

Subject: RE: [cti] Re: [EXT] Re: [cti] Summary from Working Call


Great reminder Rich. "Remember, STIX and TAXII is for sharing data - not processing it."

 

There is another community out at the DHS and NSA sponsored Integrated Adaptive Cyber Defense effort at JHU-APL, and while the focus on orchestration is wrapping up, there is increasing focus on automated processing of CTI using Analytic Standards called out in ICD-203, such as the automation of argument-driven inquiry to build out logical arguments in semantic graphs, or integrating the CTI using frameworks like the ODNI Cyber Threat Framework or the NSA/CSS Technical Cyber Threat Framework, depending on the community you're supporting.

 

Best,

Shawn

 

Shawn Riley

CDO & CISO

DarkLight

Email:  shawn@darklight.ai

www.darklight.ai


 

From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> On Behalf Of Jason Keirstead
Sent: Wednesday, February 6, 2019 8:42 AM
To: Piazza, Rich <rpiazza@mitre.org>
Cc: Allan Thomson <athomson@lookingglasscyber.com>; Bret Jordan <Bret_Jordan@symantec.com>; cti@lists.oasis-open.org
Subject: Re: [cti] Re: [EXT] Re: [cti] Summary from Working Call

 

Well said Rich. +1.


-
Jason Keirstead
Lead Architect - IBM Security Connect
www.ibm.com/security

"Things may come to those who wait, but only the things left by those who hustle." - Unknown




From:        "Piazza, Rich" <rpiazza@mitre.org>
To:        Allan Thomson <athomson@lookingglasscyber.com>, Bret Jordan <Bret_Jordan@symantec.com>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Date:        02/06/2019 10:55 AM
Subject:        [cti] Re: [EXT] Re: [cti] Summary from Working Call
Sent by:        <cti@lists.oasis-open.org>





FWIW, I have to agree with Allan's concerns.  I am in favor of option 2, because people seem to need it, and it seems sort of harmless.  But I think trying to make TAXII a "swiss army knife" is not wise.
 
If you remember, I "led" the push to release STIX 2.1 last spring, as it "was".  Some might argue that the discussions and changes we have made since then have shown that this was a bad idea.  I don't know if I agree, but that is water under the bridge.
 
But here we are, 10 months later, and getting something released is even more imperative.  For instance, would it have been so terrible if the changes to cyber observables took place in STIX 2.2, which, if we had already released 2.1, would be the version that we were about to release now? No one in the community should be expecting each release to be perfect and complete.
 
If I remember correctly, we started on STIX/TAXII 2.1 during the Obama administration!  
 
Going forward, I think we need to be more "agile" in our work.  I know developing standards isn't the same as developing software, and having a new version too often has its downsides.  There will always be another SDO we want to eventually be in the standard.  There is always going to be a new feature that we want a TAXII server to have.  But adding feature after feature means that the release date is always 6 months in the future.  And we don't want the standards to be bloated.  Remember, STIX and TAXII is for sharing data - not processing it.
 
The market will develop and indicate the new features that should be included in future releases, as Allan said.
 
I know many will violently disagree with this - but I think I speak for many in the committee.
 
Cheers!
 
                Rich P.
 
From: <cti@lists.oasis-open.org> on behalf of Allan Thomson <athomson@lookingglasscyber.com>
Date: Tuesday, February 5, 2019 at 5:36 PM
To: Bret Jordan <Bret_Jordan@symantec.com>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: [EXT] Re: [cti] Summary from Working Call

 
Bret - I wasn't able to attend the call but an input I have would be that this new capability (whatever option you prefer) should be optional and not required.
 
This might help remove some objections to having to implement Option 1) vs 2) temporarily.
 
It also helps remove one of my primary objections which is that we should avoid treating TAXII as a database or interface to a database. That is a slippery slope to duplicating a lot of functionality that databases/indexing and other query engines were designed/excel at.
 
So I'm supportive of organizations that want to implement this in a TAXII server but it should not be mandatory for *all* TAXII servers to do so.
 
Let the market decide what TAXII server capabilities matter and are relevant to buying decisions.
 
Allan
 
From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of Bret Jordan <Bret_Jordan@symantec.com>
Date: Tuesday, February 5, 2019 at 1:10 PM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: [cti] Summary from Working Call

 
All,
 
On today's working call we talked about TAXII query, search, and pivoting.  We had 17 participants on the call today.  The consensus on the call was to move forward with adding a simple RESTful endpoint (option 2) to allow pivoting on relationships. We will also look at a more fully fleshed out query/search solution in a future version of TAXII.  Six people on the call voiced support for this option (Rich, Trey, Jeff, John-Mark, Sean, Ryan), and no one objected to moving forward with this direction.
 
It is also important to note that Marlon / DHS might have a proposal for how we could address some of the other query use cases using a similar approach to what we are proposing (option 2) for relationships. Once that proposal is submitted to the TC, the TC can review it and determine if and when it should be adopted.
 
Thanks everyone for attending the call today.  We made a lot of progress.  Drew and I will start implementing this into TAXII 2.1 Working Draft 07.
 
Thanks
Bret
 
 
 


