OASIS Cyber Threat Intelligence (CTI) TC

  • 1.  Re: [cti] Observable Debate

    Posted 11-01-2018 14:47




    Bret – Any ballot is premature. We need further discussion and ideas on the table.

    Allan


    From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of Bret Jordan <Bret_Jordan@symantec.com>
    Date: Thursday, November 1, 2018 at 7:45 AM
    To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
    Subject: [cti] Observable Debate


     


    Maybe we should do a non-binding ballot at this stage, open to all TC members not just voting members, just to get a pulse of where the TC is at.

    Possible ballot question: What do you think the TC should do in regards to Observed Data and Cyber Observables based on the discussions that have been happening on the list?

    1) Do nothing, leave everything as is

    2) Do nothing for 2.x but target a change for 3.0 and define a timetable to start work on 3.0

    3) Leave Observed Data as is, but also allow cyber observables to become top-level objects. This would be two ways of doing something, but would not break any existing code. This would allow a transition over time.

    4) Make cyber observables top-level objects and make Observed Data contain a list of embedded references (option 1 prime)

    5) Change Observed Data and Relationships to allow for deep referencing (Medusa or Medusa-like solution)

    6) Change Observed Data so that it becomes a generic wrapper for cyber observables and some relationships are made external and some are kept as internal (not to be confused with our use of embedded relationships). Basically option 7 with some of John Wunder's tweaks.

    7) Other - User added solution

    Maybe this would help us figure out how far away we are? Maybe it could eliminate an option or two to focus the discussion?

    Bret








  • 2.  Re: [EXT] Re: [cti] Observable Debate

    Posted 11-01-2018 14:55
    As I said, it would be a non-binding ballot. Basically just a show of hands. Maybe this would help get some more ideas? Who knows.

    Bret

    From: Allan Thomson <athomson@lookingglasscyber.com>
    Sent: Thursday, November 1, 2018 8:46:25 AM
    To: Bret Jordan; cti@lists.oasis-open.org
    Subject: [EXT] Re: [cti] Observable Debate

    Bret – Any ballot is premature. We need further discussion and ideas on the table.

    Allan

    From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of Bret Jordan <Bret_Jordan@symantec.com>
    Date: Thursday, November 1, 2018 at 7:45 AM
    To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
    Subject: [cti] Observable Debate

    Maybe we should do a non-binding ballot at this stage, open to all TC members not just voting members, just to get a pulse of where the TC is at.

    Possible ballot question: What do you think the TC should do in regards to Observed Data and Cyber Observables based on the discussions that have been happening on the list?

    1) Do nothing, leave everything as is

    2) Do nothing for 2.x but target a change for 3.0 and define a timetable to start work on 3.0

    3) Leave Observed Data as is, but also allow cyber observables to become top-level objects. This would be two ways of doing something, but would not break any existing code. This would allow a transition over time.

    4) Make cyber observables top-level objects and make Observed Data contain a list of embedded references (option 1 prime)

    5) Change Observed Data and Relationships to allow for deep referencing (Medusa or Medusa-like solution)

    6) Change Observed Data so that it becomes a generic wrapper for cyber observables and some relationships are made external and some are kept as internal (not to be confused with our use of embedded relationships). Basically option 7 with some of John Wunder's tweaks.

    7) Other - User added solution

    Maybe this would help us figure out how far away we are? Maybe it could eliminate an option or two to focus the discussion?

    Bret


  • 3.  RE: [EXT] Re: [cti] Observable Debate

    Posted 11-01-2018 15:44
    I would agree with Allan that it’s far too early for any kind of ballot, non-binding or otherwise. Some of these ideas have yet to even be fleshed out, so trying to vote on an incomplete proposal is asking for trouble.

    Sarah Kelley
    Lead Cybersecurity Engineer, T8B2 Defensive Operations
    The MITRE Corporation
    703-983-6242
    skelley@mitre.org

    From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> On Behalf Of Bret Jordan
    Sent: Thursday, November 1, 2018 10:55 AM
    To: Allan Thomson <athomson@lookingglasscyber.com>; cti@lists.oasis-open.org
    Subject: [cti] Re: [EXT] Re: [cti] Observable Debate

    As I said, it would be a non-binding ballot. Basically just a show of hands. Maybe this would help get some more ideas? Who knows.

    Bret

    From: Allan Thomson <athomson@lookingglasscyber.com>
    Sent: Thursday, November 1, 2018 8:46:25 AM
    To: Bret Jordan; cti@lists.oasis-open.org
    Subject: [EXT] Re: [cti] Observable Debate

    Bret – Any ballot is premature. We need further discussion and ideas on the table.

    Allan

    From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of Bret Jordan <Bret_Jordan@symantec.com>
    Date: Thursday, November 1, 2018 at 7:45 AM
    To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
    Subject: [cti] Observable Debate

    Maybe we should do a non-binding ballot at this stage, open to all TC members not just voting members, just to get a pulse of where the TC is at.

    Possible ballot question: What do you think the TC should do in regards to Observed Data and Cyber Observables based on the discussions that have been happening on the list?

    1) Do nothing, leave everything as is

    2) Do nothing for 2.x but target a change for 3.0 and define a timetable to start work on 3.0

    3) Leave Observed Data as is, but also allow cyber observables to become top-level objects. This would be two ways of doing something, but would not break any existing code. This would allow a transition over time.

    4) Make cyber observables top-level objects and make Observed Data contain a list of embedded references (option 1 prime)

    5) Change Observed Data and Relationships to allow for deep referencing (Medusa or Medusa-like solution)

    6) Change Observed Data so that it becomes a generic wrapper for cyber observables and some relationships are made external and some are kept as internal (not to be confused with our use of embedded relationships). Basically option 7 with some of John Wunder's tweaks.

    7) Other - User added solution

    Maybe this would help us figure out how far away we are? Maybe it could eliminate an option or two to focus the discussion?

    Bret