
Subject: Text Version of Working Call Meeting Notes


Meeting Date: October 30, 2018

Time: 3:00 p.m. EDT

Purpose: Weekly Working Session

Attendees:

  Chris Ricard
  Trey Darley
  Sean Barnum
  Rich Piazza
  Richard Struse
  Emmanuelle Vargas-Gonzalez
  Jeffrey Mates
  Jason Keirstead
  Allan Thomson
  Nicholas Hayden
  Kai Li
  Chris Lenk
  Sarah Kelley - Moderator
  Dr. Masato Terada
  Jane Ginn - Recorder
  John-Mark Gurney
  Gary Katz
  Tom Vaughan

Agenda:

  Review of COA Proposal
  Review of Option 1 Proposal

Meeting Notes:

Sarah Kelley
  Started meeting; turned over to Allan to review COA proposal

Allan Thomson
  Reviewed the updates to the Course of Action (COA) SDO for STIX 2.1
    https://docs.google.com/document/d/1bkMmU1PxlwlAwjrMmyWV147rvLcRs2x62FicHbpH2gU/edit#
  Reviewed the changes proposed; asked for comments on comment sheet

Trey Darley
  Posed question about changes made with respect to other standards

Allan Thomson
  Confirmed that there was effort to harmonize

Richard Struse
  Asked for clarification on how the proposed updates would work with other standards

Allan Thomson
  Clarified position on this

Sarah Kelley
  Gave summary of the discussion of 1 Prime & 7 Proposals from F2F
    Discussed background of the two proposals for how to handle Cyber Observables
    Discussed need for Evidence-Based approach; 25 different Models
  I'll turn over to Sean. Please let him get out his proposal first, then ask questions

Sean Barnum
  What is Option 1?
    We realize there would be an impact on Interop, but we haven't done them yet
    We agree that we would need to change that, but we wanted to model the STIX Spec first
    The link to the list of use cases that were modeled is here:
      https://docs.google.com/document/d/1puPuKVWNSelrWH05yu9It99OuqQGdYo_Et0nmZKAZz8/edit#
  The link to our proposal is here:
    https://docs.google.com/document/d/1j0gXMp3MFLzHCrudfbDn5NeZSUeBCc8EBsvPsP1epOg/edit
  There are 5 substantive changes.
    1. Observables keep their same type structure but are now TLOs
       o Semantically the same thing (a file is still a file, a domain-name is still a domain-name, etc.)
    2. Observed-data.objects now contains references to the observable objects rather than defining them inline
       o Semantically the same thing (observations still specify the observables they observed)
    3. Observed-data.objects can now contain references to relationships
       o Semantically the same thing (the relationships were already there as properties on the observable objects)
    4. Inter-Observable relationships currently expressed as properties on the source object are broken out into Relationships
       o Semantically the same thing
       o Is needed anyway for numerous reasons
    5. Extensions are possible on all STIX objects
  NO change in overall semantics (each type of object still represents the same thing), just in how they are structured
  NO substantive change to any STIX Objects other than observed-data
  NO substantive changes to any Observable Object types except breaking out relationship properties that should be relationships
  Made argument that SOOs are top level objects; SDOs and SROs can relate directly
  Went through the specific proposed changes to Part 2 & 4 if the proposal is accepted
    Noted that Part 3 would be deleted (merged with Part 2)
  Real focus was on substantive changes; we didn't try to update the editorial things
    Some of the code may need to be updated
  We are still working on the Rationale for all of these proposed changes
    Part was driven by the Use Cases that were presented
    I couldn't get to the Rationale yet, but I'll get it out to you
      You should all have edit rights on the document

Sarah Kelley
  Gave a summary of the proposed changes to Option 7
    Changes to Timestamps; Optionality & how handled for Extensions

Sean Barnum
  I didn't realize that was part of Option 7

Sarah Kelley
  Opened the floor for questions

John-Mark Gurney
  If Cyber Observables are TLOs, how do you know if an observation changes with versions?
    We don't have any links on the SDOs that would handle the versioning issue?

