Subject: Re: [cti] Roadmap discussion and update


Jane,


We've been trying to do just that: we pointed our issues out back in May and linked to our wiki regarding the deficiencies we face with STIX 2.x when it comes to integration (https://github.com/MISP/MISP/wiki/NotesMISP-STIX2#how-to-represent-a-misp-event-in-stix-2), to which we were advised to come with a simple proposal to remedy the issues (which we did here: https://www.misp.software/Eventproposal-STIX2.1-1.pdf).

After discussions stemming from the above proposal, we were told that an alternate solution could be to enhance the report object with some of the missing meta-data fields that we need (in addition to clarifying that, despite its current interpretation, reports don't have to be final published reports, but could be general containers for threat intel information, similarly to the intent in STIX 1.2). A simple publish boolean flag on the report object would go a long way for us as a stop-gap solution for now, to at least get started (as described here: https://www.misp.software/STIX2.1Reportproposal.pdf).

However, this idea was shot down. So at the moment we're not really sure where that leaves us; we're left in limbo, eagerly awaiting a generic event SDO to finally be released. Seeing this crucial missing piece of the puzzle being pushed back is a massive disappointment for us.


Best regards,

Andras


On 10. aug. 2017 14:43, jg wrote:

Andras:

I would also add to what Sarah wrote by noting that having your regular input and participation might push us over the edge of having the confidence to push it through. We need the expertise of the IR community to make sure it is right.

Jane Ginn, MSIA, MRP
Secretary, CTI TC
OASIS
jg@ctin.us
In U.S.: +(928) 399-0509



-------- Original Message --------
From: Sarah Kelley <Sarah.Kelley@cisecurity.org>
Sent: Thursday, August 10, 2017 06:16 AM
To: Andras Iklody <andras.iklody@circl.lu>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Roadmap discussion and update

Andras,

Event/Incident has been on the schedule for the 2.1 release, but as we have started work on this object, the current feeling is that we don't understand it enough to get the work done in time for a fall release. Work has been done on this object (https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.r4w2zhz8p29q), but the topic is still being debated at length, and many people feel it will not be ready to be included in 2.1 if we still aim to get 2.1 out the door this fall. Hence the discussion to push Event/Incident back to a 2.2 release, in order to make sure the object is correct and not done in a hurry.

This type of question is exactly why we posed the roadmap conversation to the list.

Does this help frame the conversation?

Sarah Kelley
STIX Co-Chair
Senior Cyber Threat Analyst
Multi-State Information Sharing and Analysis Center (MS-ISAC)
31 Tech Valley Drive
East Greenbush, NY 12061

sarah.kelley@cisecurity.org
518-266-3493
24x7 Security Operations Center
SOC@cisecurity.org - 1-866-787-4722


On 8/10/17, 6:28 AM, "Andras Iklody" <cti@lists.oasis-open.org on behalf of andras.iklody@circl.lu> wrote:

Hi Trey,

Event/Incident postponed to 2.2? For the MISP community this is the No. 1
blocker; I thought it was scheduled for 2.1...

Best regards,

Andras


On 09. aug. 2017 21:14, Trey Darley wrote:
> All -
>
> New Context supports an Autumn 2017 release of STIX 2.1 consisting of:
>
> * i18n
> * Confidence
> * Intel Note
> * Opinion
> * Location
> * Malware
> * IEP
> * DNS Request/Response
>
> It is understood that the following work items would be postponed to
> 2.2:
>
> * Event/Incident
> * Infrastructure
> * COA
> * STIX Patterning Extensions
>
> While it is unfortunate that the scope of work has expanded to exceed
> the time initially earmarked for STIX 2.1 development, that should
> come as no surprise to anyone with experience trying to put accurate
> time estimates on complex development efforts.
>
> The TC work items ready to ship for 2.1 are significant. It would be
> unconscionable to artificially delay the release of these extensions
> to the STIX data model and thereby prevent folks from solving
> real-world problems they confront *today* by binding ourselves to the
> mast of an idealistic, completionist definition of STIX 2.1.
>
> Sarah, thanks for the great summary of the crossroads we find
> ourselves at. ^_^
>