

Subject: Re: [EXT] Re: [cti] Roadmap discussion and update


We have not yet finished malware. It is getting close to a solid initial proposal, but that will then need to be vetted by the community and the vendors that are going to implement it. I feel like we are going down a dangerous path of "we want this release out at this time". And if things like Malware are not fully done, we will just cut functionality or features to make sure "something" gets put into the release.


Bret


From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Wunder, John A. <jwunder@mitre.org>
Sent: Tuesday, August 8, 2017 2:17:32 PM
To: cti@lists.oasis-open.org
Subject: [EXT] Re: [cti] Roadmap discussion and update
 

I was going to respond as well but Allan said pretty much exactly what I would have, so I’ll just second his statement. We said we would aim for a complete release with 2.1, and IMO what we have in confidence, i18n, location, malware, and IEP in particular are big steps forward and justify sticking to our release.

 

John

 

From: <cti@lists.oasis-open.org> on behalf of Allan Thomson <athomson@lookingglasscyber.com>
Date: Tuesday, August 8, 2017 at 3:16 PM
To: Sarah Kelley <Sarah.Kelley@cisecurity.org>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Roadmap discussion and update

 

Sarah – Thanks for sending the summary.

 

I would suggest we keep with our plan for a Fall release of STIX 2.1 that includes:

 

  • Confidence, Intel Note, Opinion, Internationalization
  • Location, Malware
  • IEP, DNS Request/Response

 

Regarding the items marked in red below, I would suggest that we just take a strategy that if the sub-group reaches sufficient progress by the STIX2.1 cutoff then we include. If not then we push to STIX2.2.

 

  • COA:
    • Given that COA already has a stub in STIX 2.0 I think we can keep that as-is until OpenC2 further progresses and we can incorporate more concrete work around that connection between CTI-OpenC2.
  • Infrastructure:
    • Agree with Rich Struse’s assessment that we lack strong consensus on the definition of this work and it’s not clear it would come together sufficiently well to make the deadline.
  • Event/Incident:
    • I feel that this area is a lot closer to a good enough definition than others might think. I hope we can include this in STIX2.1 but wouldn’t hold STIX2.1 for this. Delivering later in STIX2.2 would be fine for this one.

 

 

regards

 

 

Allan Thomson

CTO

+1-408-331-6646

LookingGlass Cyber Solutions

 

From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of Sarah Kelley <Sarah.Kelley@cisecurity.org>
Date: Tuesday, August 8, 2017 at 10:04 AM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: [cti] Roadmap discussion and update

 

CTI-TC,

 

We wanted to send a follow-up email regarding the roadmap conversation that was started on the last monthly call. From our original list of items we wanted to have in STIX 2.1, this is where we stand:


 

Finished:

  • Confidence, Intel Note, Opinion, Internationalization

Mostly done:

  • Location (review), Malware (finishing development, Friday call)

In Progress:

  • IEP, DNS Request/Response (Tuesday working call)

Still to come (or in mini-group):

  • COA, Infrastructure, Event/Incident

 

As mentioned during the meeting(s), we aren’t making fast enough progress through our roadmap in order to get all of these objects into a fall release. We have three choices:

  • Schedule more meetings, move faster
    • Instead of having 2 working calls per week, we could increase to 3 or 4.
    • In the opinion of the co-chairs, this is not really reasonable given our past experience trying to move faster.

 

Which really leaves us with two choices:

  • Accept it and delay the release
    • Trying to finish all these topics would probably push our release date for STIX 2.1 into spring or summer of 2018.
    • We would have to be cognizant of scope creep, not allowing new items to become “necessary” for 2.1 or the release date will be continually pushed.

 

  • Remove items from the release in order to get the things that are done or nearly done out sooner (deadline for new material would be Sept 30 so editorial work can begin in October) while giving us time to work on the things that need the time
    • Would keep things that are basically done: Internationalization, Confidence, Intel Note, Opinion, Location and Malware
    • Probably keep proposals that are fairly polished and just need to be reviewed: IEP, DNS Request/Response
    • Likely defer items that still have a lot of work: Infrastructure, COA, and Event

 

The general consensus of the co-chairs (without unanimity) is that the third option is the most logical at the moment. Setting a hard deadline of Sept 30 would allow us to get a 2.1 update out with important new objects, but also allow us to give certain large topics (like COA, Infrastructure and Event) the full time and attention they need to get them right by pushing them to a later release. This would also allow our October F2F to focus on kick starting STIX 2.2.

 

Given that this committee works via consensus and that the co-chairs do not decide anything unilaterally, we would like to open this conversation up for wider discussion. Please chime in and let everyone know your preference. 

 

Thanks,

  

Sarah Kelley

Senior Cyber Threat Analyst

Multi-State Information Sharing and Analysis Center (MS-ISAC)                   

31 Tech Valley Drive

East Greenbush, NY 12061

 

sarah.kelley@cisecurity.org

518-266-3493

24x7 Security Operations Center

SOC@cisecurity.org - 1-866-787-4722

 

                  

This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.
