OASIS Cyber Threat Intelligence (CTI) TC

  • 1.  [cti] Proposal to create CTI User Council

    Posted 08-08-2016 12:43
    Dear all,

    as already discussed within CTI TC and with some of you, I’d like to submit the proposal below to create a Cyber Threat Intelligence User Council as a sub-group of the OASIS CTI Technical Committee and volunteer to take care of it.

    Proposal: Create CTI User Council, a neutral forum in which corporate end users voice concerns, discuss best practices, and identify common technical requirements that can be shared with the main CTI Technical Committee.

    Who should join: Non-vendor CTI TC members (banks, healthcare companies, retailers, etc.) who want to track and influence the standards without engaging in day-to-day spec development issues.

    Goals:

    - Enable end user members to contribute to CTI standards in ways meaningful to them, such as articulating business requirements, mobilizing support for vertical specializations, and promoting adoption of common best practices;
    - Foster peer-based discussions where non-vendor members can exchange information on pain points and collaborate to address real-world problems;
    - Provide CTI STIX, TAXII, CybOX, and Interoperability Subcommittees with a direct mechanism for obtaining user feedback on technical disputes;
    - Increase adoption of CTI standards and enable a robust CTI ecosystem by engaging more end users in the process.

    Activities:

    - CTI STIX, TAXII, CybOX, and Interoperability Subcommittees could periodically provide the User Council with summary reports on their progress, allowing Council members to stay current with the SCs' work without the need to follow daily SC email exchanges.
    - As needed, CTI Subcommittees could poll the User Council for input on specific issues under debate. ("Would approach A or B be more useful to you?")
    - Council members could discuss use cases and share experiences via their own email list and via occasional F2F meetings, held alone or in conjunction with industry events such as Borderless Cyber.
    - Council could produce documents defining business requirements, vertical specializations, and best practices for submission to main CTI TC.

    Format: The CTI User Council would be formed as a Subcommittee of the CTI TC (to take advantage of the SC infrastructure) but 'Subcommittee' would not be used in the group name.

    Also I’d like to thank Carol for her support to get this going. What are your thoughts about it? Any feedback is highly appreciated!

    Best Regards from muddy Berlin (weather was better last week @DefCon although hardly seen daylight),

    Joerg


  • 2.  Re: [cti] Proposal to create CTI User Council

    Posted 08-08-2016 17:29
    Joerg:

    I believe this is a sound proposal. It picks up on some of the ideas that were expressed very early on when the CTI-TC was just being formed to have an 'Engagement' Subcommittee. This would give an opportunity for more people to get involved in meaningful ways in making the CTI protocols better for the entire Community. I applaud your willingness to take this on. And Thanks to Carol for helping to shape the vision.

    Jane Ginn, MSIA, MRP
    Co-Secretary, CTI-TC
    jg@ctin.us


  • 3.  Re: [cti] Proposal to create CTI User Council

    Posted 08-08-2016 19:51
    It feels like this should be done outside of OASIS land, and I would support this if done outside of OASIS land. I do not think the catch all CTI-Users forum is the place to do this either...

    I was always in favor of a users group being setup (outside of OASIS). I think there would be real value in having a place to talk about usability aspects and implementation aspects. I could see this group building lot of good material for how to use STIX and TAXII in a security playbook. But IMHO, it would be best to do this all outside of OASIS land. If you tried to do this in OASIS, then the majority of people you would want to be part of this, could not be. As they would not be OASIS members. Most IR people and day-2-day analysts are not members of OASIS, even if their company or organization is.

    Thanks,
    Bret

    Bret Jordan CISSP
    Director of Security Architecture and Standards Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."


  • 4.  Re: [cti] Proposal to create CTI User Council

    Posted 08-08-2016 19:56




    I would support this being set up in OASIS and think it would be a pretty good value add.

    For the below of most IR and CTI people not being in OASIS, that is true but each org or member of this CTI group can easily ping folks within their organization to ask for assistance.


  • 5.  Re: [cti] Proposal to create CTI User Council

    Posted 08-08-2016 20:18
    But therein lies the problem.. We can not take direct feedback, comments, or suggestions, from people that are not actually "members" of the OASIS TC... Thus all of these people would need to be full members of the OASIS CTI TC.... Anyone that is not a full member of the TC must use the public comment solution.

    Thus doing this outside of OASIS would be monumentally easier and give you more flexibility.

