

Subject: Re: [cti] Working call notes Nov 6, 2017


- I do not like Option 4. Many products can't understand TLP.

- I do not like Option 3 because it is at the marking level whereas IEP is much more complicated (what if you understand some policies and not others?)

- Option 5 doesn't answer the question in isolation, it's an "also....". You still need to pick 1/2/3/4 along with that....

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security

Without data, all you are is just another person with an opinion - Unknown




From:        "Wunder, John A." <jwunder@mitre.org>
To:        "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Date:        11/07/2017 04:43 PM
Subject:        Re: [cti] Working call notes Nov 6, 2017
Sent by:        <cti@lists.oasis-open.org>




Unfortunately the slide deck I presented seems to have disappeared, computers are hard! But, here are the options we talked through on the call that are referenced from the notes that Sarah sent. Note that the order is different than my earlier e-mail.
 
Option 1: Add language to the data markings portion of the specification to specify that markings are informational from a STIX perspective.
“Data marking support in this standard is present in order to facilitate data interchange within and amongst trust group communities. While the standard defines the methodology to communicate data markings, and also includes standard definitions for select marking types, it does not attempt to define how individual software implementations must or must not behave with respect to any individual marking. Understanding that the behavior of any individual software implementation with regard to data markings is highly context-specific and thus out of scope of this standard, support of any specific marking type is considered OPTIONAL.”
 
Option 2: Defer including IEP for STIX 2.1 and take the time to address the implementability and verifiability issues that have been brought up with IEP
 
Option 3: Add a property to data markings to specify whether consumers must understand them or not (i.e. may_understand vs. must_understand) <- Proposed by Mark Davidson on the call
 
Option 4: Specify that TLP is always a must_understand and IEP is always a may_understand. <- Proposed by Chris Ricard on the call
 
Option 5: Add the list of markings that must/may be understood to TAXII to specify as part of a TAXII collection or channel. <- Proposed by Terry MacDonald on the call
 
John
 
From: <cti@lists.oasis-open.org> on behalf of Sarah Kelley <Sarah.Kelley@cisecurity.org>
Date: Tuesday, November 7, 2017 at 4:09 PM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: [cti] Working call notes Nov 6, 2017

 
Here are the notes from the working call we just finished.
 
Sarah Kelley
Senior Cyber Threat Analyst
Multi-State Information Sharing and Analysis Center (MS-ISAC)                  
31 Tech Valley Drive
East Greenbush, NY 12061
 
sarah.kelley@cisecurity.org
518-266-3493
24x7 Security Operations Center
SOC@cisecurity.org - 1-866-787-4722
 

               