The following are comments on the Oasis “Cyber Threat Intelligence (CTI) Technical Committee” draft charter from Cory Casanave of Model Driven Solutions. Basis of interest: Model Driven Solutions is a submitter to the OMG Operational Threat & Risk Model RFP (http://www.omg.org/cgi-bin/doc.cgi?sysa/2014-6-17), which is referenced in the draft CTI charter (https://lists.oasis-open.org/archives/members/201504/msg00006.html). There is substantial overlap but some important differences in the intent and substance of the OMG standards effort and that proposed by the Oasis CTI TC. These comments are intended to help both organizations develop standards that are in the best interests of the community of vendors, consumers and other stakeholders.
Of particular importance is making sure that cyber threats and risks are not made yet another “stovepipe”, as we are faced with a world where the boundaries between the physical and cyber world are porous and an estimated 80% of threats are blended between cyber and physical. Protecting our citizens, property and critical infrastructure requires that we can “connect the dots” between all hazards and all risks from threat actors, system failures and natural disasters. This federation of information must happen at “machine speed” to enable effective and responsive analytics and information sharing to prevent and mitigate the impacts of threats and risks.
The STIX/TAXII/Cybox schemas represent important work within the cyber community for cyber threats and risks. It is appropriate and necessary that the cyber community have detailed and specific exchange formats that are tuned to the needs of cyber professionals. The same is true of other domains and “verticals” such as law enforcement, critical infrastructure protection, terrorism, biological, nuclear, and responses to natural disasters. Yet these domains and the related organizations must work closely together, often in difficult and unexpected situations.
To enable the focus needed for specific communities while preserving cross-community collaboration, information federation and information sharing, the OMG Threat & Risk model initiative is creating a standard UML conceptual model that federates the concepts from these multiple domains, based on existing work such as is found in STIX/TAXII/Cybox (as well as others). This UML model will then be mapped to the existing exchange formats, such as STIX (and others), to provide the basis for semantic and syntactic information federation, analytics and sharing. The OMG initiative is not defining any new data schema – we have enough. The RFP has been issued and initial submissions will be presented in May. The submission team is open (see http://www.threatrisk.org) and STIX community members have monitored our progress.
To relate the two efforts: the OMG effort is broader and shallower, whereas the CTI effort is deeper and narrower. Both efforts intend to provide UML models of the concepts (this fact is not explicit in the charter but has been made public on the STIX lists). The CTI effort is also specifying exchange data structures such as XML schema; the OMG effort is not defining any new schema but is mapping between schemas (standard, community or proprietary). However, schemas could be generated from the UML models. In that the OMG effort has STIX/TAXII/Cybox as a normative input and mapping, the proper representation of the broad threat/risk and general concepts within STIX/TAXII/Cybox is or will be defined in the OMG conceptual model. Approximately 75% of this model has a direct correlation to STIX/TAXII/Cybox, such that the STIX/TAXII/Cybox cyber-specific concepts could be considered an extension to the OMG conceptual model.
While STIX/TAXII/Cybox are clearly focused on cyber, a reading of the charter where the term “Cyber” was removed would correspond almost directly to the intent of the OMG threat/risk effort. What this suggests is that much of what is needed is in fact cross-domain and not specific to cyber. If not specific to cyber, there is an almost complete overlap with the OMG effort. It would be confusing, a waste of effort and a disservice to both vendors and our defenders to come out with redundant standards covering almost the same space. As stewards of standards, it is our responsibility to make sure such efforts are coordinated, complementary and properly scoped.
It is our position that these efforts must be complementary by charter and that the following be included in that charter:

· That the CTI effort will include a UML representation of cyber concepts (our understanding is that this is the current intent)

· That there will be an explicit mapping of this model to technology-specific schema, such as XML schema (our understanding is that this is the current intent)

· That the CTI UML representation be an extension of the OMG operational threat and risk model (this is an additional constraint)

· That the OMG effort must include a foundation appropriate for extension to the CTI model (a current requirement of the RFP)
Cross membership and cross participation will ensure that these requirements are met and that both efforts meet their objectives. Based on the substantial time we have spent evaluating both models, such collaboration and integration is practical and would benefit both efforts.
Regards,
Cory Casanave
CEO, Model Driven Solutions
BoD, Object Management Group
Threat/Risk submitter
The above comments are from Cory Casanave representing Model Driven Solutions and do not necessarily represent the position of the other contributors and submitters to the OMG effort. Other stakeholders are encouraged to also submit comments to Oasis via carol.geyer@oasis-open.org.