with having a "name" on the note. I do not think it makes sense to have a "name" for a note. 

 

Bret


From: Werntz, Preston <Preston.Werntz@HQ.DHS.GOV>
Sent: Wednesday, June 14, 2017 2:55:35 PM
To: Bret Jordan; Sarah Kelley; cti@lists.oasis-open.org
Subject: RE: [EXT] [cti] STIX action items for the full TC call on 6/15/17

 

Bret –

On the DHS side, we’ve been looking forward to Opinion in STIX 2.1 to help with our goal of implementing automated feedback in the Automated Indicator Sharing (AIS) initiative, so I’d like to hear your concerns on what questions remain as that may help us think through ways to implement in AIS. Thanks!  

 

W. Preston Werntz

Chief, Technology Services Section

National Cybersecurity and Communications Integration Center (NCCIC)

Department of Homeland Security

 

 

 

 

From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org] On Behalf Of Bret Jordan
Sent: Wednesday, June 14, 2017 3:16 PM
To: Sarah Kelley <Sarah.Kelley@cisecurity.org>; cti@lists.oasis-open.org
Subject: [cti] Re: [EXT] [cti] STIX action items for the full TC call on 6/15/17

 

While I think note/intel-note and opinion are making progress, I personally do not feel like they are done enough to add to the 2.1 documents.  I think there are several unanswered questions.  I think they need some more time and discussion before they are done. 

 

Bret

 


From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Sarah Kelley <Sarah.Kelley@cisecurity.org>
Sent: Wednesday, June 14, 2017 11:18:51 AM
To: cti@lists.oasis-open.org
Subject: [EXT] [cti] STIX action items for the full TC call on 6/15/17

 

On tomorrow’s working call, we will be addressing several topics that need TC consensus for moving forward with STIX 2.0 and STIX 2.1. In preparation for the meeting, please review the following:

 

STIX 2.0:

  • The second open comment period for STIX 2.0 has closed. The suggested changes have been addressed on working calls, and the current decision on each item has been documented in the following spreadsheet: https://docs.google.com/spreadsheets/d/1YOPONeKzc6Uu1A1MS3WkICG26LKLQOWdr-KBDzM8K6Y/edit#gid=5055878
  • The TC needs to fully approve these changes before we can consider STIX 2.0 CSD to be done. There were no substantive changes made during this comment period, so if the TC agrees to the decisions documented in the spreadsheet above, we can vote to move forward from a Committee Specification Draft (CSD) to a Committee Specification (CS).
  • ACTION ITEM: Please review the spreadsheet. If you have any objections to the decisions as listed, please comment either on the list or at the full TC meeting tomorrow. Lack of comment is considered to be agreement.

 

STIX 2.1

  • Intel Note is ready to be moved from the STIX Working Document to the STIX 2.1 Specification Document. As such, we agreed to open each item up for approval of the full TC. The current proposal is located here: https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.s5l7katgbp09
  • ACTION ITEM: Please review this proposal. If you have any objections to the proposal as written, please comment either on the list or at the full TC meeting tomorrow. Lack of comment is considered to be agreement with the proposal as written.
  • Opinion is ready to be moved from the STIX Working Document to the STIX 2.1 Specification Document. As such, we agreed to open each item up for approval of the full TC. The current proposal is located here: https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.haeazu2sh3sq
  • ACTION ITEM: Please review this proposal. If you have any objections to the proposal as written, please comment either on the list or at the full TC meeting tomorrow. Lack of comment is considered to be agreement with the proposal as written.

 

 

The deadline for feedback/comments is Saturday June 17th. This will allow us to open a CS ballot next week.

 

 

Thanks,

 

 

Sarah Kelley

Senior Cyber Threat Analyst

Multi-State Information Sharing and Analysis Center (MS-ISAC)                   

31 Tech Valley Drive

East Greenbush, NY 12061

 

518-266-3493

24x7 Security Operations Center

SOC@cisecurity.org - 1-866-787-4722

 