    Thanks,
    Bret


  • 6.  RE: [cti] Proposal to create CTI User Council

    Posted 08-08-2016 20:31




    Bret is right, and my (albeit limited) involvement with this TC is about to come to an end for the same reason—the requirement of OASIS membership to participate. The team within Citrix that managed our relationship with OASIS were caught in a RIF at the beginning of the year. Our membership will lapse soon, along with my ability to participate in the TC.

    If we constrain user community involvement to OASIS membership, we’ll be responsible for a disservice to the rest of CTI user community, the vast majority of whom are not OASIS members.

    Joey

    --
    Joey Peloquin, Principal Architect, XenMobile Security Operations
    Citrix Systems, Inc.
    851 West Cypress Creek Road
    Fort Lauderdale, FL 33309
    m (817) 412-0475
    o (954) 229-5649
    e joey.peloquin@citrix.com

     



  • 7.  Re: [cti] Proposal to create CTI User Council

    Posted 08-08-2016 20:47
    This is why I fully support the creation of a users group for STIX/TAXII...  But it really needs to happen outside of OASIS land.  The group should self elect some reasonable leaders to manage and run it.  I can see two very interesting sides to this coin: 1) Analysts trying to use a product that is based on STIX, or an analysts trying to do something directly with STIX. 2) Product Managers / Developers that are trying to implement products based on STIX.   It seems like a win-win for the community.   Thanks, Bret Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.   On Aug 8, 2016, at 14:30, Joey Peloquin < joey.peloquin@citrix.com > wrote: Bret is right, and my (albeit limited) involvement with this TC is about to come to an end for the same reason—the requirement of OASIS membership to participate. The team within Citrix that managed our relationship with OASIS were caught in a RIF at the beginning of the year. Our membership will lapse soon, along with my ability to participate in the TC.   If we constrain user community involvement to OASIS membership, we’ll be responsible for a disservice to the rest of CTI user community, the vast majority of whom are not OASIS members.   Joey -- Joey Peloquin , Principal Architect, XenMobile Security Operations Citrix Systems, Inc.     851 West Cypress Creek Road     Fort Lauderdale, FL 33309 m   (817) 412-0475     o   (954) 229-5649     e   joey.peloquin@citrix.com   From:   cti@lists.oasis-open.org [ mailto:cti@lists.oasis-open.org ]   On Behalf Of   Jordan, Bret Sent:   Monday, August 08, 2016 4:18 PM To:   Michael X. 
Slavick < Michael.Slavick@kp.org > Cc:   JE < je@cybersecurityscout.eu >; cti@lists.oasis-open.org ; Carol Geyer < carol.geyer@oasis-open.org > Subject:   Re: [cti] Proposal to create CTI User Council   But there in lies the problem..  We can not take direct feedback, comments, or suggestions, from people that are not actually members' of the OASIS TC... Thus all of these people would need to be full members of the OASIS CTI TC....  Anyone that is not a full member of the TC must use the public comment solution.     Thus doing this outside of OASIS would be monumentally easier and give you more flexibility.   Thanks,   Bret       Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.     On Aug 8, 2016, at 13:55, Michael X. Slavick < Michael.Slavick@kp.org > wrote:   I would support this being set up in OASIS and think it would be a pretty good value add.   For the below of most IR and CTI people not being in OASIS, that is true but each org or member of this CTI group can easily ping folks within their organization to ask for assistance.   From:   < cti@lists.oasis-open.org > on behalf of Jordan, Bret < bret.jordan@bluecoat.com > Date:   Monday, August 8, 2016 at 1:50 PM To:   JE < je@cybersecurityscout.eu > Cc:   cti@lists.oasis-open.org < cti@lists.oasis-open.org >, Carol Geyer < carol.geyer@oasis-open.org > Subject:   Re: [cti] Proposal to create CTI User Council   Caution:   This email came from outside Kaiser Permanente. Do not open attachments or click on links if you do not recognize the sender. It feels like this should be done outside of OASIS land, and I would support this if done outside of OASIS land.  I do not think the catch all CTI-Users forum is the place to do this either...    
I was always in favor of a users group being setup (outside of OASIS).  I think there would be real value in having a place to talk about usability aspects and implementation aspects.  I could see this group building lot of good material for how to use STIX and TAXII in a security playbook.  But IMHO, it would be best to do this all outside of OASIS land. If you tried to do this in OASIS, then the majority of people you would want to be part of this, could not be.  As they would not be OASIS members.  Most IR people and day-2-day analysts are not members of OASIS, even if their company or organization is.   Thanks,   Bret   Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.


