Re: [cti] CTI interest in NIEM?

[Keven Ates <klates@fbi.gov>]

I'm very interested. In fact, I'm awaiting NEIM to release as an ontology.  They are working toward that with a JSON-LD representation.  However, the format is unimportant as it can be transformed at will.

STIX is THE defacto standard for the cybersecurity industry and can be found as an ontology in the TAC releases and is instrumental in adoption into our knowledge graph based CTI application for intake and sharing.

Having NEIM do the same will make integration seamless.  Using ontology equalities would be an extremely easy way to align STIX and NIEM terminology...both could exist together or separate as the implementer desires.  This represents the crossroads between the cybersecurity domain and the law enforcement domain.  The two TCs can either lead in this effort or sit on their hands.

As a critique, these protocols as documentation are limiting adoption. Protocol as OWL2 ontology (a "data as documentation" technique) is directly usable in knowledge managements systems and allows for quick adoption.  Shape management such as SHACL is used to validate documents.  We separate "term management" from "documentation management" so that any document dependencies are clearly and separately addressed.

In my opinion, the mountain of NEIM documentation is not very helpful for implementation and could be much more succinct.  It's JSON-LD data representations are more helpful.  However, lacking the underlying ontology to support the data representations creates a "cart before the horse" issue.

Keven

---

From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Jim Cabral <Jim.Cabral@infotrack.com>
Sent: Sunday, August 20, 2023 10:58:57 PM
To: Duncan Sparrell <duncan@sfractal.com>; cti@lists.oasis-open.org <cti@lists.oasis-open.org>
Subject: [EXTERNAL EMAIL] -  Re: [cti] CTI interest in NIEM?

Firstly, I am hopeful that Duncan and others can help discover and continue to evangelize opportunities for CTI and NIEM to collaborate.

That said, I join Duncan in my concerns that others in the CTI community have not yet embraced NIEM as a model for exchanging information between and among domains. As a long,-term proponent of NIEM and related standards for cross-domsin information sharing, we welcome feedback as to whether this gap is due to unfamiliarity with the NIEM or whether it is to due to specific design choices we in the NIEM technical or business committees have made.

Regardless of whether the CTI community embraces NIEM as a standard for sharing information across domains, we request the CTI stakeholders provide feedback to NIEM regarding any gaps in our current approach

Thank you,

__

Jim Cabral

502-640-4970

---

From: "duncan sfractal.com" <duncan@sfractal.com>
Sent: Sunday, August 20, 2023 3:54 PM
To: cti@lists.oasis-open.org
Subject: [cti] CTI interest in NIEM?

Is there interest in getting NIEM to adopt STIX terminology at a minimum and maybe STIX âin totoâ?

 

Background:

NIEM is an OASIS Open Project (http://niem.github.io/ ) to standardize work the US Government has been doing for several decades (https://www.niem.gov/) for standardizing information exchange within and between federal agencies, State/Local/Tribal/Territorial governments, as well as with private industry. NIEM is quite prevalent in the courts, law enforcement, and legal profession, as well as in select industries (ag agriculture, emergency management, transportation, miliary, â) where the USG had needs for standardizing information exchange. For example, when you get pulled over for a speeding ticket, it's NIEM standards that allow the local police to check what other tickets you got, whether your car was stolen, whether you are wanted for other crimes etc. And itâs unfortunately also how the insurance company knows you got a ticket so they can hike your rates ð.

 

For whatever reason, the âcyber domainâ does not have much support (I believe Iâve been sole attendee with any interest). NIEM sort of acknowledges STIX1.2, as a way to exchange threat information. It will take text/PRâs/editing/etc to actually have NIEM use the current version of STIX.

 

Personally I think this is important, especially as more and more cyber cases end up in court; as well as cyber becomes more important to more industries. However at NIEM meetings, I feel like that Greek guy forever pushing the boulder up hill.

 

Is anyone else interested in participating in NIEM cyber activities? Without more support, Iâm thinking dropping my participation in that effort.

 

-- 

Duncan Sparrell

sFractal Consulting

iPhone, iTypo, iApologize

I welcome VSRE emails. Learn more at http://vsre.info/