Sean Barnum
  Discussed options for handling versioning issues; not in proposal, but we did think about it
    This problem holds true for any relationship in STIX

John-Mark Gurney
  I've long been pushing for adding the "Modified", but it does not completely solve the problem

Jeffrey Mates
  Explained how it could work for SROs

Allan Thomson
  With this proposal we are elevating Cyber Observables to TLOs
    I'm looking at an example of this [gave example of infection on a laptop]
    In our current proprietary JSON schema; explained how
      Design criterion was "Efficiency"; as fast as possible
    When we mapped to STIX, it was closely related; all same Time Stamps
  If you break apart, they are no longer related
  If I understand your proposal correctly, I cannot show the relationships efficiently
    It is very inefficient

Gary Katz
  If you are defining a custom schema specific to your organization, that will be more efficient; with this broader application the schema has to be more flexible

Allan Thomson
  The issue is: When does data become Intelligence, and how do you represent that
    We seem to be conflating data and intelligence
      We don't want to lose context

John-Mark Gurney
  I agree with Allan on this, having spent the last two years writing code for this
    This new version really worries me because you're going to need a relationship for every object
      Writing code for this will be extremely complicated
    Our existing approach is much easier to code

Sean Barnum
  I would say that we will have greater efficiency at scale
    The first question is: Can we convey what we want to convey
    The current way of doing things shows us that we need more expressivity
    Gary has an example of what I mean

Trey Darley
  This is not a trivial change, and given that FE has not had a chance to develop a rationale

Gary Katz
  Went through a comparison

Gary Katz
  The crux of the problem is that we cannot relate some of the SDOs

John-Mark Gurney
  I see these things representing two different things

Gary Katz
  Made observation about how to update

Richard Struse
  I was the one at the F2F for us to focus on evidence-based decision making
  We need to look at the technical issue, but we also have to look at the reputational risk
    We need to look at this with respect to the broader implications for the TC
  I applaud these kinds of conversations; good modelling
    Let's make sure the proponents of Option 1 and Option 7 each come with evidence-based models and code

John-Mark Gurney
  Noted that when new proposals come out it pushes out our dates

Richard Struse
  I realize that, but we need to be able to convey to the broader community that we considered all proposals

Trey Darley
  We'll continue this discussion next week. Thanks all!

Chat Panel:

From jmg to Everyone: 12:43 PM

Jeff, yeah, if we add modified to id refs, and require that the observed data contains ALL the objects, both SRO/SDOs, then yeah, it addresses my concerns with my raised points.

From Jeff Mates to Everyone: 12:44 PM

nice

From jmg to Everyone: 12:51 PM

but not other points...

if you do dedup'ing yes, but that is VERY expensive... ZFS has demonstrated that deduping is expensive and not at all efficient..

From Sarah Kelley to Everyone: 12:52 PM

Sean, would it be possible for you to make a list of some of the things you can do in 1 that can't be done in 7? Like a summary of the UC docs?

Never mind. That's what Trey is asking

From jmg to Everyone: 12:59 PM

gary, please update the slide to match and convey the same information, i.e. each one should have the same number of observed data objects and malware analysis objects.. and send to the list.

From sean.barnum to Everyone: 01:01 PM

The Option1 example does not need to have any observed-data objects to be the same

it is not necessarily conveying an observation. Slide1 may be just conveying intelligence of what the producer believes.

The observed-data are in the Option7 example because there is NO way to convey what is inside them without those wrapper objects

That is the nut of Option1 vs Option7

From Jeff Mates to Everyone: 01:01 PM

they don't need the same number of observed data since the issue can be bypassed while option 7 can force it but that just leads to fake values

From jmg to Everyone: 01:01 PM

that doesn't require a split IMO, there are solutions around that...

From sean.barnum to Everyone: 01:01 PM

@jmg, please show them to me

From jmg to Everyone: 01:03 PM

I've proposed adding the cyber observable object ref to the end of an identifier to look "into" the cyber observable objects...

others have as well..

-- 
Jane Ginn, MSIA, MRP
CTI TC Secretary, OASIS
+1 (928) 399-0509
jg@ctin.us