  • 8.  RE: [cti] Proposal to create CTI User Council

    Posted 08-08-2016 20:51
    All,

    I have often spoken in terms of a three-tiered pyramid with respect to CTI standards.  Here is how I see it:

    1. At the tippy-top are the people and organizations that are sufficiently invested in the evolution of CTI standards that they choose to become OASIS CTI TC members and actively contribute to the development of the specifications in real-time.

    2. The next layer down is the somewhat larger universe of people and organizations that have an interest in monitoring the development of CTI standards and on occasion commenting on the developments they observe.  They are not OASIS CTI TC members but probably are subscribers to the cti-users list.  Over time they may decide to become CTI TC members.

    3. The base layer is the universe of people and organizations who use and/or benefit from (directly or indirectly) the standards the CTI TC produces.  For example, they may write code to produce/consume STIX/CybOX, they may run a SOC that uses STIX/TAXII-compliant products or they may write requirements for STIX/TAXII into procurement language.  None of this necessitates that they be involved in the shaping of STIX/TAXII, they are simply consumers of the standards who benefit from the work of the CTI TC and OASIS rules that guarantee the standards will be freely available in perpetuity.

    As I think about this, any viable user group needs to focus on the needs of groups 2 and 3.  Group 1 is already well-represented in OASIS.  To be clear, I would hope that each and every CTI TC member would choose to participate in such a user group but the venue must accommodate the target audience.

    Rich


  • 9.  Re: [cti] Proposal to create CTI User Council

    Posted 08-08-2016 21:23
    This does not have be an either/or proposition. As Michael says, an OASIS CTI User Council would be a great value-add for members. It would give prospective members a compelling reason to get involved and current members (maybe even Citrix) more justification for staying involved.

    That said, an OASIS CTI User Council wouldn't prevent the formation of the kind of non-member SIGs and/or outreach Bret and Rich describe.  A CTI User Council could choose to host non-member round tables, workshops, online forums and other activities to facilitate broad input or communication. Non-member user groups or activities could still be organized wherever there's the will and support.

    The bottom line is a core group of CTI TC members say they want the benefits of working within an OASIS CTI User Council. I don't see a downside to accommodating that need.

    --Carol

    -- Carol Geyer Senior Director, OASIS www.oasis-open.org +1.941.284.0403 -- Join OASIS at: Borderless Cyber Europe 8-9 Sept  Brussels http://borderlesscyber.oasis-open.org/eu16 #borderlesscyber


  • 10.  Fwd: [cti] Proposal to create CTI User Council

    Posted 08-08-2016 21:10
    FYI - looks like we may lose Citrix. "...caught in a RIF" Also, for the notion that the CTI User Council should be outside of OASIS.

    ---------- Forwarded message ----------
    From: Joey Peloquin <joey.peloquin@citrix.com>
    Date: Mon, Aug 8, 2016 at 4:30 PM
    Subject: RE: [cti] Proposal to create CTI User Council
    To: "Jordan, Bret" <bret.jordan@bluecoat.com>, "Michael X. Slavick" <Michael.Slavick@kp.org>
    Cc: JE <je@cybersecurityscout.eu>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>, Carol Geyer <carol.geyer@oasis-open.org>

    Bret is right, and my (albeit limited) involvement with this TC is about to come to an end for the same reason—the requirement of OASIS membership to participate. The team within Citrix that managed our relationship with OASIS were caught in a RIF at the beginning of the year. Our membership will lapse soon, along with my ability to participate in the TC.

    If we constrain user community involvement to OASIS membership, we’ll be responsible for a disservice to the rest of CTI user community, the vast majority of whom are not OASIS members.

    Joey

    -- Joey Peloquin, Principal Architect, XenMobile Security Operations Citrix Systems, Inc. 851 West Cypress Creek Road Fort Lauderdale, FL 33309 m (817) 412-0475 o (954) 229-5649 e joey.peloquin@citrix.com

    -- /chet
    ----------------
    Chet Ensign Director of Standards Development and TC Administration  OASIS: Advancing open standards for the information society http://www.oasis-open.org Primary: +1 973-996-2298 Mobile: +1 201-341-1393